Clarification: "Jail" -vs- "Chroot"

Vincent Hoffman vince at unsane.co.uk
Wed Jul 14 11:31:00 UTC 2010


On 14/07/2010 00:30, Aiza wrote:
> Ed Flecko wrote:
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>
> Well let me take a shot at this. First of all we are only talking
> about the FreeBSD operating system. The ability to chroot a directory
> tree has been available since RELEASES 2.0. The jail utility first
> appeared in RELEASE 4.0. The jail utility is just a basic effort to
> automate the building and administration of an chrooted directory tree
> which is pretty much useless unless it contains a complete copy of the
> Freebsd operating system binaries. 
Actually as the manpage says  "In the other extreme case a jail might
contain only one file: the executable to be run in the jail."
you put in a jail what you need. It doesnt have to be a complete install
its just commonly for that purpose. Also a jail offers more features
than chroot, such as sperate securelevels from the host, limits on
number of child jails (Hierarchical Jails) etc.
> The major short coming of the jail command jail system is each jail
> has it's own copy of the hosts running system binaries. Freebsd
> reserves a limited number of control structures for storing files and
> directories, called inodes. Creating a few jails consumes many of
> these valuable inodes, eventually preventing the creation of new jails
> and new files on the host. Worst yet is each jail loads it's own copy
> of it's running binaries into memory which causes thrashing on the
> swap device as memory pages are swapped in and out as the limited
> memory is shared between the host and jails. Besides consuming
> resources and creating performance degradation, this also causes a
> major administration headache when wanting to update the host running
> system, because the host and the jails all have to be running the same
> RELEASE version.
>
you can run other (lower) version userland if you want to as long as the
host has the correct COMPAT options in its kernel config. I'll agree on
the administration headache though.
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created where by a single copy of
> the jailed running binaries are shared among all the jails. But this
> still leaves you with an administration nightmare as the number of
> jails deployed grows past 5. Now there are some ports in the port
> system that are utility wrappers around the jail command that tries to
> address this administration nightmare. My experience with these are
> they are very poorly documented and you really need to have a good
> grasp on how jails work and network ip address usage before they are
> useful. Their easy of use quickly evaporates as the number of jails
> deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large
> number of jails is in project phase right now. Keep checking the ports
> system for qjail.
>
I quite like ezjail but I'll be sure to keep an eye open for qjail.

Vince
> Now about what to run in a jail. Well since each jail is like a
> complete stand-a-lone operating system, you can populate it with any
> application you want. The real limitation is how is that jail going to
> gain public internet access so the domain name of your apache website
> can be found and accessed. A static ip address is pretty much
> required, though with some creative ip address assignments this can be
> circumvented. Thats a whole other subject area.
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"



More information about the freebsd-questions mailing list