freebsd jails advice

Matthew Seaman matthew at
Mon Dec 10 11:51:57 UTC 2018

On 10/12/2018 10:17, Shyaka Rene via freebsd-questions wrote:
> hello, I don't have experience with freebsd or system administration, but I need your advice
> suppose I have this scenario with 2 computers
> 1) server (not big just 8GB RAM) machine with virtualbox or openstack installed with any OS
>      - virtual machine 1 for java development with eclipse installed
>      - virtual machine 2 for php development with eclipse
>      - virtual machine 3 for testing anything
> all these virtual machines have graphical user interface installed (windows or gnome any OS)
> 2) client machine for accessing virtual machines using remote desktop or VNC client.
> my problem is
> Is it possible to change this scenario to Freebsd and jails with x11server installed on jails
> and access them using x11client?
> 1) server machine (freebsd)
>      - jail 1 (x11 server)
>      - jail 2 (x11 server)
>      - jail 3 (x11 server)
> 2) client machine (access jails with xclient)
> thank you for your advice

Yes, this is certainly possible, but a bit more complicated than you 
might hope.

You've got the client and server sides of X mixed up.  The X server is 
the bit which controls the display -- ie. it runs on your laptop or 
desktop machine.  The X client is the piece of software that you are 
trying to interact with through that display -- so, eclipse in this 
case.  Clients can be run either locally or remotely.  It's confusing 
because it is the other way round from just about any other network 
accessible service where you run a local client to connect to a server 
which could also be local but is almost always remote.

So, you don't need an X server in each of the jails.  You just need your 
X capable software in each jail and you need to set the DISPLAY 
environment variable correctly so that it will talk to your X server on 
your local desktop.

Please do not use remote X11 access across a network in plaintext. 
That's roughly of the same order of badness as using things like rsh or 

Instead, set up your jails with ssh and ssh into each of them, 
forwarding an X connection over SSH (which will typically set up things 
like DISPLAY appropriately in the environment for you.)

This means that the X client only needs to talk on the loopback address 
in order to feed the traffic into the SSH session.  Unfortunately with 
standard FreeBSD jails, there isn't a loopback interface within the 
jail, and any attempt to connect to the loopback is transparently 
redirected to connect to the jail external interface, which kind of 
confounds the whole security arrangement there.   So make sure to write 
your firewall rules carefully to prevent X traffic egressing from your 
jails onto the network at large.  You might consider investigating VNET 
jails, which are new in 12.0-RELEASE (due out Real Soon Now), where 
individual jails *do* have their own loopback addresses, but these are a 
bit more complex to set up.
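
An added example, not part of the original message: a check for the situation described above, where an X11 listener that should sit on loopback ends up on a jail's routable address. It assumes FreeBSD `sockstat -l` column layout and the port range 6000-6063 (6000 plus the display number); the sample lines, addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Reads `sockstat -l` style
# output on stdin and prints "COMMAND ADDR:PORT" for every TCP listener in the
# X11 port range that is bound to something other than a loopback address.

X11_PORT_MIN=6000   # assumption: X11 over TCP uses 6000 + display number
X11_PORT_MAX=6063   # assumption: conventional upper bound for that range

x11_exposed_listeners() {
    awk -v lo="$X11_PORT_MIN" -v hi="$X11_PORT_MAX" '
        $5 !~ /^tcp/ { next }                 # also skips the header line
        {
            pos = match($6, /:[0-9]+$/)       # locate the trailing ":port"
            if (pos == 0) next
            port = substr($6, pos + 1) + 0
            addr = substr($6, 1, pos - 1)
            if (port < lo || port > hi) next
            # Loopback-bound listeners are what SSH X11 forwarding should use.
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            printf "%s %s:%d\n", $2, addr, port
        }
    '
}

# Constructed sample: 192.0.2.11 stands in for a jail's external address.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       811   4  tcp4   192.0.2.11:22         *:*
dev      sshd       1422  9  tcp4   192.0.2.11:6010       *:*
dev      sshd       1507  9  tcp4   127.0.0.1:6011        *:*
root     Xvnc       1600  5  tcp4   *:6001                *:*
root     syslogd    640   7  udp4   *:514                 *:*
EOF
}

# On a real host: sockstat -4 -6 -l | x11_exposed_listeners
sample_sockstat | x11_exposed_listeners
```

Any line it prints is a listener that the firewall rules need to cover, since it is reachable on an address other than loopback.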
