MATE and vBox in a jail?

Hello everyone,

I’m thinking of building one huge jail. Is it possible to put MATE-desktop and VirtualBox in a jail? Also, is there a how-to for installing MATE-desktop anywhere, or is it as easy as installing Gnome?
 
Putting VirtualBox in a jail is not possible. It is too complex a piece of software, which needs direct access to various parts of the kernel, and this is NONSENSE: either you virtualise a full FreeBSD MATE desktop in a VirtualBox host, or you set it up in a jail. VirtualBox and jails play the same role; VirtualBox is just a more advanced (and heavier) solution to isolate a part of a system. A jail is simply perfect for "lightweight" isolation; it is fundamentally an advanced "chroot" environment. The main advantage of a jail is that it consumes nearly nothing in memory or additional CPU power. You can set up jails on an old computer with less than 512GB of memory... for VirtualBox you need a powerful processor and much more memory.

Setting up a MATE desktop in a jail is theoretically possible, but it is not easy, because you must trigger the devfs.rules parameters with "hide/unhide" in order to make some base system devices available in the jail. You must also play with some funny rules when setting up the jail, such as "allow.raw.sockets", etc. I saw a blog where a guy managed to set up a full Linux distro in a FreeBSD jail... and finally?

You will get something with a great many limitations. Many applications won't work... because a jail is not virtualization. The most problematic limitation is the inability to mount file systems dynamically. When a jail is started, it is impossible to dynamically mount what FreeBSD calls an unsafe file system. But in fact the only safe file system you could dynamically mount is a ZFS file system, so there is no way to access a samba share from within a jail, for example. Some people complained about that. In their opinion, the administrator should have the choice to determine what is safe or unsafe, and some guys made a kernel patch in the past to override this limitation, but as of today FreeBSD developers have not heard this request.

If you have a powerful processor with at least 8 GB of RAM, then set up a full FreeBSD MATE desktop in VirtualBox and forget the jail; this would be a waste of time. But the good policy is simply to set up the MATE desktop on your base system and isolate "critical" services through a collection of "jail services". For example, you can isolate the samba server in a dedicated jail. So if somebody breaks the access to "samba", he will have some difficulty accessing and compromising the host. You can set up some proxy services in a jail, such as Tor, Privoxy, Squid. You can also isolate a Bind DNS server...

This is what I have done on my home-made server. My base system is fundamentally a desktop environment with several graphic interfaces (LXDE, Lumina DE, Windowmaker...); I switch between them with the WDM logon manager. All server functionalities are "imprisoned" in a collection of 5 jails. One jail is dedicated to several "proxies", another is a radius, etc.

Follow this tutorial:
https://www.freebsd.org/doc/handbook/jails-application.html
 
Wozzeck, all I can say is well explained. Yours are the type of answers that I never could google-up since Virtualbox was made possible to work on FreeBSD (among many other things). There were hints, but no reasons why … until now. I got to know Why or wonder about it until the end of time.

I surely would have built myself another trap; with many more back-doors, wide open. … Thanks again Wozzeck.
 
Giving the jailed VBox access to the vbox* devices effectively bypasses all security measures implemented by the jail mechanism.
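The point above about the vbox* devices, combined with the devfs.rules hide/unhide mechanism mentioned earlier in the thread, as an added example that is not part of any post: a small audit that evaluates a devfs ruleset in order and reports sensitive device nodes it leaves visible to a jail. The ruleset names and numbers, the device list and the `SENSITIVE` policy are constructed assumptions, and only `include`, `hide`, `unhide` and `path` conditions are modelled.

```python
import fnmatch

# Constructed sample in devfs.rules syntax; ruleset names and numbers are made up.
SAMPLE_RULES = """
[hide_all=10]
add hide
[basic=11]
add path null unhide
add path random unhide
[samba_jail=20]
add include $hide_all
add include $basic
[vbox_jail=21]
add include $samba_jail
add path 'vbox*' unhide
"""
# Constructed list of host device nodes to evaluate the rulesets against.
HOST_DEVICES = ["null", "random", "mem", "kmem", "io", "vboxdrv", "vboxnetctl"]
# Assumed policy: nodes a jail should never see ('vbox*' is the case from the thread).
SENSITIVE = ["vbox*", "mem", "kmem", "io"]

def parse(text):
    """Return {ruleset name: [rule strings]} from devfs.rules text."""
    rulesets, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = rulesets.setdefault(line[1:-1].split("=")[0], [])
        elif line.startswith("add ") and current is not None:
            current.append(line[4:].strip())
    return rulesets

def visible(rulesets, name, devices, state=None):
    """Apply the rules in order (later rules win); return the visible nodes."""
    state = {d: True for d in devices} if state is None else state
    for rule in rulesets[name]:
        words = rule.replace("'", "").split()
        if words[0] == "include":
            visible(rulesets, words[1].lstrip("$"), devices, state)
        elif words[0] in ("path", "hide", "unhide") and words[-1] in ("hide", "unhide"):
            pattern = words[1] if words[0] == "path" else "*"  # bare action: all nodes
            for d in fnmatch.filter(devices, pattern):
                state[d] = words[-1] == "unhide"
    return {d for d, shown in state.items() if shown}

def audit(rulesets, name, devices=HOST_DEVICES):
    """Return the sensitive nodes that the named ruleset leaves visible."""
    shown = visible(rulesets, name, devices)
    return sorted(d for d in shown if any(fnmatch.fnmatchcase(d, p) for p in SENSITIVE))
```

Here `audit(parse(SAMPLE_RULES), "vbox_jail")` flags both vbox nodes, while the service-jail ruleset comes back clean.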
 
Can I ask why you would want to run emulators/virtualbox-ose in a jail? Not saying you should or should not do it, I am just curious as to what problem this configuration would fix.

For continuous integration purposes, I wanted to host an MS OS without polluting my host in the long term w/ the trillion dependencies that came w/vbox.
Generally speaking, and from an application lifecycle point of view, I tend to segment services into jails in order not to mess up software deps and all the joy that comes with multiple pieces of software living together in the same place :)

PS: In my use case, the requirement was one physical host and no hypervisor.
 
Can I ask why you would want to run emulators/virtualbox-ose in a jail? Not saying you should or should not do it, I am just curious as to what problem this configuration would fix.
I’m glad I learned my lesson soon… Virtualbox runs on the host only, but the drivers can go into a jail. That’s even better for the host and the guest. I thought you had to install the whole thing.

Anyway, excellent point kpa, but consider this; if we could, even the hosting provider can’t spy on your cloud anymore, and he would fear loss of business. It would be the virtual of virtual, like going deeper into deep space, into the black-hole. I think, I bet vnet-jail could lead to that one day, if not already, or even jails in jail. BTW, Thanks for that link kalw. That is more than enough for now! Also, I notice more and more people here are going vnet-jails, all of a sudden. Maybe it’s time to take that walk on the wild side. Thanks guys