home server jail

Only if you also need to learn how to do jails.

Security is never a bad idea...one could argue that it is an overkill, but someone would argue that security is never an overkill.
 
SuperMiguel said:
a jail is a like a virtual machine?

Yes, more or less. It's an OS-based virtual machine as opposed to a hardware-based virtual machine (like VMware and all).

I have a jail running on my home server for some internet-facing services like IRC and Apache. It's a good way to compartmentalize.
 
SirDice said:
Yes, more or less. It's an OS-based virtual machine as opposed to a hardware-based virtual machine (like VMware and all).

I have a jail running on my home server for some internet-facing services like IRC and Apache. It's a good way to compartmentalize.

So then, to communicate from one jail to another, do I have to use ssh? Or can I just copy files from jail to jail? Also, do all the jails get a different IP address?
 
FreeBSD jail - operating system-level virtualization (or, you could say, chroot() on steroids).

VMware - virtual machine emulator. It can run many OSes because the guest OS is not aware that it is not running on real hardware. It fools the guest OSes and acts as a real system.

Xen - paravirtualization - a VMM, but most of its work is performed in the guest OS code, which in turn is modified to support this VMM and avoid unnecessary use of privileged instructions.

IBM / Sun and the new AMD / Intel VM technology can do hardware-level virtualization.

So then, to communicate from one jail to another, do I have to use ssh? Or can I just copy files from jail to jail? Also, do all the jails get a different IP address?

No need to ssh until and unless you are going to log in remotely. You can attach a console to any local jail using the jexec command. A jail can have a single IP, multiple IPs or no IP. A single public IP can be shared by other jails using NAT via the firewall.
 
Oko said:
VMware is not a real hardware based virtual machine.
VMware is a hardware virtual machine, as it uses a hardware feature of the Pentium (and higher) processors. The 'proper' term would be hardware-assisted virtual machine.

FreeBSD to my knowledge doesn't support any hardware based virtual machine.
Correct. Not yet, anyway. IIRC work is being done to get Sun's VirtualBox and Xen host support working on FreeBSD.
 
Oko said:
SuperMiguel said:
Also does all the jails get a diff ip address?
If I recall correctly that will be possible in FreeBSD 8.0.
Each jail must have an IP address; this has been the way since jails were first introduced. With 8-CURRENT you can have multiple IP addresses bound to the same jail, and jails can even have no IP address. A lot of these features are currently being MFC'd into 7-STABLE.
 
vivek said:
IBM / Sun and the new AMD / Intel VM technology can do hardware-level virtualization.
Contrary to popular belief, it is not a new feature. The good old Pentium (1; one) was already capable of this.
 
SirDice said:
Contrary to popular belief, it is not a new feature. The good old Pentium (1; one) was already capable of this.

IIRC, the P4 was the first one, not the P1, to support VT technology. The Pentium 4 HT 620 was the first one to come with VT. Before that, VMware was applying all sorts of dirty hacks to emulate hardware. It was the Popek and Goldberg virtualization requirements that forced both Intel and AMD to get into this game. Otherwise it was totally controlled by the IBM and Motorola vendors before 1997. It was VMware who changed the game in 1998. They introduced their research done at Stanford University as VMware technology.
 
SuperMiguel said:
Are jails worth the time for a home server running file/web/ftp/ssh services?

To me they are. It's another layer of security in the proverbial onion. While my home systems aren't exposed to the 'net (except through NAT), I do run a wireless network. And I definitely don't monitor home systems as closely as I do those that are in production at work.

Additionally, having FreeBSD Jails set up at home gives me something of a testing environment. (Not really, though) Chapter 15 Jails
 
vivek said:
IIRC, the P4 was the first one, not the P1, to support VT technology.
AFAIK it was the P1 (VMware couldn't run on anything less); rudimentary perhaps, but still, it was there. The P4 and above just expanded on this.

Whatever the case, virtualization isn't new. Even before it was possible on consumer-grade machines it was used in minis and mainframes.
 
Check out ezjail; my first jails were with that, though now I'm doing it manually on top of ZFS, because ZFS snapshot-based jails are just TOO cool.
I just make a base jail the way I want it, snapshot it and make several clones as a starting point... it's so cool.


2 great web sites that will help you:

http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail
If you want to make them manually, that site is great; only 2 things to remember: the part where it says JAILDIR=
requires you to be using the bash shell. I do not know what the equivalent is in tcsh. Also, it has the old way to mount devfs; the correct way is like this:
Code:
mount -t devfs devfs /some/mount/point


This site is great too:
http://www.scottro.net/qnd/qnd-ezjail.html
It explains ezjail.
 
They're conceptually alike. You could say that a chroot contains an application/session (like an ftp login session, or BIND), whereas a jail contains an entire OS. A chroot'ed application still has direct links and hooks to the 'master OS' and the environment it runs in (which doesn't make it 100% secure and inescapable -- it may stop a script kiddie, it won't stop a dedicated hacker). A jail(ed OS) is a world unto itself. It's an extremely chroot'ed chroot on all levels, which has no hold over, or any alleyway into, the 'master OS' the jail is in. ;)

Oversimplified, I admit.
 
Another thing that's great about jails is that they're amazingly cheap as far as processing power goes.

I have noticed no real load increase from using a jail for every single service.

I have an FTP jail, a MySQL jail, a webserver jail and an IRC server jail.

Each one is its own system. Because of the way 7.2 works, I can have more than one IP per jail, so each one that needs a public IP has one, and they all have a private IP, for which I use a new loopback device I made called lo1 and the 10.0.0.0/24 range.

It's great if you want to let people use your server to host stuff but don't want to give them full root access... just make them a jail.

It's also great if you DO have a service that gets compromised....
If your web jail gets hacked, it's just the web jail... and now with ZFS and snapshots it's even cooler...
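The setup described in this post and in the earlier ZFS post (snapshot a hand-built base jail, clone it per service, give each clone a private address on a cloned lo1 in 10.0.0.0/24, and share the one public IP through NAT on the firewall, as the jexec/NAT reply above also mentions) as an added shell example; it is not part of this thread and not any poster's own setup. It assumes a current FreeBSD with jail.conf(5) and pf, a ZFS dataset zroot/jails mounted at /jails whose child dataset base already holds a prepared jail, the hostname suffix home.internal, and the external interface em0; all of these are assumptions. The script only prints the privileged commands unless DRYRUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the thread: ZFS-clone-based jails with a private
# address on a cloned loopback (lo1) and one public IP shared through pf NAT.
# Dataset, mountpoint, hostnames and interface names are assumptions.
# DRYRUN=1 (default) prints privileged commands instead of running them;
# set DRYRUN=0 on a FreeBSD host that already has ${JAIL_ZPOOL}/base populated.
DRYRUN="${DRYRUN:-1}"
JAIL_ZPOOL="${JAIL_ZPOOL:-zroot/jails}"   # assumed dataset holding every jail
JAIL_ROOT="${JAIL_ROOT:-/jails}"          # assumed mountpoint of that dataset
JAIL_NET="10.0.0"                         # private /24 on lo1, as in the post

# Print or execute a privileged command, depending on DRYRUN.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Snapshot the hand-built base jail once; every service jail is a clone of it,
# so a new jail costs almost no disk and a compromised one can be discarded.
snapshot_base() {
    run zfs snapshot "${JAIL_ZPOOL}/base@template"
}

# clone_jail NAME: create the dataset for a new jail from the template.
clone_jail() {
    run zfs clone "${JAIL_ZPOOL}/base@template" "${JAIL_ZPOOL}/$1"
}

# jail_conf_stanza NAME HOSTNUM: jail.conf(5) stanza binding the jail to
# 10.0.0.HOSTNUM on lo1. devfs ruleset 4 is devfsrules_jail from
# /etc/defaults/devfs.rules, which hides most of the host's device nodes.
jail_conf_stanza() {
    cat <<EOF
$1 {
    path = "${JAIL_ROOT}/$1";
    host.hostname = "$1.home.internal";
    ip4.addr = "lo1|${JAIL_NET}.$2/32";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;
}
EOF
}

# rc_conf_lines: host settings that create lo1 and start jails and pf at boot.
rc_conf_lines() {
    cat <<EOF
cloned_interfaces="lo1"
jail_enable="YES"
pf_enable="YES"
EOF
}

# pf_nat_rules EXT_IF WEB_IP: let every jail reach the Internet through the
# host's single public address, and forward inbound port 80 to the web jail.
pf_nat_rules() {
    cat <<EOF
nat on $1 from ${JAIL_NET}.0/24 to any -> ($1)
rdr on $1 proto tcp from any to ($1) port 80 -> $2
EOF
}

# demo: the full sequence for a web jail at 10.0.0.11 behind em0 (assumed).
demo() {
    snapshot_base
    clone_jail webjail
    echo "# append to /etc/jail.conf:"; jail_conf_stanza webjail 11
    echo "# append to /etc/rc.conf:"; rc_conf_lines
    echo "# add to /etc/pf.conf before the filter rules:"; pf_nat_rules em0 "${JAIL_NET}.11"
    # After 'service jail start webjail', attach a console from the host with:
    run jexec -l webjail /bin/sh
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh jailclone.sh demo` to see the generated commands and config fragments; with `DRYRUN=0` the zfs and jexec commands are executed instead of printed, while the jail.conf, rc.conf and pf.conf fragments are still only printed so they can be reviewed before being appended. Keeping the translation rules in pf means a jail that is compromised still only holds a private address, and the host decides which ports reach it.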
 