Jailed desktop (full desktop environment inside a FreeBSD jail)

[FreeDomBSD]

I was hoping to install XFCE inside of a jailed environment. The idea behind this undertaking is to keep the base FreeBSD (jail host) with a very limited set of software and run a desktop client inside a jail. Thank you for replying.

I forgot to mention that I read some ways to do it from few years ago, but I was hoping to get acquainted with other methods.

 

[wblock@]

What is "xfice"?

 

[fonz]

What is "xfice"?

I suspect (s)he means x11-wm/xfce4, but in any case I'm missing a concrete question.

 

[FreeDomBSD]

Whops! It's a typo, obviously. Thanks!

 

[fonz]

I was hoping to install XFCE inside of a jailed environment.

The one problem I see with that is access to the host's X server. I never tried to run any X stuff inside a jail so I can't offer specific advice, but you'll probably have to muck around with xhost somehow, allowing (a) user(s) from your jail's IP address access to your host's X session.

Perhaps someone who has actually done this can give you more specific instructions, but at least you'll know where to look.

 

[jnbek]

What I think he's getting at, is leaving the 'host' as barebones as possible, then installing within the jail, the full monty, X, Xfce and all the associated ancillary ports within the jail only. That said, you can do this, but you can't just set it up to do a [CMD=]startx[/CMD] and have ~/.xinitrc run start-xfce4 and have X all start up inside the jail, like I think you're thinking. You have to set up a 'headless' X server, XFCE inside of that and then use an rdesktop/vnc to interact with it. I've done this using xorg-vfbserver and it works very well. So that said, you can run pkg_add to install xorg-vfbserver and xfce4 then decide which solution, rdp or vnc to connect in and configure it.

 

[FreeDomBSD]

Thanks! I do not understand why I need to set X server as 'headless' and VNC/RDP into it. Why can't I just do a 'normal' install inside a jail and start it manually? Thanks again.

 

[BlueCoder]

You have to patch the kernel to run X in in a jail. It adds a couple sysctl flags and then you need to hack your own jail startup and shutdown script. Overall the patch isn't complicated, it just allow jail access to all system memory. Using a jail just for containment this isn't an issue and especially since the flags limit which jails can break security. Hacking the scripts together yourself is actually quite involved but you most certainly could implement your own startx.

You'll need to ssh into the master machine though because once your in X all local xterms are in that jail.

But if I may suggest you should also do the same thing and without the patch by using chroot instead of a jail. Do a [cmd=]make installworld[/cmd] into a target directory and chroot to it and install packages. Setup a view to dev in that tree. Processes and stuff are not separated from what is running outside the chroot but if your using it just for package segregation then that shouldn't matter.

 

[wblock@]

But if you really want it to be isolated, put it in a VM and use ssh(1) X forwarding.

 

[FreeDomBSD]

Thank you for the great replies!

What I want is:

What I think he's getting at, is leaving the 'host' as barebones as possible, then installing within the jail, the full monty, X, Xfce and all the associated ancillary ports within the jail only.

+

But if you really want it to be isolated...

with XFCE
+ VirtualBox running Linux and Windows.

Essentially:

FreeBSD (bare install) ===running===> Jailed desktop (XFCE) ===running===> VirtualBox ===running===> Windows 7; Ubuntu; OSX

 

[jnbek]

I think that's going to be alot more difficult that you think. You need to install VirtualBox's kmod in the host and getting the VirtualBox working in the jail after that is less than.... optimal. I had Arch Linux installed in a jailed VirtualBox instance but networking to the outside world didn't work. Something about the jail's networking prevents some things from working from within the jail environment. minidlna, steamdedicatedserver are a couple of others that I have never been able to get working inside of jails, but outside a jail are trivial to setup. You're going to need to hunt around this forum for the posts, but there are a few posts regarding VirtualBox + jails.

Best of luck!

 

[FreeDomBSD]

I've been looking around for weeks: http://forums.freebsd.org/showpost.php?p=184915&postcount=4, but nothing for XFCE.

 

[jnbek]

Oh, my apologies, I was referring to searching the forum for getting VirtualBox working inside the jail. The presented ideas thus far with regard to XFCE are really your only options. I really recommend the Xvfb->VNC/RDP->XFCE method. It's quite easy and looks/feels just like the real thing.

 

[FreeDomBSD]

Thanks a lot for the input! I was wondering if you could explain me how this model would work in practice:

I really recommend the Xvfb->VNC/RDP->XFCE method. It's quite easy and looks/feels just like the real thing.

It may sound a bit silly of me to ask this, but if you could explain it to me in very simplistic terms it would really help me because I can't wrap my head around all the VNC/RDP stuff (e.g. turn computer on --> log in as user --> start jail --> etc). I'm really confused at the proposed workflow with this system. Where will the desktop environment reside? Will it be jailed? Will I have to run VNC/RDP software from the host FreeBSD system? Will I need to install X11 on the base system (to support VNC/RDP, possibly?)? I do not understand this setup. I have read about it, but I just can't understand why/how it works the way it is used. Also, if I have to still deal with VirtualBox being headless and have to launch guest systems from command line, would there be any particular advantage to installing XFCE at all? I wanted to install XFCE to be able to use GUI's of my favorite FreeBSD programs. If I can't do that, I guess I could just do all the VNC/RDP stuff to the headless VirtualBox and completely skip all of the xfce headaches. Also, this build will be my main computer so I will not dump it in the closet and access virtual machines over the network -- this is my desktop environment.

 

[wblock@]

You want to do all of this on one machine? Then the host will have X installed anyway. xfce does not add much overhead to that (what headaches?). Add VirtualBox for VMs with other operating systems and it's done.

 

[FreeDomBSD]

Yep, on one machine. I want to separate my base install from any new software I add.

 

[FreeDomBSD]

By the way... http://www.xfce.org/ doesn't capitalize every letter of Xfce on their site, why do you?

 

[fonz]

By the way... http://www.xfce.org/ doesn't capitalize every letter of Xfce on their site, why do you?

They probably should capitalise it, but if their official site spells it as Xfce then that's pretty authoritative. Thanks for pointing it out.

 

[wblock@]

Since it is not a word or acronym, and I feel "Xfce" looks stupid, I don't capitalize any of it.

 

[FreeDomBSD]

I guess I will use this thread to collect the information on ruining a jailed desktop environment.

Jailed Gnome:

Without a kernel patch and good devfs rules you will not get Xorg up and running in a jail (at least I didn’t managed to let it recognize my graphic card without the kernel patch). Now I have to beef up the patch a little bit and ask for review (it weakens up the security a little bit like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).

Have a look at http://www.leidinger.net/FreeBSD/current-patches/ and at the jail-mailinglist, I wrote about the devfs.rules which are needed there.

I looked at http://www.leidinger.net/FreeBSD/current-patches/ and didn't find any patches that looked as if they were for patching the kernel. The author may have deleted them, or I do not know what to look for. I also looked at the dates and there isn't anything from 2007, but of course files could have been updated since.


FreeBSD jails mailing list:

http://lists.freebsd.org/mailman/listinfo/freebsd-jail



FreeBSD Jail Allow Sound And Flash Access 2011

http://www.cyberciti.biz/faq/freebssd-enable-sound-inside-jailed-kde-gnome-xfce-desktop/

This guide speaks nothing of patching the kernel. Any comments on this guide?



This is pretty cool from 2010:

Jailed Gnome via Xnest x11-servers/xorg-nestserver running on host

http://forums.freebsd.org/showpost.php?p=93515&postcount=4


This is probably the route I'd like to go with...

Any comments?

 

[FreeDomBSD]

Since it is not a word or acronym, and I feel "Xfce" looks stupid, I don't capitalize any of it.

Haha! Don't let Dutch �e catch you slippin' like that...

 

[fonz]

and I feel "Xfce" looks stupid

That I agree with. But I suppose it's creator/owner's prerogative

 

[FreeDomBSD]

Hey @fonz, any comment on the Xnest method? Maybe coupled with the one above it for sound and flash?

 

[sossego]

What about the idea of adding a second video card?
It may be possible to run# Xorg -configure from within the jail and then comment out the values of the original xorg.conf.

Just a suggestion.

 

[FreeDomBSD]

What about the idea of adding a second video card?
It may be possible to run# Xorg -configure from within the jail and then comment out the values of the original xorg.conf.

Just a suggestion.

I actually can't expand the capabilities of this machine. Bummer.