Ways to offer user isolation

[j.carney1987]

So first off, I used to be a Linux Guru and running a web hosting business for over 5 years, but decided to focus on HVAC engineering for about 6 years which is completely different skill set. So as a result, I'm very rusty and forgot a lot of what I used to know.

I used to be decent in Perl programming and I'm looking to get back into it.

So what I want to do as a practice and hope that I can get a project group going is build an opensource web hosting control panel that isn't bloated like virtualmin, but would support basic perl, php, mysql.
With that being said FreeBSD supports those features very well.

Reasons why I want to do this project.
FreeBSD is known to having a solid network stack.
There is no real good web hosting control panel that is open source other than virtual min that I"m aware of.
Its a good way to learn FreeBSD and get comfortable with it.

Previously on Linux I would use things like Jail shell and monitoring scripts to help keep the server secure, but true user isolation became possible with cloudlinux which was based off of the Linux OpenVZ kernel and ran users in their respective containers.

Is there anything similar to that other than jailshell with BSD?

Thanks!

 

[Alain De Vos]

There are jails...

 

[j.carney1987]

actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc. It would have to be installed in his jail.

Correct?

 

[CyberCr33p]

actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc. It would have to be installed in his jail.

Correct?

You can connect them using unix sockets. Also for files you can use nullfs mounts.

 

[Alain De Vos]

The purpose of jails is isolation. But the level of isolation is configurable.

 

[zirias@]

actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc. It would have to be installed in his jail.

Correct?

No. For a database server that multiple users should be able to access, just install it in another jail and allow the network communication in your firewall rules. You could optionally use VNET jails, so every jail has its own network stack. Such a jail is more or less a full user-space virtual machine.

For a webserver, well, what do you want to achieve? If your users should have administrative control over "their" webserver, then sure, install one in every jail. Use some other jail with e.g. nginx as a reverse proxy that's reachable from the internet. If you just want one central webserver and only serve all the users' content, null-mounting all users' "web root" directories to the one jail running the webserver would be the straight-forward option.

 

[Erichans]

These may be helpful:

• Chapter 15. Jails
• Virtualise your network on FreeBSD with VNET
• Jails and VNET, a guide
• 20 Years of FreeBSD Jails & FreeBSD Mastery: Jails
• Why I prefer thick jails over thin jails

Reading your OP, the last entry in the list, Why I prefer thick jails over thin jails by Dan Langille, may not seem to be of immediate interest. However, when delving into jails it is important to know the difference between "thin jails" and "thick jails", as Dan Langille speaks about why he transitioned from ezjails (ezjail(7)) to iocage jails (iocage(8)) respectively.

If you'd like to have a look at its foundings, Bryan Cantrill on Jails and Solaris Zones - (video & slides) discusses it, based on two important papers:

• Daniel Price and Andrew Tucker - Solaris Zones: Operating System Support for Consolidating Commercial Workloads -- (html) (pdf)
  From: LISA'04 - Solaris Zones
• Poul-Henning Kamp and Robert N. M. Watson - Confining the omnipotent root.
  From: Jails – High value but shitty Virtualization