jails what files was missing between thin and thick jail in freebsd14.2 ?

[fff2024g]

Dear all:
i want to find thin and thick jail difference. so please let know.
thin jail : base.txz
thick jail ; base.txz
they all need base.txz . no file to miss . why difference ?

i think. thick jail = base.txz +kernel.txz . thin jail = base.txz +host's kernel ............right ?
please help me . thanks.

 

[cy@]

Jails don't need their own kernel. Jails, like Solaris zones and Linux containers, share the kernel with the base system (called global).

A thin jail installs an image of FreeBSD somewhere on disk (or uses the base system, not recommended but possible) and uses read-only nullfs as a base layer with nullfs and/or unionfs mounted on top for unique directories and files within the jail. The advantage is the base read-only nullfs can be used by a number of jails.

A thick jail is one which a complete FreeBSD system (minus the kernel) is installed for each jail.

The advantage of thin jails, as described above, is that one only needs to update image shared by all the jails. Whereas each thick jail must be updated.

The disadvantage of thin jails is they are significantly more complex to set up and use. And they pose a security hazard if not set up correctly. (Though thick jails can also constitute a different security hazard if not set up correctly.)

I use thin jails. They do take more planning and work to set up. But once set up they are easier to update. And adding new jails is easy since the harder work of planning and setting up has already been done (by you).

Anticipating your next question: No, there is no documentation I know of how to set up a thin jail. Most automated tools can't do this for you. One needs to know enough about FreeBSD, UNIX, filesystems, and the minutae of your application.

 

[ShelLuser]

I don't fully agree with Cy's last comment.. but bear in mind: within the context of FreeBSD 14.2, and I realize that Cy is probably referring to howto's and the likes when talking about documentation.

My point though: jail(8) is also an excellent source of information here, and it fully describes how to set up a Jail userland. Sure, it uses make world and make distribution as examples, but it's easy to figure out that you can substitute those steps with the use of archives (now referring to base.txz and kernel.txz).

But there's more... the manualpage also gives us this gem:

Start a shell in the jail:

jail -c path=/data/jail/testjail mount.devfs \
host.hostname=testhostname ip4.addr=192.0.2.100 \
command=/bin/sh

And while this isn't exactly a full HOWTO it still gives you all the required steps to set up a basic jail. Next: mount_nullfs(8) and after that you're practically half done. A good way to start could be to propagate an existing /usr/local inside this new jail.

Hope this can also help!

 

[loveydovey]

No, there is no documentation I know of how to set up a thin jail. Most automated tools can't do this for you. One needs to know enough about FreeBSD, UNIX, filesystems, and the minutae of your application.

This is, like, the number 1 thing stragglers from Linux want to do coming to FreeBSD. They want firejail their stuff.

I got a nice thin jail set up for Firefox that's close to firejail (although no Linux namespaces and seccomp-bpf in FreeBSD), and I was only able to do it rapidly thanks to AI. The thing is, your own thin jail setup becomes the automated tool/blueprint to set up all sorts of jails for other things. Do FreeBSD people feel this should be kept at the sharp learning curve state for people migrating from Linux?

 

[loveydovey]

unionfs

Speaking of unionfs, basically the most required thing for jails, why is it still so dangerous? I have never been more scared reading a FreeBSD manpage before (mount_unionfs):

BUGS
       THIS  FILE  SYSTEM  TYPE     IS  NOT YET FULLY SUPPORTED (READ: IT DOESN'T
       WORK) AND USING IT MAY, IN FACT,    DESTROY    DATA ON    YOUR SYSTEM.   USE  AT
       YOUR OWN    RISK.

       This  code  also    needs an owner in order    to be less dangerous - serious
hackers can apply by sending mail to <freebsd-fs@FreeBSD.org>  and  an-
       nouncing    their intent to    take it    over.

I'm scarrreddddd, what do I do?

 

[loveydovey]

unionfs, basically the most required thing for jails,

I take this back. There seem to be ways to do what needs to be done without unionfs.

 

[SirDice]

There seem to be ways to do what needs to be done without unionfs.

Yes, bastille for example:

# ll /usr/local/bastille/jails/ports/root/
total 246
drwxr-xr-x  18 root wheel   22 Jan 27  2025 .bastille/
-rw-r--r--   1 root wheel 1011 Mar  2  2024 .cshrc
-rw-r--r--   1 root wheel  495 Mar  2  2024 .profile
drwxr-xr-x   2 root wheel    2 Apr 24  2021 .template/
-r--r--r--   1 root wheel 6109 Mar  2  2024 COPYRIGHT
lrwxr-xr-x   1 root wheel   14 Apr 24  2021 bin@ -> /.bastille/bin
lrwxr-xr-x   1 root wheel   15 Apr 24  2021 boot@ -> /.bastille/boot
drwxr-xr-x   8 root wheel    8 Aug 13  2023 data/
dr-xr-xr-x  16 root wheel  512 Nov 24 10:02 dev/
drwxr-xr-x  27 root wheel  106 Mar 16  2024 etc/
lrwxr-xr-x   1 root wheel    8 Apr 24  2021 home@ -> usr/home
lrwxr-xr-x   1 root wheel   14 Apr 24  2021 lib@ -> /.bastille/lib
lrwxr-xr-x   1 root wheel   18 Apr 24  2021 libexec@ -> /.bastille/libexec
drwxr-xr-x   2 root wheel    2 Apr  9  2021 media/
drwxr-xr-x   2 root wheel    2 Apr  9  2021 mnt/
drwxr-xr-x   2 root wheel    2 Apr  9  2021 net/
dr-xr-xr-x   2 root wheel    2 Apr  9  2021 proc/
lrwxr-xr-x   1 root wheel   17 Apr 24  2021 rescue@ -> /.bastille/rescue
drwxr-x---   2 root wheel   11 Feb 16  2025 root/
lrwxr-xr-x   1 root wheel   15 Apr 24  2021 sbin@ -> /.bastille/sbin
drwxrwxrwt   6 root wheel    6 Dec  8 03:01 tmp/
drwxr-xr-x   6 root wheel   15 Apr 24  2021 usr/
drwxr-xr-x  24 root wheel   24 Nov 24 10:02 var/

It simply links to a "base" jail that's been nullfs mounted (read-only) on that .bastille directory. Everything that's not linked to the base jail is writable.

# bastille list
 JID  Name   Boot  Prio  State  Type   IP Address              Published Ports  Release       Tags
 1    ports  on    99    Up     thin   192.168.10.202          -                14.2-RELEASE  -

This thing is old, haven't used it in a while (moved my repositories to a different machine), should probably delete it while I'm here.

Various jail tools I've used in the past (EZJail for example) all take a similar approach to set up a thin jail.

I think part of the OPs confusion is conflating a thin jail and a minimal jail. But those are two different approaches.

 

[loveydovey]

conflating a thin jail and a minimal jail. But those are two different approaches.

And then there's ephemeral jails? I think that's the Linux idea of jails. Thin/thick jails are what Linux thinks of as containers. You are all wrong.

My idea of a jail is - I literally construct a jail on-the-fly on each launch using FreeBSD's native `jail`, the only permanence is the app's settings folder that gets pulled in. No execs are pulled in except the app and env. The libs are read-only, /etc is minimal and with fake data, runtime dir is constructed with just separate display and sound. Everything else is containers to me - because it contains stuff I guess.

 

[SirDice]

Thin/thick jails are what Linux thinks of as containers. You are all wrong.

FreeBSD's jail(8) predates Linux' containers by about 8 years. As does the terminology in reference to jails.

 

[loveydovey]

 

[bakul]

FreeBSD-4.0 (in 2000) had jails, LXC 1.0 came out in 2014. https://linuxcontainers.org/lxc/news/2014_02_20_00_00.html