Date: Wed, 14 Jul 2010 10:27:04 +0300
From: Valentin Bud <valentin.bud@gmail.com>
To: Aiza <aiza21@comclark.com>
Cc: Ed Flecko <edflecko@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Clarification: "Jail" -vs- "Chroot"
Message-ID: <AANLkTilYu1aRQZlh-j2YsdAV2NcXdh4RDOqY7YJIwz9w@mail.gmail.com>
In-Reply-To: <4C3CF701.9030009@comclark.com>
References: <AANLkTimdPaIJgfhmJ1r6I1M9AoZUzcKLrnqxcnr3XIvK@mail.gmail.com> <4C3CF701.9030009@comclark.com>
On Wed, Jul 14, 2010 at 2:30 AM, Aiza <aiza21@comclark.com> wrote:
> Ed Flecko wrote:
>
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine, that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>>
>
> Well let me take a shot at this. First of all we are only talking about the
> FreeBSD operating system. The ability to chroot a directory tree has been
> available since RELEASE 2.0. The jail utility first appeared in RELEASE
> 4.0. The jail utility is just a basic effort to automate the building and
> administration of a chrooted directory tree which is pretty much useless
> unless it contains a complete copy of the FreeBSD operating system binaries.
>
> The major shortcoming of the jail command jail system is each jail has its
> own copy of the host's running system binaries. FreeBSD reserves a limited
> number of control structures for storing files and directories, called
> inodes. Creating a few jails consumes many of these valuable inodes,
> eventually preventing the creation of new jails and new files on the host.
> Worse yet is each jail loads its own copy of its running binaries into
> memory which causes thrashing on the swap device as memory pages are swapped
> in and out as the limited memory is shared between the host and jails.
> Besides consuming resources and creating performance degradation, this also
> causes a major administration headache when wanting to update the host
> running system, because the host and the jails all have to be running the
> same RELEASE version.
>
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of the
> jailed running binaries is shared among all the jails. But this still
> leaves you with an administration nightmare as the number of jails deployed
> grows past 5. Now there are some ports in the port system that are utility
> wrappers around the jail command that try to address this administration
> nightmare. My experience with these is that they are very poorly documented and
> you really need to have a good grasp on how jails work and network IP
> address usage before they are useful. Their ease of use quickly evaporates
> as the number of jails deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large number
> of jails is in project phase right now. Keep checking the ports system for
> qjail.
>
> Now about what to run in a jail. Well since each jail is like a complete
> stand-alone operating system, you can populate it with any application you
> want. The real limitation is how that jail is going to gain public internet
> access so the domain name of your apache website can be found and accessed.
> A static IP address is pretty much required, though with some creative IP
> address assignments this can be circumvented. That's a whole other subject
> area.

Hello community,

Aiza, could you please tell us more about qjail? Google isn't very helpful
and I am very interested in the subject.

Thank you.
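As an added illustration of the chroot-versus-jail distinction Ed asks about, and of the handbook's shared read-only base that Aiza mentions, here is a jail.conf(5) fragment. It is example configuration written for this thread, not something posted by any participant or taken from the FreeBSD handbook; it assumes a FreeBSD release that reads /etc/jail.conf, and the jail name, paths, hostname, interface name and IP address are constructed placeholders. The contrast it shows: chroot(8) changes only the root directory of one process tree, while a jail additionally gets its own hostname, its own set of IP addresses, a separate process view, and kernel-enforced limits on what root inside it may do.

```conf
# Added example: /etc/jail.conf (not from the thread; names and paths are constructed)
#
# For comparison, a plain chroot of the same tree would be:
#     chroot /usr/jails/www /bin/sh
# That process keeps the host's hostname, IP addresses, process list and
# unrestricted root; only its filesystem root has moved. Everything below is
# what the jail adds on top of the directory tree.

# Defaults shared by every jail defined in this file
exec.start  = "/bin/sh /etc/rc";            # boot the jail like a normal system
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;                                 # start with a clean environment
mount.devfs;                                # per-jail /dev, filtered by the ruleset below
devfs_ruleset = 4;                          # devfsrules_jail: no raw disks, no kmem
securelevel = 2;                            # cannot be lowered from inside the jail
allow.raw_sockets = 0;                      # no raw sockets (ping/traceroute) from inside

# One jail, "www": separate hostname, address and filesystem root
www {
    host.hostname = "www.example.org";      # constructed
    ip4.addr = "em0|192.0.2.10/24";         # constructed; interface|address/prefix
    path = "/usr/jails/www";                # constructed

    # Per-jail fstab. The handbook's shared-base layout nullfs-mounts one
    # read-only copy of the FreeBSD binaries into each jail, so the system
    # files exist once on disk rather than once per jail. Constructed contents
    # of /etc/fstab.www:
    #   /usr/jails/basejail  /usr/jails/www/basejail  nullfs  ro  0  0
    mount.fstab = "/etc/fstab.www";
}
```

With this file in place, `jail -c www` creates the jail and `jail -r www` removes it; `jls` lists the running jails with their JID, hostname and path. The read-only nullfs mount is also a defensive property: a compromised service inside the jail cannot modify the shared binaries, and `securelevel = 2` stops root in the jail from relaxing that.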