From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 12:57:56 2015
From: Ernie Luzar
Date: Tue, 21 Apr 2015 08:58:01 -0400
To: Kai Gallasch
Cc: freebsd-jail@freebsd.org
Subject: Re: IPFW2 logging inside VIMAGE Jails?
Message-ID: <55364959.9080509@gmail.com>
In-Reply-To: <55324E55.1000805@free.de>

Kai Gallasch wrote:
> Hi.
>
> Is it possible at all to log actions of IPFW
> firewall inside a running vnet/VIMAGE jail to the vnet/VIMAGE jail's syslog?

NO. Not at this time.

> I'm asking, because I see no firewall log entries inside the jail's
> /var/log/security log.
>
> What I find is, that log messages of jails with active IPFW rules are
> only logged on the jailhost (/var/log/security) - out of reach of any
> local jail admins.
>
> My kernel is built without firewall support. The ipfw.ko is loaded
> dynamically when the server starts. No PF firewall is in use.

Compiling IPFW into the host's kernel makes no difference either.

> - FreeBSD 10.1-RELEASE-p9
> - /dev/bpf available inside jails
> - firewall logging enabled on the jailhost and also inside the jail
>
> I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178482 (2
> years old, FreeBSD 9.1 related)
>
> Cheers,
> Kai.

As PR# 178482 shows, this bug has not been addressed in over 2 years and
your recent testing shows this bug is still present in the current
production RELEASE 10.1 of FreeBSD.
In a nutshell, VIMAGE is experimental; IPFW was only made vimage-aware
enough so it would not cause the host to abend. IPFW and vimage still
don't integrate correctly.

The fact that IPFW can run on a host kernel with vimage compiled in and
also in a vnet jail at the same time without blowing up DOESN'T mean
that IPFW is really functioning correctly in a vnet jail. The fact that
vnet/jail IPFW log messages are being written to the host's IPFW log
message file strongly indicates IPFW in a vnet jail is insecure and
violates the whole purpose of jail security. To me this is a major show
stopper to using vnet/vimage jails at all.

Adding a comment to PR# 178482 saying this reported problem is still
present in RELEASE 10.1 is about all you can do, next to finding and
correcting the bug in IPFW/vimage yourself. Good luck with that.

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 12:59:30 2015
From: freekai
Date: Tue, 21 Apr 2015 20:58:11 +0800
To: freebsd-jail@freebsd.org
Subject: what are the differences freebsd jails and docker

Nowadays, docker is popular, but what are the differences between freebsd jails and docker?

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 14:02:05 2015
From: wishmaster
Date: Tue, 21 Apr 2015 16:21:19 +0300
To: Ernie Luzar
Cc: Kai Gallasch, freebsd-jail@freebsd.org
Subject: Re[2]: IPFW2 logging inside VIMAGE Jails?
Message-Id: <1429621373.903439725.qof27zc5@frv34.fwdcdn.com>
In-Reply-To: <55364959.9080509@gmail.com>

--- Original message ---
From: "Ernie Luzar"
Date: 21 April 2015, 15:58:04

> In a nutshell, VIMAGE is experimental; IPFW was only made vimage-aware
> enough so it would not cause the host to abend. IPFW and vimage still
> don't integrate correctly.
>
> The fact that IPFW can run on a host kernel with vimage compiled in and
> also in a vnet jail at the same time without blowing up DOESN'T mean
> that IPFW is really functioning correctly in a vnet jail. The fact that
> vnet/jail IPFW log messages are being written to the host's IPFW log
> message file strongly indicates IPFW in a vnet jail is insecure and
> violates the whole purpose of jail security. To me this is a major show
> stopper to using vnet/vimage jails at all.

The last 2 sentences are strange to me. Is the problem with IPFW logging
really such a big problem? You can log all traffic on the base system and
disable logging in the guest host. You can disable ipfw in the jail
completely and filter traffic on the epair[0-9]a interfaces, with no need
to filter traffic twice.

Cheers,
Vitaliy

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 15:30:02 2015
From: Allan Jude
Date: Tue, 21 Apr 2015 11:30:06 -0400
To: freebsd-jail@freebsd.org
Subject: Re: what are the differences freebsd jails and docker
Message-ID: <55366CFE.3090605@freebsd.org>

On 2015-04-21 08:58, freekai wrote:
> Nowadays, docker is popular, but what are the differences between freebsd jails and docker?

Jails actually provide security and isolation. Docker, according to
their documentation, does not.

If you want a nice GUI for your jails, try the Warden utility from
PCBSD, it is in the FreeBSD ports tree.

-- 
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 15:53:56 2015
From: Mateusz Guzik
Date: Tue, 21 Apr 2015 17:53:50 +0200
To: Allan Jude
Cc: freebsd-jail@freebsd.org
Subject: Re: what are the differences freebsd jails and docker
Message-ID: <20150421155350.GB6312@dft-labs.eu>
In-Reply-To: <55366CFE.3090605@freebsd.org>

On Tue, Apr 21, 2015 at 11:30:06AM -0400, Allan Jude wrote:
> On 2015-04-21 08:58, freekai wrote:
> >
> > Nowadays, docker is popular, but what are the differences between freebsd jails and docker?
>
> Jails actually provide security and isolation. Docker, according to
> their documentation, does not.
>
> If you want a nice GUI for your jails, try the Warden utility from
> PCBSD, it is in the FreeBSD ports tree.
>

I would say this is grossly oversimplified and the question itself is
incorrect.

According to http://docs.docker.com/articles/security/ they do make some
claims about isolation and security.

*jail* is a mechanism in the kernel; Docker is just a set of scripts
using the Linux counterpart. I don't know the full extent of what's
possible with Linux containers. Modulo some bugs and minor deficiencies
on either front I would expect them to be roughly feature-comparable;
in particular, I don't expect either solution to have something
inherently unfixable which would not be present in the other solution
as well. Or in other words, I would expect someone bored enough to be
able to implement docker on top of jails.

Docker folks definitely had some questionable stuff (like their
capability handling, not to be confused with capsicum in FreeBSD), but
that's standard with new projects and one could expect such issues to
be plugged for the most part.

The real security concern related to this stuff comes from the fact that
there is only one kernel, so a flaw allowing e.g. arbitrary code
execution within it results in a compromise of the entire machine. So
the question is what kernel exploitation prevention measures are put in
place, what is the general state of kernel security etc. (for instance,
if you don't need a fully featured container and just want to sandbox
something, capsicum on FreeBSD gives you great flexibility, which can
be achieved to some extent with seccomp + selinux).

Or in other words, a significant time effort is needed to come up with a
reasonable comparison. However, in the meantime you can reasonably
safely assume either solution will do the trick similarly well.

-- 
Mateusz Guzik
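The IPFW logging thread earlier on this page (Kai's report that a vnet jail's ipfw log lines land only in the host's /var/log/security, and Vitaliy's suggestion to log on the host and filter on the epair[0-9]a interfaces) leaves the host admin with one mixed log for every jail. The following is an added example, not code from the thread or from FreeBSD: a small Python parser that splits host-side ipfw log lines per jail by the epair interface named in each line, so the host admin can hand each jail admin only their own records. It assumes the ipfw(8) log line shape `ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>`; the epair-to-jail map (`EPAIR_TO_JAIL`) and the log lines (`SAMPLE_LOG`) are constructed for the example, and on a real host the map would be built from the `vnet.interface` entries in jail.conf rather than hard-coded.

```python
"""Split host-side ipfw log lines per vnet jail, keyed by epair interface.

Added example, not code from the mailing-list thread or from FreeBSD.
Assumes the ipfw(8) log line shape
    ... kernel: ipfw: <rule> <Action> <PROTO> <src> <dst> <in|out> via <iface>
and a constructed epair -> jail map; a real host would build that map from
jail.conf's vnet.interface entries rather than hard-coding it.
"""
import re
from collections import defaultdict

IPFW_LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed mapping (assumption): epairNa stays in the host, epairNb is
# moved into the jail's vnet, so both ends of pair N belong to the same jail.
EPAIR_TO_JAIL = {
    "epair0a": "web1",
    "epair1a": "db1",
}

# Constructed sample of a host /var/log/security, not a real capture.
SAMPLE_LOG = """\
Apr 21 12:57:56 jailhost kernel: ipfw: 1000 Deny TCP 203.0.113.7:51234 192.0.2.10:22 in via epair0b
Apr 21 12:57:57 jailhost kernel: ipfw: 2000 Accept TCP 192.0.2.10:80 203.0.113.7:51235 out via epair0a
Apr 21 12:58:01 jailhost kernel: ipfw: 3000 Deny UDP 198.51.100.4:5353 192.0.2.20:5353 in via epair1b
Apr 21 12:58:02 jailhost kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.9 192.0.2.1 in via em0
Apr 21 12:58:03 jailhost sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 40000
"""


def parse_ipfw_line(line):
    """Return a dict for an ipfw log line, or None for any other syslog line."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def jail_for_iface(iface, epair_map=EPAIR_TO_JAIL):
    """Map either end of an epair to its jail; non-epair interfaces belong to the host."""
    m = re.fullmatch(r"(epair\d+)[ab]", iface)
    if m is None:
        return None
    return epair_map.get(m.group(1) + "a")


def split_by_jail(lines, epair_map=EPAIR_TO_JAIL):
    """Bucket parsed ipfw records by jail name; unattributed ones go under 'host'."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue  # not an ipfw line (sshd etc.)
        jail = jail_for_iface(rec["iface"], epair_map) or "host"
        buckets[jail].append(rec)
    return dict(buckets)


def deny_counts(buckets):
    """Per-jail count of denied packets, the figure a jail admin most wants to see."""
    return {jail: sum(1 for r in recs if r["action"] == "Deny")
            for jail, recs in buckets.items()}


if __name__ == "__main__":
    split = split_by_jail(SAMPLE_LOG.splitlines())
    for jail, recs in sorted(split.items()):
        print(f"[{jail}]")
        for r in recs:
            print(f"  rule {r['rule']} {r['action']} {r['proto']} "
                  f"{r['src']} -> {r['dst']} {r['direction']} via {r['iface']}")
    print("denies:", deny_counts(split))
```

Feeding the script the host's real /var/log/security (for example from a syslog pipe) gives one bucket per jail plus a "host" bucket for traffic on non-epair interfaces; unknown epair numbers also fall into "host" rather than being silently dropped, so a jail that was started without updating the map still shows up. This is a host-side workaround for the behaviour the thread describes, not a fix for the jail's own syslog.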