From: Valentin Bud
Date: Wed, 14 Jul 2010 10:27:04 +0300
To: Aiza
Cc: Ed Flecko, freebsd-questions@freebsd.org
Subject: Re: Clarification: "Jail" -vs- "Chroot"
In-Reply-To: <4C3CF701.9030009@comclark.com>

On Wed, Jul 14, 2010 at 2:30 AM, Aiza wrote:
> Ed Flecko wrote:
>
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences, so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>>
>
> Well, let me take a shot at this. First of all, we are only talking about
> the FreeBSD operating system. The ability to chroot a directory tree has
> been available since RELEASE 2.0. The jail utility first appeared in
> RELEASE 4.0.
>
> The jail utility is just a basic effort to automate the building and
> administration of a chrooted directory tree, which is pretty much useless
> unless it contains a complete copy of the FreeBSD operating system
> binaries. The major shortcoming of the jail command/jail system is that
> each jail has its own copy of the host's running system binaries. FreeBSD
> reserves a limited number of control structures for storing files and
> directories, called inodes. Creating a few jails consumes many of these
> valuable inodes, eventually preventing the creation of new jails and new
> files on the host. Worse yet, each jail loads its own copy of its running
> binaries into memory, which causes thrashing on the swap device as memory
> pages are swapped in and out as the limited memory is shared between the
> host and jails. Besides consuming resources and creating performance
> degradation, this also causes a major administration headache when
> wanting to update the host running system, because the host and the
> jails all have to be running the same RELEASE version.
>
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of the
> jailed running binaries is shared among all the jails. But this still
> leaves you with an administration nightmare as the number of jails
> deployed grows past 5. Now there are some ports in the ports system that
> are utility wrappers around the jail command that try to address this
> administration nightmare. My experience with these is that they are very
> poorly documented and you really need to have a good grasp on how jails
> work and network IP address usage before they are useful. Their ease of
> use quickly evaporates as the number of jails deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large
> number of jails is in project phase right now. Keep checking the ports
> system for qjail.
>
> Now about what to run in a jail. Well, since each jail is like a complete
> stand-alone operating system, you can populate it with any application
> you want. The real limitation is how that jail is going to gain public
> internet access so the domain name of your Apache website can be found
> and accessed. A static IP address is pretty much required, though with
> some creative IP address assignments this can be circumvented. That's a
> whole other subject area.

Hello community,

Aiza, could you please tell us more about qjail? Google isn't very helpful
and I am very interested in the subject.

Thank you.
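Added example (not from this thread, from qjail, or from the FreeBSD project): a jail.conf(5) file showing the "single shared copy of the base system" layout Aiza describes, which is how the inode and memory duplication he warns about is avoided. One read-only base tree is nullfs-mounted into every jail, and each jail keeps only a small writable tree of its own. The directory names, hostnames, interface name and addresses are constructed for illustration. Note the difference from a plain chroot(2): chroot only narrows the file system view, while jail(2) also pins the jail to its own IP address(es), hides host processes, and (with the allow.* parameters left off) denies raw sockets, mounts and SysV IPC.

```conf
# /etc/jail.conf -- added example, not the thread's or the project's file.
# Assumed layout (constructed for this example):
#   /usr/jails/basejail        one full base system, built once, mounted read-only
#   /usr/jails/<name>          per-jail writable tree holding /etc, /var, /usr/local, /tmp,
#                              with symlinks (bin -> basejail/bin, lib -> basejail/lib, ...)
#                              pointing into the shared mount

# Parameters common to all jails; $name expands to the jail's name.
path = "/usr/jails/$name";
host.hostname = "$name.example.com";
interface = "em0";                 # jail(8) adds each jail's ip4.addr as an alias here

# Mount the shared base read-only under each jail's root, so the binaries
# exist once on disk (one set of inodes) and once in memory, not once per jail.
mount += "/usr/jails/basejail $path/basejail nullfs ro 0 0";
mount.devfs;                       # managed /dev inside the jail
devfs_ruleset = 4;                 # devfsrules_jail: hide everything but the basic devices

exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                        # start rc with a clean environment, not the host's

# Keep the jail confined beyond what chroot(2) gives: no raw sockets,
# no mounting inside the jail, no shared SysV IPC with the host.
allow.raw_sockets = 0;
allow.mount = 0;
allow.sysvipc = 0;

# One block per jail; each gets its own static address, as Aiza notes.
www  { ip4.addr = 192.0.2.10; }
mail { ip4.addr = 192.0.2.11; }
dns  { ip4.addr = 192.0.2.12; }
```

With this layout the base is updated once (a new world installed into /usr/jails/basejail) and every jail sees it on its next restart, which is what addresses the "same RELEASE version" maintenance problem in the thread; the per-jail /etc and /var still have to be merged the same way they are on the host. Because the base is mounted read-only, a compromised service inside one jail cannot modify the binaries that the other jails share.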