The jail mechanism is an implementation of

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

OS-level virtualisation OS-level virtualization is an operating system (OS) paradigm in which the kernel allows the existence of multiple isolated user space instances, called ''containers'' (LXC, Solaris containers, Docker, Podman), ''zones'' (Solaris containers), '' ...

that allows

system administrator A system administrator, or sysadmin, or admin is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems, especially multi-user computers, such as servers. The system administrator seeks to ensu ...

s to partition a

-derived computer system into several independent mini-systems called ''jails'', all sharing the same kernel, with very little overhead. It is implemented through a system call, jail(2), as well as a userland utility, jail(8), plus, depending on the system, a number of other utilities. The functionality was committed into FreeBSD in 1999 by

Poul-Henning Kamp Poul-Henning Kamp (; born 1966) is a Danish computer software developer known for work on various projects including FreeBSD and Varnish. He currently resides in Slagelse, Denmark. Involvement in the FreeBSD project Poul-Henning Kamp has been c ...

after some period of production use by a hosting provider, and was first released with FreeBSD 4.0, thus being supported on a number of FreeBSD descendants, including

DragonFly BSD DragonFly BSD is a free and open-source Unix-like operating system forked from FreeBSD 4.8. Matthew Dillon, an Amiga developer in the late 1980s and early 1990s and FreeBSD developer between 1994 and 2003, began working on DragonFly BSD in Ju ...

, to this day.

History

The need for the FreeBSD jails came from a small shared-environment hosting provider's (R&D Associates, Inc.'s owner, Derrick T. Woolworth) desire to establish a clean, clear-cut separation between their own services and those of their customers, mainly for security and ease of administration
jail(8)
. Instead of adding a new layer of fine-grained configuration options, the solution adopted by

was to compartmentalize the system – both its files and its resources – in such a way that only the right people are given access to the right compartments. Jails were first introduced in FreeBSD version 4.0, that was released on . Most of the original functionality is supported on DragonFly, and several of the new features have been ported as well.

Goals

FreeBSD jails mainly aim at three goals: # Virtualization: Each jail is a

virtual environment A virtual environment is a networked application that allows a user to interact with both the computing environment and the work of other users. Email Electronic mail (email or e-mail) is a method of exchanging messages ("mail") betwee ...

running on the host machine with its own files, processes, user and

superuser In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of t ...

accounts. From within a jailed process, the environment is almost indistinguishable from a real system. # Security: Each jail is sealed from the others, thus providing an additional level of security. # Ease of delegation: The limited scope of a jail allows system administrators to delegate several tasks which require superuser access without handing out complete control over the system. Unlike chroot jail, which only restricts processes to a particular view of the

filesystem In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...

, the FreeBSD jail mechanism restricts the activities of a process in a jail with respect to the rest of the system. In effect, jailed processes are

sandboxed In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software Vulnerability (computing), vulnerabilities from spreading. The isolation metaphor is taken ...

. They are bound to specific

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

es, and a jailed process cannot access divert or routing sockets.

Raw socket A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming ...

s are also disabled by default, but may be enabled by setting the security.jail.allow_raw_sockets

sysctl sysctl is a software utility of some Unix-like operating systems that reads and modifies the attributes of the system kernel such as its version number, maximum limits, and security settings. It is available both as a system call for compiled ...

option. Additionally, interaction between processes that are not running in the same jail is restricted. The utility and

system call In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, acc ...

first appeared in FreeBSD 4.0. New utilities (for example to list jails) and system calls (for example to attach a new process to a jail) that render jail management much easier were added in FreeBSD 5.1. The jail subsystem received further significant updates with FreeBSD 7.2, including support for multiple IPv4 and IPv6 addresses per jail and support for binding jails to specific CPUs.

Virtualization

With it is possible to create environments, each having its own set of utilities installed and its own configuration. Jails on the permit software packages to view the system egoistically, as if each package had the machine to itself. Jails can also have their own, independent, jailed superusers. The FreeBSD jail does not however achieve true virtualization; it does not allow the virtual machines to run different kernel versions than that of the base system. All jails share the same kernel. There is no support for clustering or

process migration In computing, process migration is a specialized form of process management whereby processes are moved from one computing environment to another. This originated in distributed computing, but is now used more widely. On multicore machines (multip ...

Security

FreeBSD jails are an effective way to increase the security of a server because of the separation between the jailed environment and the rest of the system (the other jails and the base system). FreeBSD jails are limited in the following ways: * Jailed processes cannot interact with processes in a different jail, or on the main host. For example, the command will only show the processes running in the jail. * Modifying the running kernel by direct access and loading modules is prohibited. Modifying most

s and the securelevel is prohibited. * Modifying the network configuration, including interfaces, interface or IP addresses, and the

routing table In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with tho ...

, is prohibited. Accessing divert and routing sockets are also prohibited. Additionally, raw sockets are disabled by default. A jail is bound only to specific IP addresses and firewall rules cannot be changed. With the introduction of VNET(virtual network stack), the jails are free to modify their Network Configuration (including interfaces, IP addresses, etc.), provided the vnet is enabled for the jail. * Mounting and unmounting filesystems is prohibited. Jails cannot access files above their root directory (i.e. a jail is chroot'ed). * Jailed processes cannot create device nodes.

References

External links

Jails
by

jail(8) man page

at

ONLamp O'Reilly Media (formerly O'Reilly & Associates) is an American learning company established by Tim O'Reilly that publishes books, produces tech conferences, and provides an online learning platform. Its distinctive brand features a woodcut of a ...