When to use jails vs virtual machines for security?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
When to use jails vs virtual machines for security?
Hello,
I've been reading about jails and wanted to ask when should they be used? Also when should you use a jail over using a virtual machine?
Searching this topic I find mostly threads about configuration of jails, so I hope this is a fresh topic. I come from mostly a Windows background but at my current job, working mostly on FreeBSD, the concept of using a jail for a specific service or process is new to me.
From what I understand, a jail is an isolated OS that is created on the host OS, but only shares access to the kernel. Beyond that, everything else is locked into that jail and cannot access files or services beyond the jail. The jail also does not share user accounts across the host to jail, so even these need to be created as well.
But the question that I wonder, is how do you implement this in a real world setting? Also why would you go with a jail over a virtual guest?
So for example, I need to create a LAMP host under a higher security system. Do I create a jail for each component? One for MySQL, one for Apache, one for PHP? Or do I create a jail holding all three?
I read that some of the problems of a jail is restarting services, would it be better to run a KVM virtual host? Instead of managing multiple commands for each jail, accessing the virtual machine directly sounds like it would be easier to manage?
that's not what a jail is, it's a little simpler / smaller than that. a jail just confines a user to a limited part of a directory tree, hiding the rest of it. It's still the same OS, just you're locked into /var/chroot/ (which becomes your /). as it is that restrictive, any binaries you need to run, e.g. bash, need to also be placed under that location so stuff can work. Chroot jails are not really configured as a thing in their own right, they are often just done by setting "chroot = yes" or something in whichever service you want to use it with. FTP servers are generally the most common place this is done.
If you're interested, openvz is more what you are describing, a lower level partitioning of the OS, rather than a small hack to cause a restriction, and is a half way house between a jail and the conventional view of virtualization.
I would not expect to run a jail for any of those components tbh. It depends on a heap of other things, but I would architecturally look to separate the database from the webserver, which could be on different VM's, but the overall environment needs to be set up in a suitable way to make it worth bothering with, e.g firewalls between them etc. If your environment did mean you were colocating these things on a single server which was dedicated to their existance only, then chrooting them is fine, and very possible. You wouldn't colocate them though, that doesn't really even make much sense, as the chroot is just a small directory tree, so pointless sharing really.
Last edited by acid_kewpie; 11-30-2011 at 01:50 PM.
FreeBSD jails are different to CHROOT jails. As Chris has pointed out a CHROOT jail simply confines a process to a specific root directory generally preventing it from accessing files outside that directory. A FreeBSD jail is essentially virtualising a "mini system" within your operating system. This separates not only files but also processes and users/superusers - the only thing each jail has in common is the system kernel itself.
In your example if you were wanting to create a secure LAMP server you'd create a single jail that contained the LAMP components: Apache, PHP, MySQL etc. In fact FreeBSD jails are commonly used on web servers - one reason is if the www user on a single jail is compromised via PHP exploit, the server and other jails remain uncompromised.
Check out the FreeBSD Manpages for more detailed information (I can't link them for you as this is my first post... just wanted to clear things up for you)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.