Old 11-30-2011, 12:45 PM   #1
Registered: Jul 2009
Location: Union City, CA, USA
Distribution: FreeBSD, Mint, CentOS
Posts: 35

When to use jails vs virtual machines for security?


I've been reading about jails and wanted to ask when should they be used? Also when should you use a jail over using a virtual machine?

Searching this topic I find mostly threads about configuration of jails, so I hope this is a fresh topic. I come from mostly a Windows background but at my current job, working mostly on FreeBSD, the concept of using a jail for a specific service or process is new to me.

From what I understand, a jail is an isolated OS that is created on the host OS, but only shares access to the kernel. Beyond that, everything else is locked into that jail and cannot access files or services beyond the jail. The jail also does not share user accounts between the host and the jail, so even these need to be created as well.

But the question I wonder about is how do you implement this in a real-world setting? Also, why would you go with a jail over a virtual guest?

So for example, I need to create a LAMP host under a higher security system. Do I create a jail for each component? One for MySQL, one for Apache, one for PHP? Or do I create a jail holding all three?

I read that one of the problems with a jail is restarting services; would it be better to run a KVM virtual host? Instead of managing multiple commands for each jail, accessing the virtual machine directly sounds like it would be easier to manage?

Old 11-30-2011, 01:48 PM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

That's not what a jail is; it's a little simpler / smaller than that. A jail just confines a user to a limited part of a directory tree, hiding the rest of it. It's still the same OS, just you're locked into /var/chroot/ (which becomes your /). As it is that restrictive, any binaries you need to run, e.g. bash, need to also be placed under that location so stuff can work. Chroot jails are not really configured as a thing in their own right; they are often just done by setting "chroot = yes" or something in whichever service you want to use it with. FTP servers are generally the most common place this is done.

If you're interested, openvz is more what you are describing, a lower level partitioning of the OS, rather than a small hack to cause a restriction, and is a half way house between a jail and the conventional view of virtualization.

I would not expect to run a jail for any of those components tbh. It depends on a heap of other things, but I would architecturally look to separate the database from the webserver, which could be on different VMs, but the overall environment needs to be set up in a suitable way to make it worth bothering with, e.g. firewalls between them etc. If your environment did mean you were colocating these things on a single server which was dedicated to their existence only, then chrooting them is fine, and very possible. You wouldn't colocate them though; that doesn't really even make much sense, as the chroot is just a small directory tree, so it's pointless sharing really.

Last edited by acid_kewpie; 11-30-2011 at 01:50 PM.
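The "binaries need to also be placed under that location" step above, as an added example that is not part of the thread: a small POSIX sh helper that copies a binary and the libraries ldd(1) reports for it into a chroot tree, refuses to build from an incomplete dependency list, and then lists any symlink inside the tree that resolves back outside it. It assumes a Linux host with ldd and a readlink that supports -f; /var/chroot and /bin/bash at the bottom are placeholders.

```shell
#!/bin/sh
# Build the file set for a chroot jail: a binary plus the shared libraries
# ldd(1) reports for it, copied under $ROOT at their original absolute paths,
# then a check that no symlink inside the tree points back outside it.
# Assumptions (not from the thread): a Linux host with ldd(1) and a readlink
# that supports -f; the paths in the last comment are placeholders.

# Turn ldd output into one absolute library path per line. Handles
# "name => /path (0xaddr)" and bare "/path (0xaddr)" (the loader) lines,
# and drops the vDSO and any "not found" entries.
lib_paths_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Libraries ldd could not resolve. A chroot built from a partial list fails
# only at exec time, so this is checked before anything is copied.
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Copy one file into $1 keeping its absolute path. cp -p keeps mode and
# owner and dereferences symlinks, so the jail holds real files.
install_into_chroot() {
    root="$1"; file="$2"
    mkdir -p "$root$(dirname "$file")"
    cp -p "$file" "$root$file"
}

# Copy a binary and everything it links against; fail if anything is missing.
install_binary() {
    root="$1"; bin="$2"
    deps=$(ldd "$bin")
    [ -z "$(printf '%s\n' "$deps" | missing_from_ldd)" ] || return 1
    install_into_chroot "$root" "$bin"
    printf '%s\n' "$deps" | lib_paths_from_ldd | while read -r lib; do
        install_into_chroot "$root" "$lib"
    done
}

# List symlinks under $1 whose resolved target lies outside the tree; such
# links are dead once chrooted, or a sign that something reaches out.
escaping_links() {
    root=$(readlink -f -- "$1")
    find "$root" -type l | while read -r link; do
        target=$(readlink -f -- "$link" || true)
        case "$target" in
            "$root"/*) ;;
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Usage: ROOT=/var/chroot; install_binary "$ROOT" /bin/bash; escaping_links "$ROOT"
```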
Old 12-01-2011, 12:46 PM   #3
Registered: Jul 2009
Location: Union City, CA, USA
Distribution: FreeBSD, Mint, CentOS
Posts: 35

Original Poster
Thanks for the details, I'll look into openvz (never heard about it before).
Old 12-02-2011, 01:46 AM   #4
LQ Newbie
Registered: Dec 2011
Location: Melbourne, Australia
Distribution: Ubuntu, FreeBSD
Posts: 1

Hi there,

FreeBSD jails are different to CHROOT jails. As Chris has pointed out a CHROOT jail simply confines a process to a specific root directory generally preventing it from accessing files outside that directory. A FreeBSD jail is essentially virtualising a "mini system" within your operating system. This separates not only files but also processes and users/superusers - the only thing each jail has in common is the system kernel itself.

In your example, if you were wanting to create a secure LAMP server you'd create a single jail that contained the LAMP components: Apache, PHP, MySQL etc. In fact FreeBSD jails are commonly used on web servers; one reason is that if the www user in a single jail is compromised via a PHP exploit, the server and other jails remain uncompromised.

Check out the FreeBSD Manpages for more detailed information (I can't link them for you as this is my first post... just wanted to clear things up for you)
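The single LAMP jail this post describes, written out as a jail.conf as an added example that is not part of the thread. It uses the jail(8) configuration-file format that FreeBSD 9.1 and later read from /etc/jail.conf; the jail name, path, hostname and the TEST-NET-1 address are placeholders, and the allow.* and securelevel lines are the knobs that keep a compromised www user confined to the jail rather than reaching the host or its siblings.

```conf
# /etc/jail.conf (added example; names, paths and the address are placeholders)
# Settings outside a jail block apply to every jail defined in the file.
path = "/usr/jail/$name";           # the jail's root; $name is the jail name
host.hostname = "$name.example.com";
exec.start = "/bin/sh /etc/rc";     # normal rc boot inside the jail
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                         # do not leak the host's environment in
mount.devfs;
devfs_ruleset = 4;                  # devfsrules_jail: no raw disks, no /dev/mem
allow.raw_sockets = 0;              # processes in the jail cannot forge packets
allow.set_hostname = 0;
allow.mount = 0;                    # nothing inside can mount host filesystems
enforce_statfs = 2;                 # only mounts under the jail root are visible
securelevel = 2;                    # kernel securelevel applied to the jail

# One jail holds the whole LAMP stack, as suggested above.
www {
    ip4.addr = "192.0.2.10";        # the jail's own address, not the host's
}
```

Once /usr/jail/www holds a base system, `service jail start www` (with `jail_enable="YES"` in /etc/rc.conf) boots it, and `jexec www /bin/sh` gives the administrator a shell inside it for installing Apache, PHP and MySQL.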

