Hello,

I've been reading about jails and wanted to ask when should they be used? Also when should you use a jail over using a virtual machine?

Searching this topic I find mostly threads about configuration of jails, so I hope this is a fresh topic. I come from mostly a Windows background but at my current job, working mostly on FreeBSD, the concept of using a jail for a specific service or process is new to me.

From what I understand, a jail is an isolated OS that is created on the host OS, but only shares access to the kernel. Beyond that, everything else is locked into that jail and cannot access files or services beyond the jail. The jail also does not share user accounts across the host to jail, so even these need to be created as well.

But the question that I wonder, is how do you implement this in a real world setting? Also why would you go with a jail over a virtual guest?

So for example, I need to create a LAMP host under a higher security system. Do I create a jail for each component? One for MySQL, one for Apache, one for PHP? Or do I create a jail holding all three?

I read that some of the problems of a jail is restarting services, would it be better to run a KVM virtual host? Instead of managing multiple commands for each jail, accessing the virtual machine directly sounds like it would be easier to manage?

Thanks!
Rob

that's not what a jail is, it's a little simpler / smaller than that. a jail just confines a user to a limited part of a directory tree, hiding the rest of it. It's still the same OS, just you're locked into /var/chroot/ (which becomes your /). as it is that restrictive, any binaries you need to run, e.g. bash, need to also be placed under that location so stuff can work. Chroot jails are not really configured as a thing in their own right, they are often just done by setting "chroot = yes" or something in whichever service you want to use it with. FTP servers are generally the most common place this is done.

If you're interested, openvz is more what you are describing, a lower level partitioning of the OS, rather than a small hack to cause a restriction, and is a half way house between a jail and the conventional view of virtualization.

I would not expect to run a jail for any of those components tbh. It depends on a heap of other things, but I would architecturally look to separate the database from the webserver, which could be on different VM's, but the overall environment needs to be set up in a suitable way to make it worth bothering with, e.g firewalls between them etc. If your environment did mean you were colocating these things on a single server which was dedicated to their existance only, then chrooting them is fine, and very possible. You wouldn't colocate them though, that doesn't really even make much sense, as the chroot is just a small directory tree, so pointless sharing really.

Thanks for the details, I'll look into openvz (never heard about it before).

Hi there,

FreeBSD jails are different to CHROOT jails. As Chris has pointed out a CHROOT jail simply confines a process to a specific root directory generally preventing it from accessing files outside that directory. A FreeBSD jail is essentially virtualising a "mini system" within your operating system. This separates not only files but also processes and users/superusers - the only thing each jail has in common is the system kernel itself.

In your example if you were wanting to create a secure LAMP server you'd create a single jail that contained the LAMP components: Apache, PHP, MySQL etc. In fact FreeBSD jails are commonly used on web servers - one reason is if the www user on a single jail is compromised via PHP exploit, the server and other jails remain uncompromised.

Check out the FreeBSD Manpages for more detailed information (I can't link them for you as this is my first post... just wanted to clear things up for you)