FreeBSD jail

The jail mechanism is an implementation of FreeBSD's OS-level virtualisation that allows system administrators to partition a FreeBSD-derived computer system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead.

Poul-Henning Kamp

The functionality was committed into FreeBSD in 1999 by Poul-Henning Kamp after some period of production use by a hosting provider, and was first released with FreeBSD 4.0, thus being supported on a number of FreeBSD descendants, including DragonFly BSD, to this day.
a vast quantity of systems code including the FreeBSD GEOM storage layer, GBDE cryptographic storage transform, part of the UFS2 file system implementation, FreeBSD Jails, malloc library, and the NTP timecounters code.

FreeBSD

The jail mechanism is an implementation of FreeBSD's OS-level virtualisation that allows system administrators to partition a FreeBSD-derived computer system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead.
The main difference between bhyve and FreeBSD jails is that jails are an operating system-level virtualization and therefore limited to only FreeBSD guests; but bhyve is a type 2 hypervisor and is not limited to only FreeBSD guests.

FreeBSD version history

The jail(8) utility and jail(2) system call first appeared in FreeBSD 4.0.
DTrace support was integrated in version 7.1, and NetBSD and FreeBSD 7.2 brought support for multi-IPv4/IPv6 jails.

OS-level virtualization

The jail mechanism is an implementation of FreeBSD's OS-level virtualisation that allows system administrators to partition a FreeBSD-derived computer system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead.
Such instances, called containers (Solaris, Docker), Zones (Solaris), virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernel (DragonFly BSD) or jails (FreeBSD jail or chroot jail), may look like real computers from the point of view of programs running in them.

Comparison of platform virtualization software


Virtual machine

With jail it is possible to create various virtual machines, each having its own set of utilities installed and its own configuration.
The pioneer implementation was FreeBSD jails; other examples include Docker, Solaris Containers, OpenVZ, Linux-VServer, LXC, AIX Workload Partitions, Parallels Virtuozzo Containers, and iCore Virtual Accounts.

Chroot

Unlike chroot jail, which restricts processes to a particular view of the filesystem, the FreeBSD jail mechanism restricts the activities of a process in a jail with respect to the rest of the system.
To make it useful for virtualization, FreeBSD expanded the concept and in its 4.0 release in 2000 introduced the jail command.

Securelevel

When used with FreeBSD jails, each jail maintains its own securelevel in addition to the global securelevel.

Vkernel

The vkernel concept differs from the FreeBSD jail in that a jail is only meant for resource isolation and cannot be used to develop and test new kernel functionality in userland, because every jail shares the same kernel.

System administrator

The jail mechanism is an implementation of FreeBSD's OS-level virtualisation that allows system administrators to partition a FreeBSD-derived computer system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead.

DragonFly BSD

The functionality was committed into FreeBSD in 1999 by Poul-Henning Kamp after some period of production use by a hosting provider, and was first released with FreeBSD 4.0, thus being supported on a number of FreeBSD descendants, including DragonFly BSD, to this day.

File system

Unlike chroot jail, which restricts processes to a particular view of the filesystem, the FreeBSD jail mechanism restricts the activities of a process in a jail with respect to the rest of the system.

Sandbox (computer security)

In effect, jailed processes are sandboxed.

IP address

They are bound to specific IP addresses, and a jailed process cannot access divert or routing sockets.

Network socket

Raw sockets are also disabled by default, but may be enabled by setting the sysctl option.

Sysctl

Raw sockets are also disabled by default, but may be enabled by setting the sysctl option.

System call

The jail(8) utility and jail(2) system call first appeared in FreeBSD 4.0.

Superuser

Since the jail is limited to a narrow scope, the effects of a misconfiguration or mistake (even one made by the in-jail superuser) do not jeopardize the rest of the system's integrity.

Web server

For example, it is possible to run different versions or try different configurations of a web server package in different jails.

XFree86

Without jails, configuring multiple software versions in different directories and ensuring they do not encroach on each other isn't always possible or easy to maintain (e.g. XFree86 is notoriously hard to move around).

Computer cluster

There is no support for clustering or process migration, so the host kernel and host computer are still a single point of failure for all virtual servers.

Process migration

There is no support for clustering or process migration, so the host kernel and host computer are still a single point of failure for all virtual servers.

PHP

For example, in a non-jailed system, a web server running as user www that introduces a PHP-include vulnerability would compromise the entire system: the attacker would gain the rights of user www, which can typically modify files on the web server, wander about the directory tree, and gather a great deal of information, such as the full user list with each account's shell and home directory from /etc/passwd.

File inclusion vulnerability

For example, in a non-jailed system, a web server running as user www that introduces a PHP-include vulnerability would compromise the entire system: the attacker would gain the rights of user www, which can typically modify files on the web server, wander about the directory tree, and gather a great deal of information, such as the full user list with each account's shell and home directory from /etc/passwd.

Shell (computing)

For example, in a non-jailed system, a web server running as user www that introduces a PHP-include vulnerability would compromise the entire system: the attacker would gain the rights of user www, which can typically modify files on the web server, wander about the directory tree, and gather a great deal of information, such as the full user list with each account's shell and home directory from /etc/passwd.