FreeBSD Jails for Fun and Profit (2020) | Better HN

154 comments

69 comments · 13 top-level

freemint4y ago· 14 in thread

I never understood the appeal of BSD jails over Solaris zones which seem to be more hardened and seem to vitualize more of the OS.

drclau4y ago

Note that FreeBSD Jails were introduced in 1999, while Solaris Containers and Zones were introduces in 2004. At the time FreeBSD Jails were introduced, probably the only alternative that was wildly available was chroot, which is really far from what Jails offer. Full virtualization was too slow to be practical for most scenarios, back then. 1999 is the year when Pentium III was released.

pjmlp4y ago

Bringing other UNIX into the party, HP-UX Virtual Vaults, which were introduced in HP-UX 11, available in 1997.

betaby4y ago

> probably the only alternative that was wildly available was chroot

Opensource Linux-vserver https://en.wikipedia.org/wiki/Linux-VServer was available in 2001. At the same era commercial Virtuozzo was ubiquitous amount hosting providers.

I've seen nothing which would suggest that Solaris zones are more taxing than BSD jails. Did you imply that claim?

FreeBSD is the appeal.

Back in the earlier days of containerisation Linux had no options (Linux was pretty late to that particular game) and Solaris wasn’t free. So FreeBSD made a lot of sense.

These days the tooling around Linux is better and there are open source forks of Solaris so FreeBSD might seem like an odd choice for some. However I still think FreeBSD is a rock solid operating system and one that doesn’t get taken as seriously these days as it should do.

AndrewUnmuted4y ago

FreeBSD's appeal for me is the easy maintenance. Everything related to config is in /etc/rc.conf; tunables in /boot/loader.conf. The ZFS implementation is rock-solid. I therefore only have to fiddle with my FreeBSD server, running 80TB ZFS storage pool, once a year or so.

No other OS gives me this kind of comfort and stability.

lordgroff4y ago

While I'm thoroughly a Linux person, I agree. I understand why Docker and the Linux container won the day, but the fact that FreeBSD is one system helps a ton with the overall intelligibility of the system inside that container. Oh, this container is Debian based, this is Centos, that one is busybox... No, every jail is just a FreeBSD system you know what you get for its bones. That's really nice.

Same here, but I never understood how BSD jails or Solaris zones are better over normal hardware virtualization which is used in Qubes OS. In addition, you get a great UX in the latter.

Containerisation makes much more sense than virtualisation in a lot of areas:

* lower runtime overhead

* quicker deployment time

* smaller image foot print

Plus most of the advantages of VMs can still be applied.

However it does massively depend on individual use cases. Qubes aims to be ultra secure and containers in Linux weren’t up to that task at the time (the situation has since improved massively).

nix234y ago

> Same here, but I never understood how BSD jails or Solaris zones are better over normal hardware virtualization which is used in Qubes OS. In addition, you get a great UX in the latter.

Tells me you don't know the difference between HW-Virtualisation and OS-Virtualisation.

Also OS level emulation. Linux system calls can be translated to Solaris system calls allowing to run Linux specific workloads without having to emulate hardware and a full Linux kernels. Furthermore before Dtrace was ported Linux it allowed to debug Linux workloads under DTrace.

I don't think Qubes OS existed around 2000, did it?

The issue with zones was the lack in the early days of GNU software and the difficulty in compiling certain things.

For instance, awk can act differently and if you don't know the 25 year old decisions that led to the differences, it can be very confusing. (There are different behaviors and command line switches between GNU's AWK and the version from SVR4/XPG)

eddieh4y ago

Lack of GNU stuff would be a selling point.

drclau4y ago· 12 in thread

FreeBSD Jails were so much better than everything else out there, for a long time. I'll just copy&paste part of a comment I wrote on another HN thread some time ago, since it's relevant here:

[...] In fact, many years ago, when FreeBSD was my main OS (including on notebook) I went as far as to isolate each app that used internet into its own custom-setup jail [0][1]. I had Firefox, Thunderbird, Pidgin and a few others running in complete isolation from the base system, and from each other. I even had a separate Firefox jail that was only allowed to get out via a Tor socks proxy to avoid leaks (more of an experiment than a necessity, to be fair). Communication between jails was done via commonly mounted nullfs. I have also setup QoS via PF for each of them. They were all running on the host’s Xorg, which was probably also the weakness of this setup. It was a pretty sweet setup, but required quite a bit of effort to maintain, even tho I automated most of the stuff. [...]

The original comment is here: https://news.ycombinator.com/item?id=27709256

cnst4y ago

Sounds pretty cool! TBH, I don't understand how the "modern" app security models are not deemed to be fundamentally insecure in 2021 where any random app on any random system can simply leak your whole photo library to their servers, or delete all your files. Why do banking apps need full access to my filesystem? Why don't the reviewers of the app stores prohibit such practices of excessive permissions?

Yes, there's always a question of usability, but if you're an advanced user, it's still scary that you're not afforded any control to prevent these incidents unless you go ahead and redesign the whole way all these apps are working all by yourself.

It seems terribly inefficient if every engineer has to do it on their own, and in their own incompatible way. Obviously most people simply give up after a while, since maintaining such a setup might itself be a whole full-time job.

rsync4y ago

"... I even had a separate Firefox jail that was only allowed to get out via a Tor socks proxy to avoid leaks ..."

I have looked into doing this many times and it's neither simple nor straightforward.

Specifically: jailing a GUI app that you can interact with on your desktop.

I can't remember what the most promising recipe I saw for this was but it wasn't quite promising enough to compel me to built it up ... and this discussion is always (rightly) hijacked with "just use Qubes" ...

VTimofeenko4y ago

Firejail with spawning nested Xorg works fine for me, including text-only copypaste between "host" and "guest" and automatic file synchronization through bind-like mounts. For some firejails I also use Linux network namespaces to control traffic going through taps. My introduction to this approach was the alternative Gentoo handbook by Sakaki[1], but the principles would apply on any distro.

There's also a very interesting read on Qubes-like experience on NixOs with Wayland and XWayland[2,3].

[1]: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Inst...

[2]: https://roscidus.com/blog/blog/2021/03/07/qubes-lite-with-kv...

[3]: https://roscidus.com/blog/blog/2021/10/30/xwayland/

Bastille template to bootstrap Firefox:

https://github.com/ddowse/jailfox

vegai_4y ago

Is there a reason why FreeBSD doesn't default to running all applications in jails? Seems like this would be a pretty huge advantage compared to the typical Unix system's almost complete lack of sandboxing.

what should run in a jail? you need the base system to run jails. and that is pretty much the only thing that is installed.

pjmlp4y ago

I beg to differ, given that HP-UX Virtual Vaults were quite alright and precede Jails.

drclau4y ago

(noticed your reply to my other comment too, please consider this a reply to both)

I wasn't aware of HP-UX Virtual Vaults, thanks. However, I'd say FreeBSD Jails still had an advantage, due to being free and running on various hardware platforms, and more importantly on commodity hardware.

hestefisk4y ago

In the same way LPARs preceded Virtual Vaults on System z? :)

ajross4y ago

Yes, but in a sense that's the essence of why the technology got left behind. Jails were a mechanism for expert admins to play with container ideas.

What the market actually wanted was Docker. And what Docker needed was Linux containers (complicated, flexible, piecewise technology) and not jails, which were higher level abstractions (but yet not high enough) with jargon and framework assumptions that didn't match Docker's needs 1:1.

pjmlp4y ago

And slowly the only thing left from Docker will be the image format.

StreamBright4y ago

The "market" did not want Docker. Docker as a product failed.

There are many reasons why FreeBSD jails count not get out for FreeBSD land, one, very important thing is the Linux community's NIH attitude.

rsync4y ago· 11 in thread

One thing I find so valuable about jails is the ability to jail a single command with no other userland than what that binary requires.

Here's an example from my personal name server:

  /usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.conf

... and although this jail has a lot of content files in it, the actual UNIX userland is only what is required to run 'lighttpd':

  # find /jails/www/usr | wc -l
  43

So it's an extremely lightweight environment with very little attack surface.

You can also share a lightweight environment with multiple commands - here are two other jail commands:

  /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.conf
  /usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.conf

... see how both jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland ? Once again, that userland is very, very compact:

  # find /jails/dns/|wc -l
  97

... so, 97 files total to run both name servers.

No 'make world' necessary, no building and maintaining of a full FreeBSD system - just the lightest skeleton required for both 'nsd' and 'unbound'.

hda1114y ago

How does it know what is needed to run? What if its a program that controls another program via CLI?

toast04y ago

One needs to assemble the jail. There may be tools for this, although I haven't used them. It's real easy if you can build a static executable, if it's a normal dynamic executable, you can use ldd (or something) to get all the libraries and just remember to pull in ld.so (the runtime linker). If it's dynamically loading modules (like Apache HTTP and PHP often are configured) or running other executables like you asked, that's harder to automate.

Totally feasible on Linux, btw.

Packaging an entire system is more about convenience than anything else. It's also pretty difficult to package just the libs one needs when you are dependent on libc and other C libs.

I suspect that if one was really ok with it, some tooling could be built to copy/link in system libs into the rootfs automatically from the host.

chriswarbo4y ago

> It's also pretty difficult to package just the libs one needs when you are dependent on libc and other C libs.

It's pretty easy using Nix, e.g. this example defines a container for running a shell script: https://ryantm.github.io/nixpkgs/builders/images/ocitools

That script depends on bash, bash depends on libc, etc. so those dependencies (and only those dependencies) will be put in the container. (See https://nixos.org/guides/nix-pills/enter-environment.html#id... for an example of what dependencies look like in Nix).

> I suspect that if one was really ok with it, some tooling could be built to copy/link in system libs into the rootfs automatically from the host.

Eww, no thanks! I want my containers to be reproducible.

pricci4y ago

Exodus?

Exodus – relocation of Linux binaries–and all of their deps–without containers - https://github.com/intoli/exodus

heavyset_go4y ago

Can you use jails with, say, and a bindfs / overlayfs / snapshot type of file-system, to run an executable in a jail that's a restricted and read-only view of your currently running system?

I did some reading and it looks like FreeBSD's unionfs or nullfs would handle the file-system part.

trasz4y ago

Yes. If it's literally read-only then it's safe and easy (just use read-only nullfs); if it's to be writable, but read-only below (like overlayfs), you'll have to use unionfs which is still a bit... temperamental.

And? How is this more secure.

Just seems unnecessarily complicated.

KZerda4y ago

It's more secure because you're minimizing the attack surface. The jailed process has no binaries an attacker can use to further exploit the system, not even a shell. It means that there's a minimal to non-existent /etc directory, meaning there is less information about the server and the network it's on. It also means there are fewer places to hide modules to persist, because you control so much of the tree.

Going further, you can place the few executable files you need in a read-only filesystem, so attackers can't copy their own payloads in, further restricting what they can do. You can continue that process with firewall rules that are much more restrictive than what you could use with a more general purpose server, such as blocking any traffic that isn't to or from port 80/443. You can also virtualize the network of a jail, so an attacker wouldn't even get information about the network's layout from a compromised jail.

justsomehnguy4y ago

Heard the same about SELinux.

Typical application attack path:

RCE in the app -> ability to use anything in the OS under the app user privileges -> privilege escalation -> The whole box pwned (including access to all your secrets and management credentials)

Remediation process: wipe the box

Attack path for an app within a jail:

RCE in the app -> ability to use anything in the OS but there is nothing to use, must bring own tools (not always feasible) -> privilege escalation -> JAIL is pwned but not the box

Remediation process: recreate the jail

lmm4y ago

The complete mess that is containers on linux seems a whole lot more complicated to me. Jails do what you want in a simple way that works; containers are endlessly customizable such that you require a whole runtime and management daemon and message-bus integration and goodness knows what else.

luto4y ago· 5 in thread

(FreeBSD) jails are amazing. I just wish there were easier ways to use them more "cattle"-like, so I can augment or replace Docker/Podman. At the moment tooling and many of the real-world setups remind me a lot of "pet" LXC containers or even VMs in the Linux world.

The tooling is slowly moving in a direction I like, though :)

kettunenOP4y ago

Author here!

This is an old post of mine which I happened to find useful. Orchestration of jails moved quite bit forward lately! For example, you can manage your jails quite nicely with containerd today! See great post from Samuel Karp about the topic: https://samuel.karp.dev/blog/2021/05/running-freebsd-jails-w...

milofeynman4y ago

I use LXC on Proxmox and I do everything with Ansible scripts. Is there something moving towards docker-like repository in LXC land? Would love to just run the latest pihole or nginx or what have you on LXC

stjohnswarts4y ago

Are they superior to firejail on linux? I kind of always figured they were similar level of "sandboxing" but I never had enough interest in BSD to dig in myself.

trasz4y ago

They are completely different mechanism for doing different kind of stuff. Firejail sounds like something closer to Capsicum, but without the security model.

heresie-dabord4y ago

On a Debian GNU/Linux or derivative:

apt-cache search jail

firejail - sandbox to restrict the application environment

firejail-profiles - profiles for the firejail application sandbox

firetools - Qt frontend for the Firejail application sandbox

dgellow4y ago· 5 in thread

Just curious, is there an equivalent (or at least similar in spirit) to FreeBSD jails in the Windows world?

mastax4y ago

There's Windows Containers[0], which are analogous to Docker containers. They can either be run shared-kernel or in a Hyper-V container. Also Virtualization-based security[1], which is supposed to be completely transparent so it's not really a developer or deployment tool.

[0]: https://docs.microsoft.com/en-us/virtualization/windowsconta... [1]: https://docs.microsoft.com/en-us/windows-hardware/design/dev...

VTimofeenko4y ago

There used to be Virtuozzo containers for Windows and looks like they are bringing it back as a technical preview:

https://docs.virtuozzo.com/virtuozzo_hybrid_server_7_users_g...

erkserkserks4y ago

There’s Sandboxie, which works decently, but does have some compatibility issues: https://sandboxie-plus.com/

hestefisk4y ago

Windows 10 kernel supports “Sandbox”, which might be what comes closest.

Do you mean the graphical Windows Sandbox tool? Can it also be used headless to run a service for example? That would come pretty close.

tambourine_man4y ago· 3 in thread

I always hoped for macOS to borrow FreeBSD jails for itself.

A Docker-like solution with a pretty UI could be really useful for pros. For novices, it could mean a less cumbersome security measure than the restrictions we’ve been experiencing since Catalina.

eddieh4y ago

macOS would definitely benefit from adding support for jails and a whole host other features like procfs, unionfs, bindfs, tmpfs, etc.

trasz4y ago

Erm, why would anyone want procfs? It's obsoleted in FreeBSD for a good reason.

jbverschoor4y ago

I would like an auto-jail, based on the directory you’re in (similar to asdf/rbenv). There’s just too much complexity in software, and so many things run on your machine these days. You can’t really trust any application anymore

qqumut4y ago· 3 in thread

Are Jails really that safe & secure?

They're approximately as safe as modern Docker is. Upside to Docker: more security knobs (eBPF, kernel MAC, &c); upside to jails: probably easier to get right out of the box, fewer footguns. Both jails and containers (and Solaris Zones) share a fundamental security weakness, which is a kernel shared between tenants.

bigodanktime4y ago

Counts what you are afraid against. There's always some side channel attack that could possibly used to gain information, even on VM's this is true. Off the top of my head there could be some timing attack to gain information on which libraries others are using by reading in libraries and seeing if they are warm in the buffer cache, counts if you care about sharing the same kernel. I generally find them secure enough considering how fast they can be brought up and down.

Can a process in them exec on the rest of your system?

bigodanktime4y ago· 1 in thread

A great wrapper UI I have used for FreeBSD Jails is iocage (https://iocage.readthedocs.io/en/latest/). Its a great project.

Timothycquinn4y ago

I was about to say the same. iocage is now the default jails wrapper on FreeNAS, which means that there is good documentation and support. The previous jails wrapper used by FreeNAS was not very well documented, but was written by some smart folks.

One thing I like about iocage is how easy it is to grant the jail access to the host ZFS datasets.

On a Jails note, I have had issues creating a jail that can do network inspection. I believe this is an issue with network restrictions of the jails subsystem itself. Eg, I could never run nmap or get mac addresses of remote hosts from within a jail.

okokwhatever4y ago· 1 in thread

I am amazed at how many interesting things I still have to learn in this life. Too many tools, too little time to see them all... :(

moeris4y ago

ars longa vita brevis

https://en.wikipedia.org/wiki/Ars_longa%2C_vita_brevis

SpaceInvader4y ago· 1 in thread

I use jails for years, the only thing which is painful are upgrades from ports for all the jails. It's time consuming. Poudriere helps but the whole thing is far from ideal :(

trasz4y ago

Why not prebuilt packages? As in, prebuilt by FreeBSD.org, as opposed to the ones built you build yourself with Poudriere?

I have been playing around with the bastillebsd.org scripts for creating and managing jails. I think it aims to be more 'Docker like'.

Worked well from the limited testing I have done so far

movedx4y ago

With a community driver, HashiCorp's Nomad can handle FreeBSD Jails for you. Worth trying out if FreeBSD is your thing.

ComputerGuru4y ago

Another cool thing about jails is that they're really easy to convert to bhyve virtual machines if your security needs or general paranoia levels increase at any point.

j / k navigate · click thread line to collapse