FreeBSD Jails and Containers - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Jails with Chroot
Jails build upon the chroot concept, which is used to change the root directory of a set of processes. This creates a safe environment, separate from the rest of the system.
- Processes created in the chrooted environment cannot access files or resources outside of it
- If an attacker compromises a service running in a chrooted environment, they shouldn't be able to compromise an entire system.
Chroot limitations
- Suited for easy tasks that don't require flexibility or complex, advanced features
- There have been many ways to escape from a chrooted environment
Jails improve upon the chrooted environment. In a traditional chroot environment, processes are limited only in the parts of the file system they can access. The rest of the system resources, system users, running processes, and the networking subsystem are shared between the chrooted processes and the processes of the host system. Jails expand this model by virtualizing access to the file system, the set of users, and the networking subsystem.
Types of Jails
Thick Jails
In a thick jail, a complete copy of the base system is replicated within the jail's environment. This means that the jail has its own separate instance of the FreeBSD base system, including libraries, executables, and configuration files.
- Can be thought of as a complete standalone FreeBSD installation, running within the confines of the host system.
Advantages:
- High degree of isolation - processes are isolated from the host system and other jails
- Independence - can have different versions of libraries, configurations and software than the host system or other jails
- Security - Vulnerabilities or issues affecting the jail environment won't directly impact the host or other jails
Disadvantages:
- Resource Overhead - consume more resources compared to thin jails due to the jail having its own separate base system.
- Maintenance - each jail requires its own maintenance and updates for its base system
Thin Jails
A thin jail is a type of FreeBSD jail that replicates a substantial portion, but not all, of the base system within the isolated environment. A thin jail shares the base system using OpenZFS snapshots or NullFS mounts from a template. Only a minimal subset of the base system is duplicated for each thin jail, resulting in less resource consumption compared to a thick jail. This means that thin jails have less isolation and independence. Changes in shared components could potentially affect multiple thin jails simultaneously.
OpenZFS is an open-source implementation of the ZFS file system and volume manager.
Advantages:
- Resource Efficiency - share most of the base system so they consume less disk space and memory. This allows you to run more jails on the same hardware.
- Faster Deployment - Creating and launching thin jails is faster compared to thick jails.
- Unified Maintenance - Updates and maintenance of common base system components only need to be done once on the host
- Shared Resources - Jails can easily share common resources with the host system. Can lead to more efficient disk caching and improved performance for applications within the jail.
Disadvantages:
- Reduced Isolation - Vulnerabilities/issues affecting shared components could potentially impact multiple jails simultaneously
- Security Concerns - Reduced isolation can pose a security risk, as the compromise of one jail can lead to the compromise of other jails or the host system.
- Dependency Conflicts - jails might need different versions of the same libraries or software
- Compatibility Challenges - applications within the thin jail might encounter compatibility issues if they assume a certain base system environment that differs from the shared components provided by the template.
VNET Jails
A FreeBSD VNET jail is a virtualized environment that allows for the isolation and control of network resources for processes running within it. It provides a high level of network segmentation and security by creating a separate network stack for processes within the jail, ensuring that network traffic within the jail is isolated from the host system and other jails.
VNET only adds a network configuration mechanism on top of a jail, so a VNET jail can be either a thick or a thin jail.
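Added example (not from the original notes or from the FreeBSD project): a jail.conf entry for a jail that is both thin (shared base mounted through NullFS) and VNET (its own network stack). The jail name, directory layout, bridge0, the epair number, and the 192.0.2.x addresses are assumed placeholders.

```conf
# /etc/jail.conf fragment (constructed example; names, paths and addresses are placeholders)
thinvnet {
  # Startup, shutdown and console log
  exec.start      = "/bin/sh /etc/rc";
  exec.stop       = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_${name}.log";

  # Start with a clean environment and give the jail its own /dev view
  exec.clean;
  mount.devfs;

  host.hostname = "${name}";
  path          = "/usr/local/jails/${name}";

  # THIN part: the base system comes from a shared template via NullFS.
  # The fstab file named below is assumed to contain two lines:
  #   <template dir>      /usr/local/jails/thinvnet           nullfs ro 0 0
  #   <per-jail data dir> /usr/local/jails/thinvnet/skeleton  nullfs rw 0 0
  # Mounting the template read-only keeps a process inside this jail from
  # modifying base files that other thin jails also use.
  mount.fstab = "/usr/local/jails/${name}-nullfs-base.fstab";

  # VNET part: a separate network stack instead of an address on a host
  # interface (no ip4.addr / interface parameters here).
  vnet;
  vnet.interface = "${epair}b";

  $id      = "10";
  $ip      = "192.0.2.${id}/24";
  $gateway = "192.0.2.1";
  $bridge  = "bridge0";
  $epair   = "epair${id}";

  # Host side: create the epair and attach its "a" end to the bridge
  exec.prestart  = "/sbin/ifconfig ${epair} create up";
  exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
  exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";

  # Jail side: configure the "b" end inside the jail's own stack
  exec.start += "/sbin/ifconfig ${epair}b ${ip} up";
  exec.start += "/sbin/route add default ${gateway}";

  # Host side: remove the epair when the jail stops
  exec.poststop  = "/sbin/ifconfig ${bridge} deletem ${epair}a";
  exec.poststop += "/sbin/ifconfig ${epair}a destroy";
}
```

Replacing the mount.fstab line with a path that holds a full copy of the base system would make the same entry a thick VNET jail.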
Linux Jails
Linux jails are a feature of the FreeBSD OS that enables the use of Linux binaries and applications within a FreeBSD jail. The purpose of the Linux jail is to facilitate the execution of Linux software on a FreeBSD system without needing a separate Linux VM or environment.
Link used: https://docs.freebsd.org/en/books/handbook/jails/