FreeBSD Mastery: Jails: IT Mastery, #15
5/5
()
About this ebook
CONFINE YOUR SOFTWARE
Jails are FreeBSD's most legendary feature: known to be powerful, tricky to master, and cloaked in decades of dubious lore. Deploying jails calls upon every sysadmin skill you have, and more—but unleashing lightweight virtualization is so worth it.
FreeBSD Mastery: Jails cuts through the clutter to expose the inner mechanisms of jails and unleash their power in your service. You will:
- Understand how jails achieve lightweight virtualization
- Understand the base system's jail tools and the iocage toolkit
- Optimally configure jail hardware
- Manage jails from the host and from within the jail
- Optimize disk space usage to support hundreds or thousands of jails
- Comfortably work within the limits of jails
- Implement fine-grained control of jail features
- Build virtual networks
- Deploy hierarchical jails
- Constrain jail resource usage
- And more!
Strip away the mystery. Read FreeBSD Mastery: Jails today!
"This is the sequel to Git Commit Murder, right ?"
/phk, creator of the jail system
Michael W. Lucas
Michael W Lucas lives in Detroit, Michigan. He is the author of several critically-acclaimed nonfiction books and assorted short stories. His interests include martial arts and Michigan history.
Read more from Michael W. Lucas
Cash Flow for Creators: How to Transform Your Art Into A Career Rating: 0 out of 5 stars0 ratingsEd Mastery (Manly McManface Edition) Rating: 0 out of 5 stars0 ratingsDomesticate Your Badgers: Become a Better Writer through Deliberate Practice Rating: 0 out of 5 stars0 ratingsLetters to ed(1): The FreeBSD Journal Letters column, years 1-3 Rating: 0 out of 5 stars0 ratings
Related to FreeBSD Mastery
Titles in the series (16)
FreeBSD Mastery: Storage Essentials: IT Mastery, #4 Rating: 0 out of 5 stars0 ratingsNetworking for System Administrators: IT Mastery, #5 Rating: 5 out of 5 stars5/5PAM Mastery: IT Mastery, #10 Rating: 0 out of 5 stars0 ratingsFreeBSD Mastery: Specialty Filesystems: IT Mastery, #8 Rating: 0 out of 5 stars0 ratingsFreeBSD Mastery: Advanced ZFS: IT Mastery, #9 Rating: 0 out of 5 stars0 ratingsTarsnap Mastery: IT Mastery, #6 Rating: 0 out of 5 stars0 ratingsRelayd and Httpd Mastery: IT Mastery, #11 Rating: 0 out of 5 stars0 ratingsSudo Mastery: IT Mastery, #13 Rating: 0 out of 5 stars0 ratingsSSH Mastery: OpenSSH, PuTTY, Tunnels and Keys - 2nd edition: IT Mastery, #12 Rating: 0 out of 5 stars0 ratingsEd Mastery: IT Mastery, #13 Rating: 0 out of 5 stars0 ratingsSNMP Mastery: IT Mastery, #15 Rating: 0 out of 5 stars0 ratingsTLS Mastery: Beastie Edition: IT Mastery, #16 Rating: 0 out of 5 stars0 ratingsFreeBSD Mastery: Jails: IT Mastery, #15 Rating: 5 out of 5 stars5/5TLS Mastery: Tux Edition: IT Mastery, #16 Rating: 0 out of 5 stars0 ratingsDNSSEC Mastery, 2nd edition: IT Mastery, #18 Rating: 0 out of 5 stars0 ratingsOpenBSD Mastery: Filesystems: IT Mastery, #19 Rating: 0 out of 5 stars0 ratings
Related ebooks
Sudo Mastery: IT Mastery, #13 Rating: 0 out of 5 stars0 ratingsMastering Linux Network Administration Rating: 4 out of 5 stars4/5Relayd and Httpd Mastery: IT Mastery, #11 Rating: 0 out of 5 stars0 ratingsEd Mastery: IT Mastery, #13 Rating: 0 out of 5 stars0 ratingsMastering KVM Virtualization Rating: 5 out of 5 stars5/5Mastering Proxmox - Second Edition Rating: 0 out of 5 stars0 ratingsMastering Ubuntu Server Rating: 5 out of 5 stars5/5Containerization with LXC Rating: 0 out of 5 stars0 ratingsLinux in Action Rating: 0 out of 5 stars0 ratingsFreeBSD Mastery: Advanced ZFS: IT Mastery, #9 Rating: 0 out of 5 stars0 ratingsFreeBSD Mastery: Storage Essentials: IT Mastery, #4 Rating: 0 out of 5 stars0 ratingsNetworking for System Administrators: IT Mastery, #5 Rating: 5 out of 5 stars5/5Arch Linux: Fast and Light! Rating: 3 out of 5 stars3/5Linux Interview Questions: Open Source Operating Systems Interview Questions, Answers, and Explanations Rating: 5 out of 5 stars5/5Linux Bible Rating: 0 out of 5 stars0 ratingsLinux and the Unix Philosophy Rating: 0 out of 5 stars0 ratingsMastering Embedded Linux Programming Rating: 5 out of 5 stars5/5Proxmox Cookbook Rating: 0 out of 5 stars0 ratingsUbuntu Server Essentials Rating: 0 out of 5 stars0 ratingsOpenBSD Mastery: Filesystems: IT Mastery, #19 Rating: 0 out of 5 stars0 ratingsLinux: Embedded Development Rating: 0 out of 5 stars0 ratingsLINUX CLEARLY EXPLAINED Rating: 2 out of 5 stars2/5DNSSEC Mastery, 2nd edition: IT Mastery, #18 Rating: 0 out of 5 stars0 ratingsLearning RHEL Networking Rating: 0 out of 5 stars0 ratingsLearn Windows Subsystem for Linux: A Practical Guide for Developers and IT Professionals Rating: 0 out of 5 stars0 ratingsLPI Linux Certification Questions: LPI Linux Interview Questions, Answers, and Explanations Rating: 4 out of 5 stars4/5FreeBSD Mastery: Specialty Filesystems: IT Mastery, #8 Rating: 0 out of 5 stars0 ratingsTarsnap Mastery: IT Mastery, #6 Rating: 0 out of 5 stars0 ratingsBSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD and NetBSD Rating: 0 out of 5 stars0 ratingsMastering Proxmox Rating: 5 out of 5 stars5/5
Operating Systems For You
Excel : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Excel Programming: 1 Rating: 5 out of 5 stars5/5Windows 11 All-in-One For Dummies Rating: 5 out of 5 stars5/5CompTIA Linux+ Study Guide: Exam XK0-004 Rating: 0 out of 5 stars0 ratingsHacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Linux: Learn in 24 Hours Rating: 5 out of 5 stars5/5Windows 11 For Dummies Rating: 0 out of 5 stars0 ratingsLearn Windows PowerShell in a Month of Lunches Rating: 0 out of 5 stars0 ratingsExploring Windows 11: The Illustrated, Practical Guide to Using Microsoft Windows Rating: 0 out of 5 stars0 ratingsLinux Bible Rating: 0 out of 5 stars0 ratingsiPhone Unlocked Rating: 0 out of 5 stars0 ratingsHacking Essentials - The Beginner's Guide To Ethical Hacking And Penetration Testing Rating: 3 out of 5 stars3/5Linux Command Line and Shell Scripting Bible Rating: 3 out of 5 stars3/5Linux Command-Line Tips & Tricks Rating: 0 out of 5 stars0 ratingsUltimate SwiftUI Handbook for iOS Developers: A complete guide to native app development for iOS, macOS, watchOS, tvOS, and visionOS Rating: 0 out of 5 stars0 ratingsMastering Windows PowerShell Scripting Rating: 4 out of 5 stars4/5UNIX For Dummies Rating: 3 out of 5 stars3/5Raspberry Pi Cookbook for Python Programmers Rating: 0 out of 5 stars0 ratingsWindows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry Rating: 4 out of 5 stars4/5Linux for Beginners: Linux Command Line, Linux Programming and Linux Operating System Rating: 4 out of 5 stars4/5Macs All-in-One For Dummies Rating: 0 out of 5 stars0 ratingsOneNote: The Ultimate Guide on How to Use Microsoft OneNote for Getting Things Done Rating: 1 out of 5 stars1/5Bash Command Line Pro Tips Rating: 5 out of 5 stars5/5The iPadOS 17: The Complete User Manual to Quick Set Up and Mastering the iPadOS 17 with New Features, Pictures, Tips, and Tricks Rating: 0 out of 5 stars0 ratingsTor Darknet Bundle: Master the Art of Invisibility Rating: 0 out of 5 stars0 ratingsMake Your PC Stable and Fast: What Microsoft Forgot to Tell You Rating: 4 out of 5 stars4/5PowerShell: A Comprehensive Guide to Windows PowerShell Rating: 4 out of 5 stars4/5Getting Started With MacBook Air (2020 Model): A Guide For New MacOS Users Rating: 0 out of 5 stars0 ratingsExploring Windows 10 May 2020 Edition: The Illustrated, Practical Guide to Using Microsoft Windows Rating: 0 out of 5 stars0 ratings
Reviews for FreeBSD Mastery
2 ratings0 reviews
Book preview
FreeBSD Mastery - Michael W. Lucas
FreeBSD Mastery: Jails
Michael W Lucas
Table of Contents
Title Page
Acknowledgements
Foreword by Poul-Henning Kamp
Chapter 0: Introduction
Virtualization and Jails
Jails versus Chroots
What Is A Jail?
Jail Security
Documentation and History
Prerequisites
Jails and ZFS
Jail Management Tools
What’s In This Book?
Chapter 1: The Jail Host
Storage
Networking
syslogd
ntpd
sshd
Enabling Jails
Iocage Setup
Chapter 2: Jail Essentials
Jail Networking
Jail Sysctls
Parameters and Properties
/etc/jail.conf
Defining Standard Jails
Default Settings
Overriding Defaults
Variables
Iocage Configuration
Changing Parameters
Iocage Booleans
Iocage Defaults
Standard Jail Userland
Iocage Userland
Your First Jail
Creating and Destroying Jails with jail(8)
Creating, Viewing, Renaming, and Destroying Iocage Jails
Jail Directory Testing
Final Jail Configuration
DNS
Time Zone
/etc/fstab
/etc/rc.conf
Root Password and Accounts
Other Configuration
Chapter 3: Jail Management
Startup and Shutdown
Startup and jail(8)
Startup and Iocage
Tuning Startup and Shutdown
Tuning Before Startup
Dying and Life After Death
Users and Jail Commands
Jail Debugging
Debugging Standard Jails
Debugging iocage Jails
Jail Return Codes
Jail Boot Order
Standard Jail Start Order
Iocage Start Order
Viewing Jails
Viewing Parameters
Other Output Formats
Viewing Iocage Jails
Process Management
Jailing Commands
Jailed Process Environment
Console Access
Console Logging
Chapter 4: Jail Filesystems
mount(8) And umount(8)
Filesystem Visibility
Mounting Filesystems at Startup
Mounting Special Filesystems
Standard Jails and Extra Mounts
Iocage and Extra Mounts
Device Filesystems and Jails
Configuring devfs(5)
Standard Jails and Devfs
Iocage and Devfs
Iocage Disk Usage
Chapter 5: Packages and Upgrades
Packages
pkg(8)
Iocage Packages
Patching Jails
Patching with freebsd-update
Backups and Patching with Iocage
Upgrading Jails
Upgrades with freebsd-update
Upgrades with Iocage
Chapter 6: Space Optimization
Clones
Standard Jail Clones
Iocage Clones
Cleaning Clones
Templates
Creating Iocage Templates
Using Iocage Templates
Templates and ZFS
Standard Jail Templates
Updating Templates
Base Jails
Base Jail Packages
Iocage Base Jails
Custom Iocage Base Jails
Iocage Base Jail Rebasing
Standard Base Jails
Default Base Jail fstab Files
Standard Base Jail Crashes
Packages and Standard Base Jails
Preparing an Origin Jail With Packages
Preparing a Derived Jail with Packages
Rebasing Standard Jails
Chapter 7: Living In A Jail
Restarting Your Jail
Processes and Jails
Network Visibility
Chapter 8: Jail Features And Controls
System V IPC
security.jail.sysvipc
Sysvipc and Standard Jails
Sysvipc and Iocage
Securelevels and chflags(1)
Setting Jail Securelevel
File Flags and Securelevel
Mounting Filesystems
Mounting Prerequisites
fdescfs
devfs
nullfs
procfs, linprocfs, and linsysfs
tmpfs
ZFS In A Jail
Configuring a Dataset
Configuring a ZFS-Delegated Standard Jail
Inside the Jail
Configuring a ZFS-Delegated iocage Jail
Minor Features
Change Hostname
Dmesg
Lock Physical Memory
Chapter 9: Networking
Interface Names and Jails
TCP/IP and Jails
Managing Network Access
Multiple Interfaces and Addresses
Ping, Traceroute, and Raw Sockets
Jails and the Loopback Interface
Virtual Networking Stacks: VNET
Virtual Network Design
Our First Virtual Network
Standard VNET Jails
The Jail and VNET
The Host and VNET
iocage VNET Jails
Alternate Interfaces
Complicated Networks
Multiple Bridges
Standard Jails with Multiple Interfaces
iocage With Multiple Interfaces
Manual Interface Plumbing
Other Networking Features
Get Jail Address from DNS
iocage and the Resolver
Chapter 10: Extreme Jails
Hierarchical Jails
Hierarchical Jail Networking
Creating a Parent Jail
Creating Child Jails
Managing Children
Old FreeBSD Versions
Identifying Your Jail
Pillaging the Old Server
Replicating the Old Server
Old Release Compatibility
Running Linux in a Jail
Which Linux?
Creating the Devuan Jail
Helping Linux Jails
Other Jail Tricks
Chapter 11: Resource Restriction and Removal
Periodic(8) and Jails
Resource Limiting
RCTL Rules
RCTL Resources
RCTL Actions
Managing Rules
Filters
RCTL and iocage
Processor Restrictions
Host CPU Topology
CPU Sets
Cpuset and Standard Jails
Cpuset and iocage
Incomplete Jails
Trimming FreeBSD
Network Inheritance
Jails as Control Groups
Chapter 12: iocage Bonuses
Migrating Jails
Migrations and Defaults
Exporting a Jail
Importing a Jail
Migration Cleanup
Iocage Plugins
Afterword
Sponsors
Print Sponsors
Ebook Sponsors
Patronizers
About the Author
Copyright Information
Acknowledgements
I am immensely indebted to the entire FreeBSD community. All the folks who left bread crumbs in twenty years of blogs, forums, and mailing list archives provided valuable trails I followed to assemble this book.
I must especially thank my Patronizers, as well as all the fine folks who sponsored this specific book. You can see these folks at the end of the book, but with one hundred twenty-three backers this book has received more support than any other book I’ve written. Thank you all.
The members of the FreeBSD community who provided technical reviews before publication are owed a special thanks. If this book works for you, it’s because of Fernando Apesteguía, Dave Cottlehuber, Lars Engels, Stefan Esser, Trix Farrar, Michael Gmelin, James Gritton, Poul-Henning Kamp, Marie Helene Kvello-Aune, Michael Dexter, Alexander Leidinger, Fuzz Leonard, Ed Maste, Edward Napierala, Colin Percival, Benedict Reuschling, Brandon Schneider, Matthew Seaman, Devin Teske, and Loganaden Velvindron from cyberstorm.mu. Any errors in this book are mine, and persist despite their valiant efforts.
Finally, I must thank Mateusz Guzik and Brooks Davis for eradicating iBCS2 support from the FreeBSD kernel. Without their timely rescue I would have needed to cover running Microsoft and/or SCO UNIX inside a jail, which would have transformed this from a happy little jails book into one of those madness-inducing Lovecraftian grimoires.
Without every one of these folks, this book would not exist.
Thank you all.
For Liz.
Foreword by Poul-Henning Kamp
This morning I received 'daily run output' emails from 34 FreeBSD systems: From my laptop, five hardware systems, four virtual machine systems and from 24 jails.
My CO2 footprint would be much larger if I hadn't come up with jails twenty years ago, but that was not /quite/ why I invented jails, the driver was more efficient use of hardware and rack-space, but the security value of the one-way-mirror rapidly overshadowed that.
On the Archimedes Scale of intellectual breakthroughs, jails measure around one slightly damp washcloth
: The breakthrough idea of having a private origin for a namespace was made in chroot(2), I just thought of writing some code to do that with more namespaces.
It was only after I had done it, that I realized that imperfect almost always beats perfect virtualization, and the rest of the world seems to agree. At least people have taken that core insight and run like mad with it: Solaris Zones, Docker, Containers, Unikernels and so on.
That stuff may have jumped the shark a bit and there is a YouTube video (PivpCKEiQOQ) with the memorable line You're a bunch of node.js hipsters that just HAVE to install everything you read on Hacker News
you may want to watch.
This book is about the real thing, FreeBSD jails, and if you are anything like me, you will find that jails is a wonderful tool to have in the toolchest: Less CO2 than hardware, simpler than VMs, almost no overhead and more flexible than even I ever imagined jails would become.
But to be honest: All those 'daily run output' emails can be a bit of an annoyance.
Poul-Henning
Chapter 0: Introduction
When I first became a system administrator, operating system installations were vital. Servers cost tens of thousands of dollars, and a medium-sized office had only one or two. Initial installations were rare events that senior sysadmins performed themselves—and with good reason, because everyone endured those decisions for five or ten years. We parsimoniously partitioned disks to balance performance and space utilization. We tuned or even rebuilt kernels to hoard every scrap of memory for our precious applications. What we’d today call routine updates and upgrades were tricky, dangerous events that required meticulous planning, several meetings, and hours or days of scheduled downtime.
Today, operating system installs are as common as sneezes and come in almost as many varieties. Virtualization has revolutionized system administration more than any other technology. We automatically deploy virtual systems to support increased load, and auto-destroy them once the need passes. The sheer number of operating system installs I’m responsible for would have horrified twentieth-century me.
Virtualization and Jails
Virtualization separates an operating system install from the underlying hardware, allowing you to stack operating system instances on top of one another. The operating system instance installed directly on the computer is called the host. The virtualization software running on the host provides virtual hardware for further operating system installs, called virtual machines or guests.
Full virtualization creates a virtual machine, from the BIOS or UEFI on up, for operating system installs. The virtualization system provides a keyboard, mouse, and remote console (usually over VNC or a similar protocol). The virtual machine gets a chunk of disk space, either on top of the host’s filesystem or passed through to a disk partition. A subset of the host’s memory gets set aside for the virtual machine. Full virtualization lets you run many wildly different operating systems simultaneously on one host. FreeBSD’s full virtualization server, bhyve, lets you run anything from Linux to Microsoft Windows on a FreeBSD host.
Lightweight virtualization uses its own userland programs but runs on the host’s kernel. Lightweight virtual machines don’t have private disks, but instead use part of the host’s filesystem. The host provides any networking. The host’s kernel directs the lightweight virtual machine’s memory, processor time, and networking. Lightweight virtual machines on the same host can share filesystems with one another. While the lightweight virtual machine cannot access the host, the host can usually access the lightweight virtual machine.
FreeBSD’s jails were the first lightweight virtualization system in open source Unix. Their capabilities have been continuously enhanced since their introduction in 2000. Today’s jails can run their own network stacks and packet filters, have private ZFS datasets, and do anything except run a different kernel. The modern FreeBSD kernel supports binary interfaces for FreeBSD versions back to FreeBSD 4, as well as certain versions of Linux. This compatibility is a great way to ditch that scary old hardware while keeping a vital application running.
Any time you see the word host,
it refers to the operating system install providing jail services. A host is the bottom layer of the stack of operating systems. The word jail
refers to a lightweight virtual machine running on the host.
Jails versus Chroots
Jails have been called chroots on steroids.
That’s not wrong, but it’s not wholly correct either.
Chroot, or changed root, locks a process into a subset of a filesystem, restricting the files it can access. Chroots limit how much damage a deranged or damaged process can inflict on the host. At one time, chrooting servers to proactively contain intruders was a commonly recommended practice.¹ Today it’s still an easy way to minimize potential damage, but not so widely recommended.
Chroot directories only contain files the chrooted program needs. Does the program need a shell? If not, don’t put /bin/sh in the chroot. The same goes for every other program, shared library, and script on the host. An intruder who compromises a properly chrooted small program won’t be able to do much with her access. Some servers, like OpenSSH’s sshd(8), chroot themselves into an empty directory to thoroughly handicap potential intruders.
While a chroot limits disk access, it does nothing to restrict network access. A chrooted program can access all of the host’s network interfaces and IP addresses. It shares the same process and memory space with all the other processes. Security tools like privilege separation and dropping privileges can help, but a chrooted daemon can still access a whole bunch of resources that aren’t the filesystem.
Jails unshare these resources.
What Is A Jail?
A jail is a collection of namespace transformations.
Uh, what?
Unix has many different named entities, each meant for a particular type of application. Each entity has a discrete namespace. Process IDs are a namespace—each PID is unique within it. The filesystem is a unique namespace, and each file path is unique within it. An IP address attached to the host is unique in the network namespace. Usernames are unique. Just as a single operating system install can’t have two PID 100s, it can’t have two files named /etc/passwd or attach 203.0.113.1 to multiple interfaces. You can create two identical usernames, but it won’t end well.
A jail creates new namespaces for each of these.
Much like a chroot, a jail has a root directory somewhere on the host’s filesystem. You might assign /var/www1 as the root directory for the jail www1. Processes inside the jail think the contents of /var/www1 are in the root directory. While a FreeBSD install can only have one /etc/passwd file, jailed processes see /var/www1/etc/passwd as /etc/passwd. The host knows of many passwd files across the filesystem, but a jailed process perceives only its own namespace.
A chroot-style transformation won’t work on the network. A jail is granted limited access to the host’s network stack, and can use only the IP addresses the host permits. The host might have the whole IP range 198.51.100.1 through 254 attached to a NIC, but if a jail is only allocated 198.51.100.99, running ifconfig em0 in the jail displays only 198.51.100.99. The host, though, can use the jail’s IP address. If the host sysadmin wants to send a ping from a jail’s IP, she can hijack that IP. The jail has no such option. (You can allocate a jail a private network stack, as we’ll see in Chapter 9, but even that’s subordinate to the host.)
Rather like the network stack, process IDs are unique across the host. Each jail gets a slice of the process namespace. Jailed processes can affect only other processes within that jail’s process namespace. The host can create, signal, terminate, and otherwise twiddle processes in any jail’s namespace.
The root user inside a jail is not the same as the root user of the host. A jail’s root account can start and stop that jail’s processes, administer that jail’s users, and even mount filesystems inside the jail if the host permits, but is helpless beyond the jail.
A jail is wholly subordinate to the host. Even if an intruder gains access to the jailed system, the host retains supervisory access and can intervene. Think of it like a literal jail cell. The inmates can freely use their own bed. The warden gets a one-way mirror that looks into the cell and can impose changes at will.
Most jail documentation assumes that you’ll put a complete operating system install in a jail, but that’s not necessary. You can populate a jail sparsely enough to make the most hard-core chroot fan nod approvingly.
Jail Security
Some people argue that jails are not secure. Others claim they are secure. Who’s right?
To be simultaneously correct and useless: both of them.
Like all security matters, the answer is it depends.
Today’s sysadmins practice in an environment where everything is a security risk. We can’t trust our hardware, our operating systems, or our software. Every so often, someone figures out a way to escape hypervisors. Developers patch and we all move on. So jails are not secure.
The solution isn’t to rely on bare metal. A FreeBSD security expert spotlighted a class of problems with Intel processors back in 2005 that recently reached critical mass. Even if your main CPU is solid, what about all the other hardware? Nowadays, many server components have their own operating system. You can attach a serial console to the proper pins on a hard drive and get a command prompt.
Nothing is secure. Everything is terrible.
Asking if a jail is secure means asking about your application, your environment, and your risks. Should you provide nuclear missile controls with a jail? No. You also shouldn’t control nuclear missiles on a public web site. Can you provide customer web sites in a jail? Probably, unless you have the sort of customers that get kicked off of one provider after another. Consider the risks that you, your organization, and your customers face.
Even if you utterly trust the security provided by jails, they’re only one component of a security strategy. You certainly need privilege management and properly