NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: NetBSD Jails

At Sun, 17 May 2020 11:11:22 +0200, Niels Dettenbach <> wrote:
Subject: Re: NetBSD Jails
> Am 17.05.2020 um 06:01 schrieb Greg A. Woods <>:
> >
> > I know some people do allow human users to login to FreeBSD "jails", but
> > I really have to wonder why.  I think if you want to give human users
> > the idea that they have their own machine then you really do need to
> > give them a whole VM (at least with Unix/POSIX systems -- modernized
> > multics-like systems might be a better way).
> if you really wonder, take a look at i.e. FreeNAS as other projects
> which uses BSD jails as containers for virtual multi host environments
> (i.e. mailservers, LAMP stuff, Database servers, Samba stuff and
> proprietary / binary software etc) which all have their own IPs as
> root as user contexts in fs as userspace and security isolation
> (system as net / firewalling etc) is a major reason. This is one of
> the most used scenarios today.

Indeed, as I say, I know people do this and I've seen lots of it.  I
have friends and colleagues who have tried to tell me how and why.  I've
gone to talks at BSDCan about the how's and why's and I've chatted to
people in the halls after about these talks.

But what I've been trying to express in my questions on this thread is
that I still don't understand the deep reasons why this is seen as a
_necessary_ approach.

Many folks are doing it because others do it.

Well, all I can say to that is have fun on your bandwagon, and don't let
me stop you!

Some think there are some security benefits.

I continue to see security issues which are a direct result of more
complex code, more complex configurations, and more complex management
overhead.  Chroot isn't 100% secure, especially not for processes with
superuser privileges, and jails are no better.

I.e. I think chroot environments are good, in so far as they go, but I'm
less trusting of even FreeBSD jails because of the added complexity,
both under the hood, and in configuration and management.  Other
competing technologies on other platforms such as those on Solaris and
Linux are even more complex and convoluted.

In the end there is inherently less security with any and all forms of
virtualization and/or sharing of resources.  If absolute security is
your requirement then you really need separate hardware for each circle
of trust (especially as we've seen with the issues coming from the very
fundamentals of modern CPU internals).

Some think there are performance benefits.

I do see there are performance tradeoffs, but if chroot is enough then
why add even the additional layers of code needed for FreeBSD jails?

If you actually really need a fully isolated and completely full
featured environment where you can run complex applications in
"reasonably secure" sandbox style isolation then why not choose the best
possible hardware you can afford that supports a full virtual machine
environment such as Xen, or nvmm/bhyve with qemu or virtualbox, etc.?
(e.g. I bought a used Dell server for about $500 and I can run Xen with
many domUs on it very efficiently)

					Greg A. Woods <>

Kelowna, BC     +1 250 762-7675           RoboHack <>
Planix, Inc. <>     Avoncote Farms <>

Attachment: pgpcJ6bZFM1tS.pgp
Description: OpenPGP Digital Signature

Home | Main Index | Thread Index | Old Index