Full Version: The Jail Thread
The Planet Forums > Operating Systems > BSD
UberDuper
How many of you run jails?
What methods do you use to manage them? How do you like to set them up? How do you deal with disk and bandwidth quotas?

For those of you that do not know what a freebsd jail is:
A jail is an environment isolated and restricted from the host environment. You can create a jail to run a specific process like a web server or an ftp server. This provides the ultimate in protection against compromised services. If someone gains root access to your jail via an exploit of ProFTPd, they will only have access to the jail environment and not your main host system.

A jail can also be used to run a whole other instance of freebsd userland. That is, your jail would appear to be a virtual server on top of your main server. This is no vmware or emulation. There is no CPU overhead in running these jails. The only requirement is enough disk to house another copy of freebsd and a free IP address. In this jail, you're free to run another web server, or MTA, or shells for resale. You can use this jail almost just as you would your host system.

The cons:
You can't ping or traceroute from within a jail.
top does not function within a jail.
I think postgresql does not function in a jail.
Making the host system "jail friendly" is no fun.

I use jails to create multiple independent servers for each user. I take a Super Celeron 1.7 package with 5 IP addresses and create 4 jails on the server. I use one or two jails for myself and rent the other jails out to help cover the cost of the server.

If you'd like to learn more about jails, the best place to start is "man jail". It's an excellent man page that will walk you through the whole process of setting up your jail.
delo-
I run a few client sites and any site that is running php-puke in a jail 8 vserver. Been running them for over a year now on a 4.8 box and it's been great. The sites are rock solid and each user can do their own thing without stepping on anyone else's toes.

For more info check out these links

man 8 jail
http://memberwebs.com/nielsen/freebsd/jails/
http://garage.freebsd.pl/
http://subwiki.honeypot.net/cgi-bin/view/F...dAndUpdateJails

The man 8 jail page is all you really need and there are some other "Jailadmin" ports you can now install to help manage the jails.


Thanks

Jeremy
klaude
I run a jail on my 5.2 fileserver at home to handle all the public stuff (like web serving.. ssh/ftp from the outside, etc). I've been starting them in rc.local. System uptime is only 54 days because I had to mess with my UPS.

I haven't run across too many jails here at SM though. I'd love to gather stats on who is though. If any of you are running jails on your SM box speak up!
Blue|Fusion
Sorry to bring up an old post, but this looks like what I am looking for....hopefully.

I am running RHEL3, and want to jail users to their home directory. All I really need is for users not to be able to get out of their home directory. I don't know if you have to chroot to do so, but any means to keep them in their home directory is what I am looking for.

Can you point me in the direction of this jail stuff for linux rather than BSD?
UberDuper
How are your users accessing the box? If it's just ftp, then your ftpd should be able to chroot them into their home directory. As far as jails go, those are specific to BSD. There are linux virtual servers that are similar to the freebsd jail tho. But I don't get the impression that you're looking for a virtual server. Sounds like you just want to chroot them to their home dir.

UD.
Blue|Fusion
Yeah chroot is what I am looking for I guess...cPanel has that option built right into WHM for users with shell access, but I have Plesk and don't know how to do that, and it does not have that option.
facecake
QUOTE (klaude)
I haven't run across too many jails here at SM though. I'd love to gather stats on who is though. If any of you are running jails on your SM box speak up!


Yup, only the one here (for ssh and qmail (yes qmail is the dog's balls, none of this sendmail rubbish; www.qmailrocks.org if you're wanting an "easy" install guide))
trippin
I run 4 virtual servers (jails) on my box. The only service that is not running in a jail is sshd (so that I can control the box), but I have all my daemons running in my jail. I resell each jail to friends who have need of such a thing. It is also a very good security feature b/c if my dns server gets hacked then they will only have access to my jail, which I can reclaim my data and rebuild my world and start from scratch again. I love jails, but I really wish that there were fewer limits. I stumbled upon this http://www.tel.fer.hr/zec/vimage/ the other day. Network Stack Cloning. Looks interesting. It would allow jails to be able to do all those lovely things that I have wanted. Appears that multi ips per jail, per jail firewalls, and full tcp access (icmp, etc) would be allowed. Too bad I don't have the balls to do a remote reboot on my server. I'm @ 272 days up and I like it that way. I use DNS entries to keep my jails straight: vs0.leetsauce.net is my main server with only sshd running as I mentioned. It is also the only ip which accepts icmp at all. I block icmp to all my other jails. I store jail data in /usr/jail/$HOSTNAME where $HOSTNAME is obviously the hostname of the jail. So currently I have 4 dirs in there; this makes things very easy to keep straight. I really enjoy jails and just wish I could apply that patch, rebuild world, and know that my system would come back up nicely, but I don't trust myself enough for that, I'm sure I would forget something. Heck I'd love to upgrade to 4.10 and apply that patch, but remote build world just scares me!
-trippin
UberDuper
That's exactly how I'm using jails on my server. Cept I'm running sshd and net-snmpd on the host. Got 4 jails set up. I'm only actually using one right now. Haven't found anyone interested in renting any of the other 3 jails. Doing the src upgrade remotely isn't a big deal. It's just that I have to upgrade the host, then each of the jails. Too much work for someone as lazy as me.

UD.
X-Istence
I want to look into jails so that I can hand out root to a few friends without being worried that I will come back to a box that is dead.

Personally run a jail for samba. All my files are synced between /usr/storage/ and /usr/jail/samba.network.home/ so both drives always have the same files and info. Twas a pain in the arse to get it all up and running. I'll see if I want to add jails to a few servers I admin.