This page is currently work in progress. Content can be discussed in freebsd-jail@freebsd.org mailinglist.
General
Jails were introduced in FreeBSD 4.X by Poul-Henning Kamp.
You can read more about Jails in the FreeBSD handbook and man pages.
Existing Patches
Feature | Status | Author | Description
CPU + RAM limits | Not fully working / stalled | | Jails can now have the amount of memory available to their processes' resident sets (RSS)
Multi-IPv4/v6/no-IP jails | done / committed | Bjoern A. Zeeb | As an alternative to full network stack virtualization, this work provides a lightweight solution for multi-IP virtualization. Perforce status overview; SVN 188281
Wildcard IP (INADDR_ANY) should not bind inside a jail | done / stalled | Frank Behrens | If there is a jail, its assigned IP address should not be considered a valid address for INADDR_ANY on the host. With this change an easy jail setup is possible without further modification of the host's base configuration! PR 84215 (patch)
jexec - selection by jail name | done / committed | Frank Behrens | jexec(8) needs the numeric id of a jail. This id is not constant and changes on jail restarts, so it is desirable to select a jail by its name. The attached patch is a sample implementation. PR 119305 (patch)
Set priority in rc.d | done / not committed | Jan Srzednicki | A simple rc.d jail patch to enable priority (patch)
Do not keep JID incrementing forever | done / committed / reverted | Ed Schouten | Jail numbers currently increment forever; keeping them low makes jls/ps output a lot easier to read. No more 4-5 digit numbers in your test setup, where you only have 10-20 jails. PR 122270
Per prison process count limit | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Separated UID hash | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Separated SysV IPC | done / stalled | Alex Lyashkov | Done as part of FreeVPS
File handles usage limit | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Hierarchical jails | work in progress | Jamie Gritton | Hierarchical jails under the new framework (jails inside jails)
Future plans in FreeBSD Jails / virtualization
If you have any ideas / requests, please use the freebsd-jail@ mailinglist to discuss them.
freebsd-arch@ kernel level virtualisation requirements / quota system changes
freebsd-arch@ kernel level virtualisation requirements / list of ideas
This is a list of well known / often discussed requests; some of them will never be done in Jail, some are or will be covered in other ways:
- be able to specify a different root for the virtual machine
- be able to specify a different output for "uname"
- be able to specify a different network address
- be able to specify a different routing table (setfib(1))
- be able to specify a completely different network universe
- be able to dedicate an interface to it
- be able to have a separate PID space for it
- be able to specify a separate UID space for it
- be able to specify a CPU maximum quota
- be able to confine it to some set of CPUs (cpuset(1))
- be able to have different mount tables for it
- be able to specify a different security level for it [sysctl kern.securelevel is already per jail]
- be able to specify disk IO limits for it
- SNMP monitoring of jail resources (port by Stef Walter)
- exposure of certain sysctl values inside jails
- wildcard IP (INADDR_ANY) should not bind inside a jail, PR 84215; this is a known problem from the beginning of Jails and is stated in the BUGS section of jail(8) [fixed by the Multi-IPv4/v6/no-IP jails patch]
- unprivileged jail_attach / a way to do jail_attach as non-root; done as port sysutils/jailme by Bill Moran (jailme)
- hierarchical jails (multilevel jails): mailing list discussion, patches by Jamie Gritton (jh, jhu)
Known problems and bugs
- impossible to kill a jail / zombie jail: PR 89528, "Fixing old TTY bugs". This will (hopefully) be fixed by the new TTY layer.
- multiple PostgreSQL servers in multiple jails (SysV IPC problem): initial question, continuation. In short: use different UIDs for PostgreSQL in each jail. You can also use some loader.conf tunables for IPC: kern.ipc.shmmni=2048 kern.ipc.shmseg=2048 kern.ipc.semmni=128 kern.ipc.semmns=512. And of course allow IPC in jails with jail_sysvipc_allow="YES" in the host's rc.conf (or security.jail.sysvipc_allowed=1 in the host's sysctl.conf).
- bug in cpuset(1): at the moment it is possible for a superuser inside a jail to modify the root cpuset of that jail. PR 134050
Tips
- leak of the system message buffer from the host system to jails
By default jails can read the system message buffer (i.e. the console buffer). In many cases this isn't desired. Add the following line to /etc/sysctl.conf to turn it off: security.bsd.unprivileged_read_msgbuf=0
- allow ping inside a jail
If you need to use ping inside a jail, you must set the sysctl security.jail.allow_raw_sockets=1 (add security.jail.allow_raw_sockets=1 to the host's sysctl.conf).
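Added example, not from this wiki page or the FreeBSD project: a POSIX sh check that reads key=value lines in the form `sysctl -e` prints on FreeBSD and reports the jail-related knobs named in the Tips and Known problems sections (message buffer read access, raw sockets, SysV IPC). The input below is constructed so the check runs without a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the jail-related sysctl knobs
# discussed above. Input is assumed to be "key=value" lines such as
# `sysctl -e security.jail` prints on FreeBSD; the sample is constructed.

SAMPLE_SYSCTL='security.bsd.unprivileged_read_msgbuf=1
security.jail.allow_raw_sockets=1
security.jail.sysvipc_allowed=0
kern.securelevel=-1'

# sysctl_value KEY: print KEY's value from key=value lines on stdin (empty if absent).
sysctl_value() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^${key_re}=//p" | head -n 1
}

# audit_jail_sysctls INPUT: print one line per finding and return the finding count.
# Wanted values follow the page: message buffer reads off; raw sockets and SysV IPC
# only when the jails actually need them (ping, PostgreSQL with distinct UIDs).
audit_jail_sysctls() {
    input=$1
    findings=0
    msgbuf=$(printf '%s\n' "$input" | sysctl_value security.bsd.unprivileged_read_msgbuf)
    if [ "$msgbuf" != "0" ]; then
        echo "FINDING: jails can read the host message buffer (security.bsd.unprivileged_read_msgbuf=${msgbuf:-unset}, want 0)"
        findings=$((findings + 1))
    fi
    raw=$(printf '%s\n' "$input" | sysctl_value security.jail.allow_raw_sockets)
    if [ "$raw" = "1" ]; then
        echo "NOTE: raw sockets allowed in jails (security.jail.allow_raw_sockets=1); needed for ping, otherwise set 0"
        findings=$((findings + 1))
    fi
    ipc=$(printf '%s\n' "$input" | sysctl_value security.jail.sysvipc_allowed)
    if [ "$ipc" = "1" ]; then
        echo "NOTE: SysV IPC is shared between host and jails (security.jail.sysvipc_allowed=1); use distinct UIDs per jail"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run over the constructed sample; the exit status is the finding count.
audit_jail_sysctls "$SAMPLE_SYSCTL" || echo "$? jail sysctl finding(s)"
```

On a real host, feed it live output with `audit_jail_sysctls "$(sysctl -e security.bsd.unprivileged_read_msgbuf security.jail)"`.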
Useful utilities
Some of them can be used only on older versions of FreeBSD (4.x / 5.x).
Let me know if you know / wrote some others.
- ezjail: A framework to easily create, manipulate and run FreeBSD jails (sysutils/ezjail)
- jailadmin: A system for managing a set of named jails (sysutils/jailadmin)
- jailaudit: Script for generating portaudit reports for jails (ports-mgmt/jailaudit)
- jailctl: Jail management tool (sysutils/jailctl)
- jailer: Manage FreeBSD jail startup, shutdown and console (sysutils/jailer)
- jailme: A setuid version of jexec to allow normal users access to jails (sysutils/jailme)
- jailutils: Several utilities for managing jails (sysutils/jailutils)
- jkill: Shuts down a running jail and all its processes (sysutils/jkill)
- jps: Wrapper to ps(1) that maps pids to jails (sysutils/jps)
- jtop: Wrapper to top(1) that maps pids to jails (sysutils/jtop)
- p5-BSD-Jail-Object: An object oriented Perl interface to jail(2) (sysutils/p5-BSD-Jail-Object)
- mod_jail: Apache 1.3.x/2.0.xx module to enable an easy alternative to mod_chroot (www/mod_jail)