This page is currently work in progress. Content can be discussed on the freebsd-jail@freebsd.org mailing list.
General
Jails were introduced in FreeBSD 4.X by Poul-Henning Kamp.
You can read more about jails in the FreeBSD Handbook and the man pages.
Existing Patches
Feature | Status | Author | Description
--- | --- | --- | ---
CPU + RAM limits | Not fully working / stalled | | Jails can now have the amount of memory available to their processes' resident sets (RSS)
Multi-IPv4/v6/no-IP jails | In progress | Bjoern A. Zeeb | The multi-IPv4/v6 jails project was resumed in early January after previous work had been abandoned in 2006.
Wildcard IP (INADDR_ANY) should not bind inside a jail | done / stalled | Frank Behrens | If there is a jail, the assigned IP address should not be considered a valid address for INADDR_ANY on the host. With this change an easy jail setup is possible without further modifications of the host's base configuration. PR 84215 (patch)
jexec - selection by jail name | done / committed | Frank Behrens | jexec(8) needs the numeric id of the jail. This id is not constant and changes on jail restarts, so it is desirable to select a jail by its name. The attached patch is a sample implementation. PR 119305 (patch)
Set priority in rc.d | done / not committed | Jan Srzednicki | A simple rc.d jail patch to enable priority (patch)
Do not keep JID incrementing forever | done / committed | Ed Schouten | Jail numbers used to increment forever; reusing them makes jls/ps output a lot easier to read. No more 4-5 digit numbers in your test setup, where you only have 10-20 jails. PR 122270
Per prison process count limit | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Separated UID hash | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Separated SysV IPC | done / stalled | Alex Lyashkov | Done as part of FreeVPS
File handles usage limit | done / stalled | Alex Lyashkov | Done as part of FreeVPS
Future plans in FreeBSD Jails / virtualization
If you have any ideas / requests, please use the freebsd-jail@ mailing list to discuss them.
freebsd-arch@ kernel level virtualisation requirements / quota system changes
freebsd-arch@ kernel level virtualisation requirements / list of ideas
This is a list of well-known / often-discussed requests; some of them will never be done in Jail, and some are or will be covered in other ways:
- be able to specify a different root for the virtual machine
- be able to specify a different output for "uname"
- be able to specify a different network address
- be able to specify a different routing table
- be able to specify a completely different network universe
- be able to dedicate an interface to it
- be able to have a separate PID space for it
- be able to specify a separate UID space for it
- be able to specify a CPU maximum quota
- be able to confine it to some set of CPUs
- be able to have different mount tables for it
- be able to specify a different security level for it [sysctl kern.securelevel is already per jail]
- be able to specify a disk IO limits for it
- SNMP monitoring of jail resources
- exposure of certain sysctl values inside jails
- wildcard IP (INADDR_ANY) should not bind inside a jail (PR 84215). This is a known problem from the beginning of jails and is stated in the BUGS section of the jail(8) man page.
- unprivileged jail_attach / a way to do jail_attach as non-root. Done as the port sysutils/jailme by Bill Moran (jailme).
Known problems and bugs
- impossible to kill a jail / zombie jail (PR 89528, "Fixing old TTY bugs"). This will (hopefully) be fixed by the new TTY layer.
- multiple PostgreSQL servers in multiple jails (SysV IPC problem) (initial question, continuation). In short: use different UIDs for PostgreSQL in each jail. You can also use some loader.conf tunables for IPC: kern.ipc.shmmni=2048 kern.ipc.shmseg=2048 kern.ipc.semmni=128 kern.ipc.semmns=512. And of course allow IPC in jails with jail_sysvipc_allow="YES" in the host's rc.conf (or security.jail.sysvipc_allowed=1 in the host's sysctl.conf).
Tips
By default jails can read the system message buffer (i.e. the console buffer). In many cases this isn't desired. Add the following line to /etc/sysctl.conf to turn it off: security.bsd.unprivileged_read_msgbuf=0
If you need to use ping inside a jail, you must have jail_socket_unixiproute_only="NO" in the host's rc.conf.
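An added example, not code from this wiki page or from the FreeBSD project: a small POSIX sh audit that reads a dump in the "key: value" format printed by sysctl -a and reports the jail-related knobs mentioned in the Known problems and Tips sections above (message buffer readability, shared SysV IPC, the socket restriction needed for ping, and the kern.ipc.shmmni value suggested for several PostgreSQL jails). Both dumps are constructed for the example rather than captured from a host, and the sysctl name security.jail.socket_unixiproute_only is assumed to be the kernel knob behind the jail_socket_unixiproute_only rc.conf variable.

```shell
#!/bin/sh
# Added example (not from the FreeBSD wiki page): audit a sysctl dump for the
# jail-related knobs discussed in "Known problems" and "Tips".
# Input format is the "key: value" output of `sysctl -a` on FreeBSD.
# Assumption: security.jail.socket_unixiproute_only is the sysctl behind the
# jail_socket_unixiproute_only rc.conf variable.

# Constructed dump of a host with the default (permissive) settings.
SAMPLE_SYSCTL='security.bsd.unprivileged_read_msgbuf: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 0
kern.ipc.shmmni: 192
kern.ipc.semmni: 10'

# Constructed dump of a host tuned as the sections above suggest.
HARDENED_SYSCTL='security.bsd.unprivileged_read_msgbuf: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
kern.ipc.shmmni: 2048
kern.ipc.semmni: 128'

# sysctl_get DUMP KEY -> prints the value of KEY, or nothing if it is absent
sysctl_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2; exit }'
}

# audit_jail_sysctls DUMP -> prints one "WARN ..." or "INFO ..." line per finding
audit_jail_sysctls() {
    dump=$1

    # Tips: jails should not be able to read the host message buffer.
    v=$(sysctl_get "$dump" security.bsd.unprivileged_read_msgbuf)
    case "$v" in
        0)  ;;  # hardened as the Tips section recommends
        "") echo "INFO security.bsd.unprivileged_read_msgbuf not present in dump" ;;
        *)  echo "WARN security.bsd.unprivileged_read_msgbuf=$v: jails can read the host message buffer; set it to 0 in /etc/sysctl.conf" ;;
    esac

    # Known problems: SysV IPC is one shared namespace across jails.
    v=$(sysctl_get "$dump" security.jail.sysvipc_allowed)
    if [ "$v" = "1" ]; then
        echo "INFO security.jail.sysvipc_allowed=1: SysV IPC is shared across jails; run each jail's PostgreSQL under a distinct UID"
    fi

    # Tips: ping inside a jail needs the socket restriction turned off.
    v=$(sysctl_get "$dump" security.jail.socket_unixiproute_only)
    if [ "$v" = "0" ]; then
        echo "INFO security.jail.socket_unixiproute_only=0: jails may create socket types beyond unix/inet/route (needed for ping inside a jail)"
    fi

    # Known problems: loader.conf suggests kern.ipc.shmmni=2048 for many PostgreSQL jails.
    v=$(sysctl_get "$dump" kern.ipc.shmmni)
    if [ -n "$v" ] && [ "$v" -lt 2048 ]; then
        echo "INFO kern.ipc.shmmni=$v: below the 2048 suggested above for several PostgreSQL jails"
    fi
}

# count_findings DUMP LEVEL -> number of findings at LEVEL (WARN or INFO)
count_findings() {
    audit_jail_sysctls "$1" | awk -v lvl="$2" '$1 == lvl { n++ } END { print n + 0 }'
}

audit_jail_sysctls "$SAMPLE_SYSCTL"
```

On a real host you would feed the script the output of `sysctl -a` instead of the constructed dump; WARN marks the setting the Tips section says to change, while INFO lines are reminders that the knob is set the way a multi-jail PostgreSQL or ping setup needs, so that the trade-off is visible rather than silently in place.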
Useful utilities
Some of them can be used only on older versions of FreeBSD (4.x / 5.x).
Let me know if you know of or wrote some others.
- ezjail: A framework to easily create, manipulate and run FreeBSD jails (sysutils/ezjail)
- jailadmin: A system for managing a set of named jails (sysutils/jailadmin)
- jailaudit: Script for generating portaudit reports for jails (ports-mgmt/jailaudit)
- jailctl: Jail management tool (sysutils/jailctl)
- jailer: Manage FreeBSD jail startup, shutdown and console (sysutils/jailer)
- jailme: A setuid version of jexec to allow normal users access to jails (sysutils/jailme)
- jailutils: Several utilities for managing jails (sysutils/jailutils)
- jkill: Shuts down a running jail and all its processes (sysutils/jkill)
- jps: Wrapper to ps(1) that maps pids to jails (sysutils/jps)
- jtop: Wrapper to top(1) that maps pids to jails (sysutils/jtop)
- p5-BSD-Jail-Object: An object-oriented Perl interface to jail(2) (sysutils/p5-BSD-Jail-Object)
- mod_jail: Apache 1.3.x/2.0.xx module to enable an easy alternative to mod_chroot (www/mod_jail)