download

Chapter 5Jail LimitationsThe FreeBSD jails do not provide true virtualization as all the jails running on a hostsystem are using the same kernel and sharing a lot of resources. This will lead tosome security issues that may affect all the jails on a system. For example, if a rootuser in a jail has the ability to put the network interface in the promiscuous mode,the user will be able to tap the network traffic for all the other jails running onthe system.Also, due to the fact that all the jails as well as the host system are sharing thesame kernel, the root user inside a jail cannot load or unload any kernel module.Moreover, it has very limited access to sysctl variables. The administrator cannotmodify network configuration such as the IP address, or any other network interfaceconfiguration, or the routing table. The imprisoned root user also has no access to thefirewall rules and always obeys the host system's firewall setup.There are also a few limitations from the perspective of the file system, such as theprohibition of mounting or unmounting the file system inside a jail, because theenvironment is chrooted. Moreover, a root user inside a jail cannot create the devicenodes, as we had discussed earlier in the section—Jails security.SummaryJails offer very low overheads, lightweight virtualization features for FreeBSD.You may run multiple jails on a host system, creating multiple virtual servers, eachof which acts almost like a real server with a few limitations. Jails can be used forcontent hosting, software development, and testing new features without harmingthe host system.Jails can be installed in a few steps, and removed by simply removing thejail's directory.Like other features, jail subsystem is under constant development. The best resourceavailable on the latest updates on jail subsystem is jail(8) manual pages. It isrecommended that a system administrator, who plans to make serious use of jails,reads through this.[ 85 ]