
Jail Facility

From FreeBSDwiki

Revision as of 15:09, 6 August 2012

The jail facility builds a special-purpose directory tree containing an entire FreeBSD distribution. Any process started inside a jail is confined to that directory tree, because the jail directory becomes the root directory (chroot) of those processes.

The FreeBSD Handbook describes the manual method of creating jails, but it is hard to follow and it is very easy to make mistakes doing everything by hand.

The qjail port is used to deploy small or large numbers of jails quickly.

Qjail (q = quick) is a fourth-generation wrapper for the basic chroot jail system that adds security and performance enhancements, plus a new level of user-friendliness for deploying anything from a few jails to large jail environments of hundreds of jails.

Qjail eliminates all the rc.conf configuration statements normally required to define jails with the "jail" command; no knowledge of jail command usage is required.

Qjail automatically populates each newly created jail with the host files necessary to gain network access from the jail's first start.

It uses "nullfs" to mount the system binaries read-only, sharing one copy of them with all the jails.

It uses "mdconfig" to create sparse image jails. A sparse image jail limits the total disk space a jail can consume, while occupying only as much physical disk space as the files inside the image actually use.

IP addresses can be assigned together with their network device name, so the address aliases are created automatically on jail start and removed automatically on jail stop.

Ability to create "ZONEs" of identical qjail systems, each with its own group of jails.

A portion of the jail name can be designated as a group prefix, so that the command being executed applies only to jails whose names match that prefix.

Qjail reduces the complexity of jail deployment to the novice level. It has a fully documented manpage written for easy comprehension, with details given to facilitate using qjail's capabilities to the fullest extent possible.

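The page says what qjail does with nullfs, mdconfig and device-bound IP aliases but not how; the script below is an added example, not qjail's own code, that carries out those three mechanisms by hand on FreeBSD so their effect is visible. It assumes a populated read-only base tree at /usr/jails/sharedfs, per-jail roots under /usr/jails and an address spec of the form "device|ip"; the mdconfig, mount, ifconfig and jail steps must run as root.

```shell
#!/bin/sh
# Added example, not qjail's own code: the three mechanisms the page
# credits to qjail, done by hand so their effect is visible. Must run as
# root on FreeBSD. Paths and the "device|ip" spec format are assumptions.
set -eu

BASE=${BASE:-/usr/jails/sharedfs}   # assumed read-only system binaries
JAILS=${JAILS:-/usr/jails}          # assumed parent of per-jail roots

# Split "em0|192.168.1.10" into $dev and $ip; reject malformed specs.
parse_spec() {
    case "$1" in
        *"|"*) ;;
        *) echo "spec must be device|ip" >&2; return 1 ;;
    esac
    dev=${1%%"|"*}
    ip=${1#*"|"}
    [ -n "$dev" ] && [ -n "$ip" ]
}

# Sparse image: the file only consumes blocks actually written, while the
# filesystem inside it caps the total space the jail can fill.
create_image() {   # create_image NAME SIZE   (SIZE such as 2G)
    truncate -s "$2" "$JAILS/$1.img"
    md=$(mdconfig -a -t vnode -f "$JAILS/$1.img")   # prints e.g. md0
    newfs -U "/dev/$md" >/dev/null
    mkdir -p "$JAILS/$1"
    mount "/dev/$md" "$JAILS/$1"
    echo "$md"
}

start_jail() {   # start_jail NAME "device|ip"
    parse_spec "$2"
    mkdir -p "$JAILS/$1/basejail"
    # One shared copy of the system binaries, read-only inside every jail.
    mount -t nullfs -o ro "$BASE" "$JAILS/$1/basejail"
    # Alias bound to the named device, created on start ...
    ifconfig "$dev" alias "$ip" netmask 255.255.255.255
    jail -c name="$1" path="$JAILS/$1" host.hostname="$1" \
         ip4.addr="$ip" command=/bin/sh /etc/rc
}

stop_jail() {   # stop_jail NAME "device|ip"
    parse_spec "$2"
    jail -r "$1"
    # ... and removed on stop, along with the read-only mount.
    ifconfig "$dev" -alias "$ip"
    umount "$JAILS/$1/basejail"
}
```

Because the shared binaries are mounted read-only, a process inside the jail cannot modify them, and the size passed to create_image is the hard ceiling on what that jail can write.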

Full details can be found on the qjail project website.
