I was talking to somebody at OSCON last week and they made an off-hand comment about using FreeBSD jail to isolate software applications in a development environment.
Being a linux guy, it took a while to sink in that jail was a form of operating system virtualization.
On Linux there are dozens of virtualization options these days, in various states of development, reliability and licensing, but only three of them are Linux “OS virtualization” options: FreeVPS, OpenVZ and Linux-VServer.
Generally Linux virtualization requires a custom kernel with the relevant patches, so installation means building or installing the kernel, rebooting and testing the new kernel – usually a hassle.
FreeBSD has jail, and Solaris has zones.
What’s great about jail is that:
- limits access to filesystem, process space and network
- it’s been built-in since FreeBSD 4.0 – no-hassles, mature feature
- a new jail can be created with one command
- it’s fast – native, not emulated
- it consumes almost no resources – only 6-10MB hard disk space per jail
- it’s simple to use and requires no OS reinstallation or configuration – great for remote boxes
- it’s free.
The downsides of jail are that you can’t run a different version of the OS than the one originally installed, there’s no way to limit the RAM or CPU used by each jail, and daemons should be configured to listen on the appropriate IP addresses instead of 0.0.0.0.
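As an added example (not part of the original post), the script below shows the two hands-on points above: creating a jail with a single jail(8) invocation, and auditing the host for daemons bound to the wildcard address. It assumes the classic FreeBSD jail(8) syntax `jail path hostname ip-number command` and the column layout of `sockstat -4 -l` output; the sample sockstat listing, jail path, hostname and 192.0.2.0/24 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the classic jail(8)
# form "jail path hostname ip-number command" and sockstat(1) columns:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Print the one-line jail(8) command that starts a new jail. A jail needs a
# dedicated address of its own, so the wildcard 0.0.0.0 is refused.
jail_cmd() {
    path=$1; hostname=$2; ip=$3; cmd=${4:-/bin/sh}
    case "$ip" in
        0.0.0.0|"")
            echo "jail_cmd: a jail needs a dedicated IP, not '$ip'" >&2
            return 1 ;;
    esac
    printf 'jail %s %s %s %s\n' "$path" "$hostname" "$ip" "$cmd"
}

# Read "sockstat -4 -l" style output on stdin and print "COMMAND PORT" for
# every listener bound to the wildcard address (*:port). On the host such a
# daemon answers on every jail IP too, so it should be rebound to the host's
# own address before the same port is offered inside a jail.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, a[2] }'
}

# Constructed sample of host sockstat output (not real system data).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   901   5  tcp4   127.0.0.1:25          *:*
www      httpd      1102  3  tcp4   192.0.2.10:80         *:*
root     ntpd       654   20 udp4   *:123                 *:*'

main() {
    echo "command to start the jail:"
    jail_cmd /usr/jails/www www.example.org 192.0.2.10
    echo "host daemons still on the wildcard address:"
    printf '%s\n' "$SAMPLE" | wildcard_listeners
}

main
```

On a real host, replace the embedded sample with `sockstat -4 -l | wildcard_listeners`; anything it reports (here sshd and ntpd) is a host service that needs a `ListenAddress`-style setting pointing at the host IP before a jail can take that port on its own address.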
Originally adding jail support only required changing about 350 lines of kernel code and adding 400 more – not that intrusive.
- Linux-VServer
- wikipedia: FreeBSD jail
- Virtualization with FreeBSD Jails
- wikipedia: Comparison of virtual machines
- ibm.com: Virtual Linux – An overview of virtualization methods, architectures, and implementations
- Virtualization in Xen 3.0
- Installing Linux-VServer
- New virtualization option for Linux: KVM (and Linux virtualization summary)
- KernelTrap: Abusing chroot
- Related Projects to jail and vserver
- ostatic.com: Considering FreeBSD Jails
- FreeBSD 7.2 Review: Improved Virtualization
- iocage – A FreeBSD jail manager (HN comments)
- FreeBSD Jails for Fun and Profit (2020) (HN)
“you can’t run different versions of the OS than what was originally installed”
AFAIK, you can run older versions of FreeBSD in the jail. For example, if you’re running 6.2 in the host, you could run 6.1 in the jail.
Hi James, that must have been me you’re referring to…
Yeah, jails are cool for isolating services and for configuration testing and such. Since it is not really virtualization the way vmware or xen or such are, you have much less overhead. Everything is running on one kernel — the processes inside the jail are just processes that are in a chroot environment and have limited networking. One big thing that is not available is the ability to alter the network stack in any way per jail.
One small correction – it’s been built in since FreeBSD 4.0, not 5.0.
I’ve been using jails for heavily trafficked production servers for years, it’s an awesome solution.
Hi,
Actually a jailed daemon can listen on 0.0.0.0; the kernel will simply remap it to the jail’s IP address.
One point which is worth mentioning as well is that the FreeBSD handbook provides a complete chapter about jails.
Regards,
— Jeremie
It looks like you have a typo, the wikipedia page you linked to says jail was introduced back in FreeBSD 4.0 (backed up by the man page for jail at http://www.freebsd.org/cgi/man.cgi?query=jail)
Wow, you FreeBSD users sure are vocal! I’ll have to post some more on BSD I guess.
Thanks for the tips.
Can we run Linux inside a FreeBSD jail??? Or a different BSD like NetBSD/OpenBSD/etc…???
With OpenVZ (similar, OS-level virtualization), we can run any other Linux inside.
I think that FreeBSD is a great way to get stability and performance, and regarding this it perfectly fits the server market. In addition you can run VirtualBox alongside it if you need an OS other than Linux (e.g. M$). It’s also interesting to learn more about those old days of BSD, how the system runs, etc. I’ve been an Arch Linux user since the good old times and I don’t have any complaints about any of the other Linux distributions I’ve used – most systems worked fine.