FreeBSD jail vs. User Mode Linux and Linux-vserver

Seth Gordon sethg at ropine.com
Tue Dec 9 09:33:55 EST 2003


miah:
> As far as FreeBSD Jail, I believe it's similar to UML. You end up
> running a completely virtual system inside the host system, which means
> more stuff to maintain. It's cool if you lack the hardware, but I don't
> see it really gaining you anything. You still need to chroot everything
> inside the jail, and the jail does impose some restrictions, but so does
> linux + grsecurity and a properly configured grsecurity ACL.
> 

The main difference (for my purposes) between UML and jail is that with 
UML, the virtual server's kernel process is separate from the host's 
kernel process; with a jail, there's one kernel running everything.  If 
people were paying me money for shell accounts in which they needed root 
access, I would sleep better using UML.  However, from what I've read of 
the documentation for both, jail would be easier for me to set up and 
administer.  (*BSD puts the kernel, libraries, and all the standard Unix 
utilities in one big source tree, so "make world DESTDIR=/path/to/jail" 
sets up almost everything I would need.)

I'm interested in learning more about mandatory access control systems 
(like they have in grsecurity), and I suspect that a well-configured MAC 
policy will do everything for security that the virtual servers will do.
However, I want to get virtual servers working first, because they
seem harder for a non-wizard like me to screw up.

--sethg



