Jails for OpenBSD
Since jails have been around for some time, I don't expect OpenBSD to adopt them, but is there a reason why jails have not been added?

OpenBSD's feature set comes from within -- meaning the developers have to be motivated enough to see ideas through to implementation. Few project developers visit this site, so the answers you will get here will be conjecture based on experience & reading OpenBSD's misc@ mailing list.
Having said that, it appears that the chroot(8) + systrace(1) combination is considered good enough that no one is motivated to do more. Numerous threads can be found on misc@ which basically come to the same conclusion:
http://marc.info/?l=openbsd-misc&w=2&r=2&s=jails&q=b
In these misc@ threads, you will find occasional mention of the following project: http://sysjail.bsd.lv/ ...but note there is a statement on their website saying that the project is now dormant.

I read on misc@:
"Jail really is nice, but you can accomplish the same thing when using chroot + systrace if you just want a single running service per virtual jail. You can make it even tighter than a jail. But ok, it is a lot of work, jails make it easy to implement virtual servers. It is a nice feature, but I don't miss it on OpenBSD."
The reason for jails is to run multiple domains on one machine and each jail would be a separate domain, such as example.org, example.com and example.net. If I need to make changes or remove a domain it's simple. I understand how chroot works, but I am using Perl and MySQL for my sites and it is a little work to get that in chroot. According to the above statement chroot + systrace is tighter than jails, but is there an example somewhere of how to use chroot and systrace to make it that way for a specific domain? Also, could I chroot multiple domains, such as /var/www/example.org, /var/www/example.com and /var/www/example.net? Thanks!

http://openbsd.org/faq/faq10.html#httpdchroot
As for tightening down what syscalls are allowed, both Lucas (author of Absolute OpenBSD) and Palmer & Nazario (authors of Securing Architectures with OpenBSD) cover this in the following sets of articles:
# systrace -A /usr/sbin/inetd
The basic question you are asking is how Apache can be made to talk to multiple chroot(8)s. While I suspect the answer will be quite tedious in looking through systrace -A output (which is error-prone & requires constant maintenance...), I would be remiss if I didn't mention three important points:
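The systrace -A workflow mentioned above, carried through as an added example; it is not from the thread, the books cited, or any OpenBSD documentation. The policy excerpt is illustrative only: it shows the rule syntax a reviewer reads, not a complete or tested policy for httpd, and the paths and syscall list are assumptions. One caveat a reader today needs: systrace(1) was removed from OpenBSD in 6.0, so this applies only to releases of the thread's era.

```text
# Step 1: generate a policy automatically (-A) while exercising the service.
#   -d names the directory the policy is stored in.  Drive the service's
#   normal workload against it so every syscall it legitimately needs is seen.
# systrace -A -d /etc/systrace /usr/sbin/httpd

# Step 2: review what was recorded.  systrace names the file after the
#   binary path with slashes replaced by underscores.  Each rule reads
#   "emulation-syscall: condition then action".  Illustrative excerpt only
#   (hypothetical rules, not a real recorded policy):
# cat /etc/systrace/usr_sbin_httpd
Policy: /usr/sbin/httpd, Emulation: native
	native-fsread: filename eq "/var/www/conf/httpd.conf" then permit
	native-fsread: filename match "/var/www/htdocs/*" then permit
	native-fswrite: filename match "/var/www/logs/*" then permit
	native-fswrite: filename match "/*" then deny[enoent]
	native-socket: permit
	native-bind: permit
	native-accept: permit
	native-read: permit
	native-write: permit
	native-close: permit
	native-exit: permit

# Step 3: enforce the reviewed policy non-interactively (-a).  A syscall
#   that matches no rule is denied, which is where the maintenance burden
#   the post warns about comes from: every software update that adds a
#   syscall or touches a new file needs a policy change.
# systrace -a -d /etc/systrace /usr/sbin/httpd
```

The review step is the point of the exercise: an auto-generated policy permits whatever the program happened to do during recording, so rules like the blanket fswrite permit that -A tends to emit should be narrowed by hand (as the example's deny[enoent] catch-all does) before the policy is enforced.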

The jail functionality in FreeBSD required significant kernel changes in almost every area imaginable; it would be difficult to introduce similar functionality in OpenBSD without a developer being really motivated to do so (...and perhaps such changes would be rejected by the other developers anyway).
In OpenBSD, daemons are privilege-separated and use chroot(2) where it's deemed necessary. If you absolutely require that 'domains' be separated, then consider obtaining additional systems. Hope that helps.

My suggestion is skip jails and use appropriate virtualization software.

One's ability to use OpenBSD as a host for virtualization is also impaired; QEMU is the only option available, and due to portability issues the port has been stuck at 0.9.x for some time.

Virtualization has its values, but neither -security- nor -isolation from all problems- are among them. And that is so, whether chroot, jail, virtual machine, or "hypervisor" solution is selected.
Before anyone asks -- yes, even "firmware" hypervisor virtual machine systems, such as those used in mainframe systems since the 1970s, or on large scale Unix servers beginning in the late 1990s. Even today, on the most modern systems, a failure of a component in one virtual machine can require the entire platform be reset, affecting all virtual machines. Firmware in microcode on the hardware platform is still software, written by human beings.

Thanks everyone for your helpful replies.
As mentioned before, I have three personal websites and might add one or two more and prefer to run on my own hardware. That being the case I was looking at OpenBSD as my platform. MySQL is my database for two sites and I run a caching-only name server on the server currently. Since this is personal only I want to run the database and domains on one server. My current platform is OpenSolaris with network virtualization (Crossbow) and zones. Currently I have an nginx reverse proxy that is redirected from ipf. Each domain is in a separate zone. I'm using ipf because OpenSolaris doesn't support pf. I did have VirtualBox running an OpenBSD guest, but when I tried to upgrade to the newest version of VirtualBox I couldn't start any guests, and when I attempted to go back to the previous version I still couldn't get any guests to run. So I'm moving to another platform and would like to use OpenBSD. It seems that using Apache virtual hosts would be the way to go, or would it be possible to chroot nginx and then chroot each domain?

I'm coming from OpenSolaris where I used zones (similar to FreeBSD jails), so chroot is different to me. On OpenSolaris I had an ipf zone to rdr to my nginx reverse proxy zone, which then directed traffic to each specific domain, which had its own zone and own Apache instance. I also had a separate MySQL zone and mail zone. I just want to replicate this somehow on OpenBSD.
Chrooting lighttpd as a reverse proxy and then sending to the chrooted Apache with multiple virtual hosts doesn't sound like it will work either, since a chroot can't talk to other chroots? If I can't chroot lighttpd as a reverse proxy, then how do I direct traffic to multiple domains with chroot?

Because chroot -only- "virtualizes" the filesystem, the network stack is shared.
Without knowing your situation, and only from your brief descriptions here, it appears you are trying to kill a canary with a machine gun. Why not run a single instance of Apache, with multiple virtual hosts, and a single instance of your DBMS? Each virtual host "webserver" can still address a unique table space.
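The layout the last reply recommends (one chrooted Apache, name-based virtual hosts for the three domains named earlier in the thread, one MySQL instance), written out as an added example; this is not configuration from the thread or from OpenBSD's shipped httpd.conf. It is written for the Apache 1.3 httpd(8) OpenBSD shipped at the time, which chroots to /var/www as the FAQ section linked above describes; the directory names and the MySQL socket location are assumptions chosen for illustration.

```apache
# Added example, not the thread's or OpenBSD's own configuration.
# httpd(8) chroots to /var/www after reading this file, so every
# DocumentRoot, log, CGI script and the Perl interpreter those scripts
# need must live beneath /var/www (the usual cause of "it works with -u
# but not without": a path outside the chroot).

NameVirtualHost *:80

# First vhost is the default: requests whose Host header matches none
# of the named sites land here instead of silently being served by
# example.org.  Deny it outright.  (Hypothetical directory name.)
<VirtualHost *:80>
    DocumentRoot /var/www/htdocs/default
    <Directory /var/www/htdocs/default>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName   example.org
    ServerAlias  www.example.org
    DocumentRoot /var/www/htdocs/example.org
    # Per-site CGI tree; Perl scripts here run inside the chroot, so the
    # perl binary and the modules they use must be copied under /var/www.
    ScriptAlias  /cgi-bin/ /var/www/cgi-bin/example.org/
    # Log paths are relative to ServerRoot (/var/www), i.e. inside the chroot.
    ErrorLog     logs/example.org-error_log
    CustomLog    logs/example.org-access_log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName   example.com
    ServerAlias  www.example.com
    DocumentRoot /var/www/htdocs/example.com
    ScriptAlias  /cgi-bin/ /var/www/cgi-bin/example.com/
    ErrorLog     logs/example.com-error_log
    CustomLog    logs/example.com-access_log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName   example.net
    ServerAlias  www.example.net
    DocumentRoot /var/www/htdocs/example.net
    ScriptAlias  /cgi-bin/ /var/www/cgi-bin/example.net/
    ErrorLog     logs/example.net-error_log
    CustomLog    logs/example.net-access_log combined
</VirtualHost>
```

Two things the thread leaves implicit follow from "the network stack is shared": a single MySQL server outside the chroot is reachable from every vhost over TCP on localhost, or over a Unix socket placed beneath the chroot (for instance /var/www/var/run/mysql/mysql.sock, an assumed path) so the chrooted CGI can open it. The "unique table space" per vhost is then a matter of MySQL privileges, not filesystem isolation: give each site its own database and its own account granted only on that database, so a compromised script in one vhost cannot read another site's tables.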