FreeBSD jail vs. User Mode Linux and Linux-vserver
Seth Gordon
sethg at ropine.com
Tue Dec 9 09:33:55 EST 2003
miah:
> As far as FreeBSD Jail, I believe it's similar to UML. You end up
> running a completely virtual system inside the host system, which means
> more stuff to maintain. It's cool if you lack the hardware, but I don't
> see it really gaining you anything. You still need to chroot everything
> inside the jail, and the jail does impose some restrictions, but so does
> linux + grsecurity and a properly configured grsecurity ACL.
>
The main difference (for my purposes) between UML and jail is that with
UML, the virtual server's kernel process is separate from the host's
kernel process; with a jail, there's one kernel running everything. If
people were paying me money for shell accounts in which they needed root
access, I would sleep better using UML. However, from what I've read of
the documentation for both, jail would be easier for me to set up and
administer. (*BSD puts the kernel, libraries, and all the standard Unix
utilities in one big source tree, so "make world DESTDIR=/path/to/jail"
sets up almost everything I would need.)

I'm interested in learning more about mandatory access control systems
(like they have in grsecurity), and I suspect that a well-configured MAC
policy will do everything for security that the virtual servers will do.
However, I want to get virtual servers working first, because they
seem harder for a non-wizard like me to screw up.
--sethg