Among today's popular virtualization technologies there are, besides heavyweight virtual machines such as VMware and VirtualBox and container engines such as Docker, lightweight solutions such as jail.
Introduction to jail
Jails have been available since FreeBSD 4.X, and their functionality, efficiency, stability and security have been continuously improved since then.
A jail is built on the chroot concept, which changes the root directory of a set of processes. This creates a safe environment that separates those processes from the rest of the system: a process created inside a chroot environment cannot access files or resources outside it, so compromising a service running in a chroot does not by itself let the attacker compromise the whole system. chroot has many limitations, however, and is only suitable for simple tasks that need little flexibility or advanced functionality. Over time, many ways of escaping a chroot environment have been found, so it is no longer an ideal way to secure a service.
Jails improve on the traditional chroot environment in several ways. In a traditional chroot, processes are only restricted in which part of the file system they may access; the remaining system resources, system users, running processes and the network subsystem are shared between the chrooted processes and the host's processes. Jails extend this model by virtualizing access to the file system, the set of users and the network subsystem, with finer-grained parameters to tune what the jail environment may access. Jails can therefore be regarded as operating-system-level virtualization.
The four elements of a jail:
A directory subtree: the starting point of the jail. Once inside the jail, a process is not permitted to leave this directory.
A hostname: used by the jail.
An IP address: assigned to the jail. A jail's IP address is usually an alias address on an existing network interface.
A command: the pathname of the executable to run inside the jail. The path is relative to the jail's root directory.
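The four elements above map directly onto parameters in jail.conf(5). The shell example below is added here and is not from the original page or from any of the managers it lists: it writes a minimal jail.conf for one jail, checks that all four elements are present, and lists the jail(8)/jexec(8) commands that drive the lifecycle on a FreeBSD host. The jail name (www), root directory, hostname, address (192.0.2.10) and interface (em0) are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or from any jail manager.
# Maps the four jail elements onto jail.conf(5) parameters. Jail name, root,
# hostname, address and interface passed in below are illustrative values.

# Write a minimal jail.conf for one jail.
# Arguments: output file, jail name, root directory, hostname, IPv4 address,
# interface on which jail(8) should create the alias.
write_jail_conf() {
    out="$1"; name="$2"; root="$3"; host="$4"; addr="$5"; iface="$6"
    cat > "$out" <<EOF
# Defaults applied to every jail defined in this file.
exec.clean;                               # start with a clean environment
mount.devfs;                              # restricted devfs inside the jail
devfs_ruleset = 4;                        # devfsrules_jail, /etc/defaults/devfs.rules
exec.start = "/bin/sh /etc/rc";           # 4. the command, relative to the jail root
exec.stop  = "/bin/sh /etc/rc.shutdown";

$name {
    path = "$root";                       # 1. the subtree the jail is confined to
    host.hostname = "$host";              # 2. the hostname
    interface = "$iface";                 # 3. jail(8) adds/removes the alias here
    ip4.addr = "$addr";                   #    the IP address assigned to the jail
}
EOF
}

# Check that a jail.conf carries all four elements for the named jail.
# Returns 0 when complete; otherwise prints the missing parameters and returns 1.
check_jail_conf() {
    conf="$1"; name="$2"
    block=$(sed -n "/^$name {/,/^}/p" "$conf")
    missing=""
    for key in path host.hostname ip4.addr; do
        printf '%s\n' "$block" | grep -q "^[[:space:]]*$key[[:space:]]*=" \
            || missing="$missing $key"
    done
    # exec.start may sit in the global section, so look at the whole file.
    grep -q '^[[:space:]]*exec.start[[:space:]]*=' "$conf" \
        || missing="$missing exec.start"
    [ -z "$missing" ] || { printf 'missing:%s\n' "$missing"; return 1; }
    return 0
}

# Lifecycle on a FreeBSD host (needs root; shown here, not executed):
#   jail -f /etc/jail.conf -c www     # create and start the jail
#   jls                               # list running jails: JID, IP, hostname, path
#   jexec www /bin/sh                 # run a command inside the jail
#   jail -f /etc/jail.conf -r www     # stop and remove it
```

The interface parameter is what makes jail(8) add and remove the alias address itself, which is the "alias on an existing interface" the third element refers to. A VNET jail (see the VNET row in the comparison table further down) gets its own network stack instead and would use vnet and vnet.interface rather than ip4.addr.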
Jail managers
On FreeBSD there are several jail managers:
Name | License | Package | Documentation | Last updated | GitHub
---|---|---|---|---|---
BastilleBSD | BSD-3 | sysutils/bastille | Documentation | 2023.11 | GitHub - BastilleBSD/bastille: Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
pot | BSD-3 | sysutils/pot | Documentation | 2023.12 | GitHub - bsdpot/pot: pot: another container framework for FreeBSD, based on jails, ZFS and pf
cbsd | BSD-2 | sysutils/cbsd | Documentation | 2024 | GitHub - cbsd/cbsd: Yet one more wrapper around jail, bhyve, QEMU and XEN
AppJail | BSD-3 | sysutils/appjail, for devel sysutils/appjail-devel | Documentation | 2024 | GitHub - DtxdF/AppJail: Simple and easy-to-use tool for creating portable jails.
iocage | BSD-2 | sysutils/iocage | Documentation | 2023.12 | https://github.com/iocage/iocage
ezjail | Beer Ware | sysutils/ezjail | Documentation | 2015.6 |
There is also ocijail:
https://github.com/dfr/ocijail
Several of the more popular managers are introduced individually below.
cbsd
cbsd can manage both jails and bhyve ("Yet one more wrapper around jail, bhyve, QEMU and XEN"); code: GitHub - cbsd/cbsd: Yet one more wrapper around jail, bhyve, QEMU and XEN. The author also has a page on their answer to Docker: CBSD — FreeBSD Jail and Bhyve Management Tools
BastilleBSD
BastilleBSD manual: Bastille — Bastille 0.10.20231125-beta documentation; code: GitHub - BastilleBSD/bastille: Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
AppJail
AppJail is an open-source BSD-3 licensed framework entirely written in POSIX shell and C to create isolated, portable and easy to deploy environments using FreeBSD jails that behave like an application. Manual: AppJail Handbook
Source: GitHub - DtxdF/AppJail: Simple and easy-to-use tool for creating portable jails.
AppJail's distinctive feature is a jail type called tiny, which needs only the files a given program (C code) requires. It also supports Linux jails (LinuxJails).
Comparison table of several managers from the AppJail homepage
cbsd is missing from it; all the others are present, and by this table AppJail looks the most capable.
Feature | AppJail | bastille | pot | iocage | ezjail
---|---|---|---|---|---
ZFS support | supported | supported | required | required | supported
Language | C, Bourne Shell | Bourne Shell | Rust, Bourne Shell | Python | Bourne Shell
Automation | Makejail, Initscripts, Images | Templates | Flavours, Images | Plugins | Flavours
Jail Type | clone, copy, tiny, thin, thick, empty, linux+debootstrap | thin, thick, vnet, Linux, empty | thick | clone, basejail, template, empty, thick | basejail
VNET | Supported | Supported | Supported | Supported | Not Supported
Dynamic firewall | Yes | Requires a loopback interface | Yes | No | No
Resource control | Full support | Yes, but it does not support statistics and all rctl(8) actions and does not support actions by rule | Basic: CPU and memory only | Legacy only | Not Supported
CPU Sets | Yes | No | Yes | Yes | Yes
IPv6 support | Yes (+SLAAC) | Yes | Yes | Yes | Yes
Linux containers | Yes | Yes | ?? | Yes | ??
Dynamic DEVFS Ruleset Management | Yes | No | No | No | No
Network management | Virtual networks, Bridges | No | Subnet, requires sysutils/potnet | No | No
Jail dependency | Yes | No | Yes | Yes | No
Supervisor | Yes (Healthcheckers) | No | No | No | No
Log management | Yes | No | No | No | No
Parse jail.conf(5) file for syntax errors | Yes | Not supported | Yes | Yes | Yes
Volume management | Yes | No | Basic, only supported when using the fscomp feature | Basic | No
Parallel startup | Yes (Healthcheckers, jails & NAT) | No | No | No | No
Netgraph | Yes | No | No | No | No
Startup order control | Yes | Yes, but without priorities | Yes, but without priorities | Yes | Yes, using rcorder(8)
X11 support | Yes | No | No | No | No
import/export | Yes | Yes | Yes | Yes | Yes
Troubleshooting
bastille error
```
bastille bootstrap release update freebsd
$bastille_zfs_enable is not set properly - see rc.conf(5).
ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)
y
$bastille_zfs_enable is not set properly - see rc.conf(5).
Usage: bastille bootstrap [release|template] [update|arch]
```
I don't know how to use it...
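The two messages in the transcript above come from different places, which is worth knowing before retrying. The line `$bastille_zfs_enable is not set properly - see rc.conf(5).` is the exact warning that rc.subr(8)'s checkyesno() prints when a variable holds neither a yes-value (YES, TRUE, ON, 1) nor a no-value (NO, FALSE, OFF, 0); an unset or empty bastille_zfs_enable in /usr/local/etc/bastille/bastille.conf triggers it, and the follow-up question confirms Bastille is comparing it against zfs_enable in rc.conf. On a ZFS host the fix is to set bastille_zfs_enable=YES and bastille_zfs_zpool=<pool> in bastille.conf, e.g. with sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES. The Usage line is a separate problem: per that line, the first argument of bootstrap is a release name (for example 14.0-RELEASE, a placeholder here), optionally followed by update, and the trailing word freebsd is not accepted. The shell block below is an added example and not Bastille's or FreeBSD's own code: check_yesno re-implements the rc.subr check so the warning can be reproduced anywhere, set_conf_var does what sysrc does using only POSIX tools, and bastille_zfs_ok applies the check to a given conf file. The conf contents in the test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Bastille's or FreeBSD's own code. Reproduces the
# "$var is not set properly - see rc.conf(5)." warning from rc.subr(8)'s
# checkyesno() and shows the configuration change that silences it.
# The default bastille_zfs_enable="" assumed in the demo is an assumption.

# Re-implementation of rc.subr(8) checkyesno(): returns 0 for yes-values,
# 1 for no-values, and 1 plus the rc.conf(5) warning for anything else
# (including an empty string, which is what the transcript shows).
check_yesno() {
    eval _value=\$"$1"
    case "$_value" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) return 1 ;;
    *)  printf '$%s is not set properly - see rc.conf(5).\n' "$1" >&2
        return 1 ;;
    esac
}

# Set var="value" in a shell-style conf file, replacing an existing assignment
# or appending one. This is what sysrc -f FILE var=value does on FreeBSD.
# Arguments: file, variable name, value.
set_conf_var() {
    file="$1"; var="$2"; val="$3"
    if grep -q "^${var}=" "$file" 2>/dev/null; then
        sed -i.bak "s|^${var}=.*|${var}=\"${val}\"|" "$file" && rm -f "$file.bak"
    else
        printf '%s="%s"\n' "$var" "$val" >> "$file"
    fi
}

# Load a conf file in a subshell and run the same check Bastille runs on
# bastille_zfs_enable. Returns 0 only when it is a yes-value.
bastille_zfs_ok() {
    ( . "$1"; check_yesno bastille_zfs_enable )
}

# Demo: reproduce the warning, then apply the fix.
# On a real host the file is /usr/local/etc/bastille/bastille.conf.
demo() {
    conf=$(mktemp)
    printf 'bastille_zfs_enable=""\n' > "$conf"   # constructed: the unset default
    bastille_zfs_ok "$conf" || echo "before fix: ZFS support disabled/unset"
    set_conf_var "$conf" bastille_zfs_enable YES
    set_conf_var "$conf" bastille_zfs_zpool zroot  # zroot is a placeholder pool
    bastille_zfs_ok "$conf" && echo "after fix: bastille_zfs_enable=YES"
    rm -f "$conf"
}
```

Run demo on any POSIX shell to see the warning appear once and then disappear. With the ZFS setting fixed, retry bootstrap with a concrete release name, e.g. bastille bootstrap 14.0-RELEASE update (version is a placeholder; pick the release the host should run).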