In recent years, containers and virtualization have become a buzzword in the Linux community, especially with the rise of Docker and Kubernetes. What many people probably don’t realize is that these ideas have been around for a very long time. Today, we will be looking at Jails and how they became part of FreeBSD.

IBM Creates Hardware Virtualization

The idea of virtualization goes all the way back to 1960’s IBM. At that time, IBM offered a series of computer systems. Each system has its own architecture and each following generation was slightly different. This led to customers having trouble keeping up with the updates. So, IBM created the S/360 mainframe system to replace many of their previous systems and offer backward compatibility to the systems they replaced.

After losing a contract because they were “not willing to make a commitment towards a time-sharing computer“, IBM realized that there was a demand for such a computer. So, they created an operating system for the S/360 range of mainframes named CP/CMS. CP stood for Control Program and CMS stood for Console Monitor System. “CMS was a small single-user operating system designed to be interactive. CP was the program which created Virtual Machines. The idea was the CP ran on the Mainframe and created Virtual Machines which ran the CMS; which the user would then interact with.” The first version (imaginatively named CP-40) was only used in the labs. The first stable version of CP/CMS was released in 1972.

CP/CMS handled multiple users differently than other systems of the time. A typical time-sharing computer would split up system memory and resources between all the users. Instead, CP/CMS “allowed each user to have their own complete operating system which effectively gave each user their own computer”. This new virtual machine method was more efficient because the users shared the system resources, instead of having them split up. It also meant that a user would not bring down the entire system if they goofed something up. Just their operating system would be affected.

Be Sure to Eat Your chroot Vegetables

The next evolution on the way to Jails was the creation of chroot or Change Root. According to Marshall Kirk McKusick (one of the early developers of BSD), chroot was created by Bill Joy to create a test build of 4.2BSD. McKusick based this on the SCCS (or Source Code Control System) logs in the system.

However, this appears to be incorrect. According to Warner Losh, chroot was introduced in “7th Edition Unix from Bell Labs” in 1979. 2BSD was released the same year. It appears that the error occurred because the code was moved around in the kernel to “make the system calls more generic”. Michael W Lucas also points to the fact that “the earliest Jail like code appeared between 18 July 1975 and the 7 May 1979 Unix snapshots”.

chroot allows the user to change the root directory of a process and its children. Directories outside of this new root direction are no longer visible to the chrooted processes. According to Poul-Henning Kamp, the creator of Jails, “chroot(2) was never intended to be a security mechanism nor a solid container, it was simply a name-space based hack, but at some point, it was employed as a little bit of both”.

Unfortunately, there were ways for a process to escape chroot “because of some corner-cases of the filesystem”. For example, “if a folder is moved out of the chroot directory, an attacker can exploit that to get out of the chroot directory as well.” Some people believed that chroot offered more security than it did. As Kamp said, “This was, more or less, the state of affairs when the Internet exploded into our homes.”

A Need Arises, Jails is Born

In the late 1990s, Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”

Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.

(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)

Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”

As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”

In fact, he mentioned that several security researchers used jails to create honeypots to track hackers. If a hacker breaks into a jail, “you can stand on the main machine and look into the jail and they will not spot another process in the jail. They won’t be able to see that you are spying on them.”

One of the first uses of Jails was to protect an “often defaced and terribly written web-application”. The web app was put in a jail. There was a process outside of the app monitoring it. If the monitoring process detected the web app has been defaced, the jail was stopped and a new jail was started from a master. “The net effect was that defacements lasted only a few seconds at a time, and after some hours even script-kiddies gets tired of that.”

FreeBSD Jails – Now More Than 20 Years Old

Since the original version introduced in 1999, jails have been extended to support having their own entirely isolated network stack, and improved ability to partition and limit resources. Jails provide a lightweight way to instantiate additional instances of FreeBSD on a single machine, and unlike with virtualization, all unused resources remain in the host system, available to all of the instances.

Like this article? Share it!