A desk­top envi­ron­ment in a jail.

Yeah! Final­ly I got time to fin­ish my work to put a desk­top envi­ron­ment (in this case GNOME) into a jail. At least I have a proof of con­cept (I write this with fire­fox run­ning in my “desk­jail”). No, I don’t do this for addi­tion­al secu­ri­ty (there’s more secu­ri­ty than in a non‐jailed set­up, but less secu­ri­ty than in an ordi­nary jail, as you have to allow access to a lot more devices than in an ordi­nary jail), I do this for addi­tion­al flex­i­bil­i­ty: Mov­ing my desk­top is now only the install of FreeB­SD on a new machine and rsync­ing the jail over to it. As the machine will also be a host of sev­er­al jails where I have some com­mon users with the same UID in each jail, I don’t pol­lute the jail‐host with the desk­top stuff and I have every­thing nice­ly sep­a­rat­ed.

With­out a ker­nel patch and good devfs rules you will not get Xorg up and run­ning in a jail (at least I didn’t man­aged to let it rec­og­nize my graph­ic card with­out the ker­nel patch). Now I have to beef up the patch a lit­tle bit and ask for review (it weak­ens up the secu­ri­ty a lit­tle bit like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).

But first I have to fin­ish the move of all my ser­vices I use at home to the jail‐host now.

Send to Kin­dle

6 thoughts on “A desk­top envi­ron­ment in a jail.”

  1. Hi, Alexan­der I spoke with Dru Lav­i­gne about “Trans­la­tors are vol­un­teers who are inter­est­ed” I inter­ests in that. He send a email about that.

    Best regards,

  2. Pingback: grUNIX » Blog Archiv » ZFS: FreeBSD mit ZFS im BASE
  3. You can at least run a head­less X lis­ten­ing for XDM requests in a jail, I just tried it.

  4. Hi Alexan­der,

    I’m cur­rent­ly test­ing also a X desk­top envi­ron­ment in a jail (with­out tcp for­ward­ing).
    I’m fight­ing with devfs.rules.
    Have you a link for ker­nel patch ?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.