A desk­top envi­ron­ment in a jail.

Yeah! Final­ly I got time to fin­ish my work to put a desk­top envi­ron­ment (in this case GNOME) into a jail. At least I have a proof of con­cept (I write this with fire­fox run­ning in my “desk­jail”). No, I don’t do this for addi­tion­al secu­ri­ty (there’s more secu­ri­ty than in a non-jailed set­up, but less secu­ri­ty than in an ordi­nary jail, as you have to allow access to a lot more devices than in an ordi­nary jail), I do this for addi­tion­al flex­i­bil­i­ty: Mov­ing my desk­top is now only the install of FreeB­SD on a new machine and rsync­ing the jail over to it. As the machine will also be a host of sev­er­al jails where I have some com­mon users with the same UID in each jail, I don’t pol­lute the jail-host with the desk­top stuff and I have every­thing nice­ly separated.

With­out a ker­nel patch and good devfs rules you will not get Xorg up and run­ning in a jail (at least I did­n’t man­aged to let it rec­og­nize my graph­ic card with­out the ker­nel patch). Now I have to beef up the patch a lit­tle bit and ask for review (it weak­ens up the secu­ri­ty a lit­tle bit like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).

But first I have to fin­ish the move of all my ser­vices I use at home to the jail-host now.

6 thoughts on “A desk­top envi­ron­ment in a jail.”

  1. Carlos Watson says:

    Hi, Alexan­der I spoke with Dru Lav­i­gne about “Trans­la­tors are vol­un­teers who are inter­est­ed” I inter­ests in that. He send a email about that.

    Best regards,

  2. Pingback: grUNIX » Blog Archiv » ZFS: FreeBSD mit ZFS im BASE
  3. Ian Pulsford says:

    You can at least run a head­less X lis­ten­ing for XDM requests in a jail, I just tried it.

  4. openwiki says:

    Hi Alexan­der,

    I’m cur­rent­ly test­ing also a X desk­top envi­ron­ment in a jail (with­out tcp forwarding).
    I’m fight­ing with devfs.rules.
    Have you a link for ker­nel patch ?

    1. netchild says:

      Have a look at http://www.leidinger.net/FreeBSD/current-patches/ and at the jail-mailinglist, I wrote about the devfs.rules which are need­ed there.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.