# Ways to offer user isolation



## j.carney1987 (Oct 30, 2022)

So first off, I used to be a Linux Guru and running a web hosting business for over 5 years, but decided to focus on HVAC engineering for about 6 years which is completely different skill set.  So as a result, I'm very rusty and forgot a lot of what I used to know.

I used to be decent in Perl programming and I'm looking to get back into it.

So what I want to do as a practice and hope that I can get a project group going is build an opensource web hosting control panel that isn't bloated like virtualmin, but would support basic perl, php, mysql.  
With that being said FreeBSD supports those features very well.

Reasons why I want to do this project.
FreeBSD is known to having a solid network stack. 
There is no real good web hosting control panel that is open source other than virtual min that I"m aware of. 
Its a good way to learn FreeBSD and get comfortable with it. 

Previously on Linux I would use things like Jail shell and monitoring scripts to help keep the server secure, but true user isolation became possible with cloudlinux which was based off of the Linux OpenVZ kernel and ran users in their respective containers.

Is there anything similar to that other than jailshell with BSD?

Thanks!


----------



## Alain De Vos (Oct 31, 2022)

There are jails...


----------



## j.carney1987 (Nov 1, 2022)

actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc.  It would have to be installed in his jail.

Correct?


----------



## CyberCr33p (Nov 1, 2022)

j.carney1987 said:


> actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc.  It would have to be installed in his jail.
> 
> Correct?


You can connect them using unix sockets. Also for files you can use nullfs mounts.


----------



## Alain De Vos (Nov 2, 2022)

The purpose of jails is isolation. But the level of isolation is configurable.


----------



## zirias@ (Nov 2, 2022)

j.carney1987 said:


> actual Jails, seems interesting, but if I understand correctly, If a user is running in a jail, he wouldn't have access to say apache, or mysql, etc.  It would have to be installed in his jail.
> 
> Correct?


No. For a database server that multiple users should be able to access, just install it in another jail and allow the network communication in your firewall rules. You could optionally use VNET jails, so every jail has its own network stack. Such a jail is more or less a full user-space virtual machine.

For a webserver, well, what do you want to achieve? If your users should have administrative control over "their" webserver, then sure, install one in every jail. Use some other jail with e.g. nginx as a reverse proxy that's reachable from the internet. If you just want one central webserver and only serve all the users' content, null-mounting all users' "web root" directories to the one jail running the webserver would be the straight-forward option.


----------



## Erichans (Nov 2, 2022)

These may be helpful:

 Chapter 15. Jails
 Virtualise your network on FreeBSD with VNET
 Jails and VNET, a guide
 20 Years of FreeBSD Jails & FreeBSD Mastery: Jails
 Why I prefer thick jails over thin jails
Reading your OP, the last entry in the list, _Why I prefer thick jails over thin jails_ by Dan Langille, may not seem to be of immediate interest. However, when delving into jails it is important to know the difference between _"thin jails"_ and _"thick jails"_, as Dan Langille speaks about why he transitioned from ezjails (ezjail(7)) to iocage jails (iocage(8)) respectively.

If you'd like to have a look at its foundings, _Bryan Cantrill on Jails and Solaris Zones_ - (video & slides) discusses it, based on two important papers:

 Daniel Price and Andrew Tucker - _Solaris Zones: Operating System Support for Consolidating Commercial Workloads_ -- (html) (pdf)
From: LISA'04 - Solaris Zones
 Poul-Henning Kamp and Robert N. M. Watson - _Confining the omnipotent root._
From: Jails – High value but shitty Virtualization


----------

