RECENT POSTS
- Introduction to FreeBSD Security Best Practices
- Working with Package Management in FreeBSD
- Understanding FreeBSD Security Advisories and Updates
- Troubleshooting Common System Administration Issues in FreeBSD
- Tips for Hardening FreeBSD to achieve System Protection
- Setting Up DHCP Server in FreeBSD
- Secure User and Group Management in FreeBSD Systems
- Secure Remote Access with SSH in FreeBSD
- Optimizing System Performance in FreeBSD
- Network Packet Capture with tcpdump in FreeBSD
- All posts ...
Do you have GDPR compliance issues ?
Check out Legiscope a GDPR compliance software, that will save you weeks of work, automating your documentation, the training of your teams and all processes you need to keep your organisation compliant with privacy regulations
Qjail
Jul 20, 2023
Utility to quickly deploy and manage jails
This qjail version only supports RELEASE-11.0 and newer.
Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail system that includes security and performance enhancements. Plus a new level of “user friendliness” enhancements dealing with deploying just a few jails or large scale jail environments consisting of 100’s of jails.
Qjail uses the jail8 jail.conf method. This provides the ability to enable the following options on a per-jail basis. exec.fib, securelevel, allow.sysvipc, devfs_rulesets, allow.raw_sockets, allow.quotas, allow.mount.nullfs, allow.mount.tmpfs, allow.mount.zfs, vnet.interface, and vnet. The vnet option gives a jail its own network stack using the experimental vimage kernel module. The vnet option has only been tested on i386 and amd64 equipment.
Qjail requires no knowledge of the jail command usage. It uses “nullfs” for read-only system executables, sharing one copy of them with all the jails.
Uses “mdconfig” to create sparse image jails. Sparse image jails provide a method to limit the total disk space a jail can consume, while only occupying the physical disk space of the sum size of the files in the image jail.
Ability to assign ip address with their network device name, so aliases are auto created on jail start and auto removed on jail stop.
Ability to create “ZONE”s of identical qjail systems, each with their own group of jails.
Ability to designate a portion of the jail name as a group prefix so the command being executed will apply to only those jail names matching that prefix.
Qjail has been incorporated into the Finch open source project, see http//dreamcat4.github.io/finch/ for details.
Checkout these related ports:
- Zxfer - Easily and reliably transfer ZFS filesystems
- Ztop - Display ZFS dataset I/O in real time
- Zsm - ZFS Snapshot Manager
- Zsd - Destroys ZFS snapshots
- Zrepl - ZFS dataset replication tool
- Zrep - ZFS based replication and failover solution
- Zpool-iostat-viz - ZFS pool I/O latency statistics
- Zoxide - Fast cd alternative that learns your habits
- Zogftw - Creates redundant backups on encrypted ZFS pools
- Znapzend - ZFS-centric backup tool
- Zisofs-tools - User utilities for zisofs
- Zidrav - File corruption detection and repair program
- Zfstools - OpenSolaris-compatible auto snapshotting for ZFS
- Zfsnap2 - Portable performant script to make rolling ZFS snapshots easy
- Zfsnap - Simple sh script to make zfs rolling snaphosts with cron