jail(8)
Hacking UNIX with FreeBSD jail(8), Secure Virtual Servers
Presentation for DefCon 14, by Isaac Levy, (.ike)

.ike Context
• I have used jails extensively for web
application servers and software
development purposes

• the methodology I’m presenting here is
attempting to be ‘stock’ UNIX (no ‘ike-
specific’ magic formulas)

• I am not a jail author, no commit bit...

Warranty / Announcement
• I’ll be out and about later if anyone has
more complex questions or strategies
they want to discuss

• I’m *trying* to stick to classic UNIX
process and ideas, and ‘stock’
methodology (no ike-specific magic)

• I’m assuming you all know your way
around various *NIX Operating Systems

complexity. scale. patterns. (a big picture exercise)

Film: Powers of Ten, 1977, Charles and Ray Eames
http://www.powersof10.com/
http://www.youtube.com/watch?v=4i6B7HzijSo

[Diagram: the FreeBSD filesystem tree, nested inside BSD, UNIX, the Internet and the universe (according to ike, today)]

[Diagram: Open Systems Interconnection (OSI) Reference Model, layers 1 to 7 with example protocols and media]

yadda yadda.

[Diagram: UNIX: devices, kernel, userland]

[Diagram: Spiral Galaxy NGC 1232 beside the UNIX filesystem tree]
Our world is complex (thx Dan Geer & ShmooCon).

[Diagram: Helium Atom beside UNIX: devices, kernel, userland]
Our world is simple too.

[Images: Julia set, Mandelbrot Fractal]

[Diagram sequence: zooming into the jails directory of the FreeBSD filesystem tree, down to virtual UNIX’s]

You get the idea-

So what real-world contexts
warrant virtualizing the
ENTIRE operating system?

• external security threats
• development messes

Mutually Untrusted Users
• telnet forever!
• login:admin su pass:love 24/7 ?
• You run *WHAT* as CGI?
• programs are users too...
• muscle memory kills!

Harmony.

Once upon a time... wasn’t UNIX *fun*?
http://mckusick.com/beastie/

maintaining old junk?
Rack full of stuff
Example:
• 3 webservers
• 1 local-use dns cache
• fileserver (for 2 people)
• 2 dev servers

Rack full of stuff becomes 1u server! jail(8)!
[Diagram: one Jailing Server hosting Jail 1 through Jail 7 (3 webservers, 1 local-use dns cache, fileserver for 2 people, 2 dev servers), each a full userland under host:/path/to/jaildir/ with its own 192.168.1.x address and /dev/null in place of a kernel]

jail(8)

Definitions
• what is a jail(8):
  • a user space utility, like ifconfig(8)
  • produces a virtual system image
  • process tree based
• what is jail(2):
  • a system call to imprison a process
  • it calls chroot and attaches to IP
  • a very few lines of source code!

Definitions
• what jail is not:
  • it is not a classical machine emulator
  • it is not chroot (‘jail’ vocabulary is commonly misused with other *NIX cultures)

Great Uses for jail(8)
• hardware resource sharing, an entire OS can be dedicated to a given service
• securely separate untrusted users/processes
• learning/development/testing/hacking
• insane high availability possibilities
• honeypots
• highly vulnerable network services

Poor Uses for jail(8)
• kernel access (you don’t get a kernel)
• limited network interface access
• limited device driver access
• when chroot(8) will simply do the job
• some applications require particular low-level system calls:
  • Notably, PostgreSQL doesn’t run (securely) in jails based on SysV IPC

How To jail(8)
• DEFINITIVE instructions in jail man pages.
1. compile a FreeBSD userland from source somewhere on host machine, minor tweaks.
2. create an IP alias on a network interface
3. run the jail(8) call with the IP, and userland, to ‘boot’ the jail (so to speak).

[Diagram: Practical Comparison: the host FreeBSD filesystem tree beside the jail tree at host:/path/to/jaildir/, where the jail has /dev/null in place of a kernel]

making a jail

Host Machine

preflight (simple)
1. get source to build with (cvsup is great)
2. make somewhere for the jails to live (partitions, disk mounts, etc...)
3. make somewhere for jail-related start/mgmt scripts to live (starting jails from /etc/rc.d/jail can thrash violently in most contexts! Bad!)

preflight (man, definitive)

preflight (build from src)
[Diagram: the host tree with the jails directory used as $D]

preflight (build from src): compile!
[Diagram: host:/path/to/jaildir/ filling in with the built userland]

preflight (mount /dev)

preflight (null kernel)
[Diagram: host:/path/to/jaildir/ now with a populated dev]

preflight
• Common Question:
• Why isn’t there an automated build system for this stage?
• Take care with the build procedure, once you have basics setup, it’s better to automate things later.
• (network, users, time, packages, etc.)

preflight (config host)
jailinghost:/etc/rc.conf (stock)

preflight (config host)
jailinghost:/etc/rc.conf

preflight (master system)
jailinghost:/etc/ssh/sshd_conf

configure - call jailed sh
(analogous to booting a machine in su mode)
• configure the jail, inside the jail
• sysctl, whee!
• root pw
• add users
• set timezone
• network options...
• run ssh, important
• check rc.conf in jail
• jail-specific stuff (just use common sense)
• we’re finished configuring jailed system!

[Diagram: host:/path/to/jaildir/ with its configured etc, including rc.d, and interface re0]

configure - assign ip alias (use ifconfig)
• ip for the jail
• original ip for the host machine

configure - call jailed sh
(analogous to booting a machine in su mode)

[Diagram: host:/path/to/jaildir/ attached to interface re0, with 192.168.1.x addresses for the host and the jail]

start
• tangent! (script). remember how I said rc.d is usually a bad idea?
• we’re gonna start the jail manually here...
• type some random junk to seed entropy.
• jail finished starting

running
• jls(8) lists running jails, gives a jail ID

using the jail
• ssh into the jail, treat it like a server.

inside the jail
• just like any new server
• you have root!
• how do you know you are inside a jail? http://www.freebsd.org/cgi/query-pr.cgi?pr=95977 ...will explain this url later.

stop and start jail
• exit the jail. (ssh)
• look at jailed processes (man page goodies)
• use killall with -j flag
• watch out for stacking mount points!
• restarting with the script this time.
• now the jid has incremented once, to 6

running processes
• jexec to check processes (bad idea, in practice)

[Diagram: Practical Comparison: the host filesystem tree beside the jail tree at host:/path/to/jaildir/]

Process Tree: JailingServer
\_init
  \_daemon/process etc...
  \_jail (Jail 1)
    \_daemon/process etc...
  \_jail (Jail 2)
    \_daemon/process etc...
  \_jail (Jail 3)
    \_daemon/process etc...
  \_jail (Jail 4)
    \_daemon/process etc...

[Diagram: host and jail trees side by side, highlighting user, root and proc in each]

jail(8) best practices
diagrams from “A City is Not A Tree”, essay by urban designer Christopher Alexander

...and opportunities.

break out of jail?
• Poul-Henning Kamp (PHK) wrote the jail feature for R&D Associates http://www.rndassociates.com/ who contributed it to FreeBSD around 1998.
• To my knowledge, nobody has broken out of a jail directly, ever. It is however assumed that nobody has tried that hard yet, as it is still considered ‘esoteric’.
• If someone breaks jail, PHK wrote that he would love to know about it.

best practices
• ssh into jails to manage their processes!!!!
• You always can see the jailed filesystem/userland from host server, be careful...
• Use your highest secure practices for host server.
• Design your jailing system carefully, be creative with core UNIX utilities.

great utilities
• 4.x onward: builtin ps, kill
• !plus jls(8), jexec(8), jattach (2)
• handy: pstree, xtail, jkill, jps, jtop
• 5.x, 6.x: sysctl features for jailing
• additionally, disk images via mdconfig
• Design your jailing system carefully, be creative (note about nullfs, devfs)

common weak points
• lost jail?
  • [hostname lockdown]
• resource attacks
  • disks full
    • [partitions, disk images]
  • fork bombs, memory hogs
    • [securelevels, login.conf]
• process control
• direct driver access
  • [flags to mount devfs, procfs]

[Diagram: Comments on Isolation: the host FreeBSD filesystem tree beside the jail tree at host:/path/to/jaildir/]

memory/process attacks
• fork-bombs, FreeBSD SecureLevels/maxproc, and process control
• reality. OpenRoot Project.
• http://www.samag.com/documents/s=1151/sam0105d/0105d.htm
• http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/jail.html

memory/process attacks
(check the Defcon 14 CD)
# hog.c, a small utility to hog system memory
# written by Brian Redman (BER) sometime around 1986
# Basic Instructions,
# Compile this code to a binary: cc hog.c -o hog
# then run something like: hog 10
# and the hog will do just that, sit and hog 10mb of ram.
# To run a hog stampede, (a fork bomb): while (1) hog 99m& end

memory/process attacks
(check the Defcon 14 CD)
# STEP 1)
# jailed /etc/login.conf file, example of restricted values:
:maxproc=30:\
:memoryuse=25M:\
# STEP 2)
# Set immutable flags on jailed /etc/login.conf, example:
chflags schg $D/etc/login.conf
# STEP 3)
# Set a higher securelevel on a per-jail basis
# (5.x onward. 4.x jailing only securelevels for entire host)
# add the following line to the jailed /etc/sysctl.conf:
kern.securelevel=2
# securelevel 1 is minimum, read the man page for securelevel
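A check that a jail userland actually carries the STEP 1 to STEP 3 settings, as an added example that is not from the talk or the Defcon CD. The function names, the choice of the "default" login class and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the talk): audit a jail userland directory for the
# STEP 1-3 settings. Function names and the sample files are assumptions.

# Print capability $2 (e.g. maxproc) of the "default" class in login.conf $1.
# A class record starts in column 1 and continues on ":cap=value:\" lines.
login_cap() {
    [ -r "$1" ] || return 0
    awk -v cap="$2" '
        /^[ \t]*#/ { next }                                  # comment line
        /^[^ \t:]/ { in_default = ($0 ~ /^default[:|]/) }    # a new record begins
        in_default {
            n = split($0, f, ":")
            for (i = 1; i <= n; i++)
                if (index(f[i], cap "=") == 1) { print substr(f[i], length(cap) + 2); exit }
        }' "$1"
}

# Print the last kern.securelevel value assigned in sysctl.conf file $1.
conf_securelevel() {
    [ -r "$1" ] || return 0
    awk '{ sub(/#.*/, "") }
         /^[ \t]*kern\.securelevel[ \t]*=/ { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v) }
         END { if (v != "") print v }' "$1"
}

# Audit jail root $1; print one line per check, return 1 if any check fails.
audit_jail_limits() {
    D=$1; rc=0
    for cap in maxproc memoryuse; do                        # STEP 1
        val=$(login_cap "$D/etc/login.conf" "$cap")
        case ${val:-unset} in
            unset|unlimited|infinity) echo "FAIL login.conf default class: $cap is ${val:-unset}"; rc=1 ;;
            *) echo "ok   login.conf default class: $cap=$val" ;;
        esac
    done
    if [ "$(uname -s)" = FreeBSD ]; then                    # STEP 2, flags need ls -lo
        ls -lo "$D/etc/login.conf" 2>/dev/null | grep -q schg ||
            { echo "FAIL login.conf: schg flag not set"; rc=1; }
    fi
    lvl=$(conf_securelevel "$D/etc/sysctl.conf")            # STEP 3
    case ${lvl:-unset} in
        unset|-1|0) echo "FAIL sysctl.conf: kern.securelevel is ${lvl:-unset}, want 1 or higher"; rc=1 ;;
        *) echo "ok   sysctl.conf: kern.securelevel=$lvl" ;;
    esac
    return $rc
}

# Constructed sample: write a minimal hardened jail /etc under directory $1.
make_sample_jail() {
    mkdir -p "$1/etc"
    printf 'default:\\\n\t:maxproc=30:\\\n\t:memoryuse=25M:\\\n\t:umask=022:\n' > "$1/etc/login.conf"
    printf 'kern.securelevel=2   # constructed sample\n' > "$1/etc/sysctl.conf"
}
```

Run `audit_jail_limits /path/to/jaildir` from the host after sourcing the file; the schg check only runs on FreeBSD, where `ls -lo` shows file flags.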

honeypot?
compile and give the jail a kernel, fix sysctl:
http://www.freebsd.org/cgi/query-pr.cgi?pr=95977

disk resource control
• Put at least your jailed systems on a separate partition, or perhaps each jail (rigid in practice)
• File-Backed Disk Images (mdconfig, in handbook), insanely flexible, but take extra memory (usually negligible)

file-backed disks (.dmg)
• WOW, they’re convenient. here’s where Jailing strategies from 4.x come in handy...
• watch out for device numbering (or things get lost), unless someone has a better way of managing device nodes
• speed is getting excellent for file-backed memory disks, but will always introduce some overhead in file I/O

file-backed disks (.dmg)
FreeBSD handbook has tons more information!
# writing 1gb blank file, (analogous to creating an unformatted harddrive)
dd if=/dev/zero of=1gb.img bs=1k count=1024k
# attaching the file (analogous to attaching a harddrive),
mdconfig -a -t vnode -f 1gb.img -u 1101
# formatting the disk,
disklabel -r -w md1101 auto
# detaching the disk (analogous to ejecting a harddrive),
mdconfig -d -u 1101

file-backed disks (.dmg)
mount disks when starting jails,
<snip - jail start script>
mdconfig -a -t vnode -f /path/to/jaildisk_file.dmg -u 200
mount /dev/md200c /path/to/jail_userland_mount_dir
# regarding '-u 200' above, it can be handy to use some
# variant of a jail's respective IP address for its disk
# image device node id, so it's easy to track down on host
# system with many jailed servers.
# later in script,
jail /path/to/jail_userland_mount_dir \
hostname.fqdn.com \
10.0.1.200 \
/bin/sh /etc/rc
</snip>

automation
• Tarball packaging is your friend, simple, clean, reliable. be aware of dev/proc mounts, be aware of symlinks
• use FreeBSD Ports Mechanism! (not for the ports collection, that’s insanely presumptuous, [borderline irresponsible])
• CVS/SVN anyone?

upgrading jailed systems
• Simply use buildworld, (FROM HOST SYSTEM).
• toss buildworld DESTDIR flag, with a jail’s userland path
• follow the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

/etc/sysctl.conf (host)
(check the Defcon 14 CD)
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

# ikenote jailing additives
security.jail.set_hostname_allowed=0 # default = 1 # jailed resetting hostname.
security.jail.socket_unixiproute_only=1 # default = 1 # access to routing sockets.
security.jail.sysvipc_allowed=0 # default = 0 # SysV shared mem? Ha!
security.jail.enforce_statfs=2 # default = 2 # mount point info.
security.jail.allow_raw_sockets=0 # default = 0 # for ping, etc.
security.jail.chflags_allowed=0 # default = 0 # root less than root.

sysctl (stock values)
(check the Defcon 14 CD)
$ sysctl -a | grep jail
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 0
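A drift check for the host's security.jail.* values, as an added example that is not from the talk or the Defcon CD. The baseline is the set of values from the host sysctl.conf slide; the name jail_sysctl_drift and the sample output are assumptions.

```sh
#!/bin/sh
# Added example (not from the talk): report security.jail.* settings that differ
# from the host sysctl.conf values on the slide. Names here are hypothetical.

JAIL_BASELINE="security.jail.set_hostname_allowed=0 \
security.jail.socket_unixiproute_only=1 \
security.jail.sysvipc_allowed=0 \
security.jail.enforce_statfs=2 \
security.jail.allow_raw_sockets=0 \
security.jail.chflags_allowed=0"

# Read "name: value" lines (sysctl -a) or "name=value" lines (sysctl.conf) on
# stdin. Print one line per baseline key that is missing or differs, and
# return 1 when anything was reported.
jail_sysctl_drift() {
    awk -v baseline="$JAIL_BASELINE" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) { split(b[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        { sub(/#.*/, "") }                                   # drop trailing comments
        match($0, /^[ \t]*security\.jail\.[a-z_]+[ \t]*[:=]/) {
            key = substr($0, 1, RLENGTH - 1); gsub(/[ \t]/, "", key)
            val = substr($0, RLENGTH + 1);    gsub(/[ \t]/, "", val)
            have[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
                else if (have[k] != want[k]) { printf "DRIFT   %s=%s (want %s)\n", k, have[k], want[k]; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample of `sysctl -a | grep jail` output: sysvipc_allowed has been
# switched on and chflags_allowed is absent.
SAMPLE_SYSCTL='security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0
security.jail.jailed: 0'

printf '%s\n' "$SAMPLE_SYSCTL" | jail_sysctl_drift || true
```

On a jailing host the same function takes live input: `sysctl -a | grep jail | jail_sysctl_drift`.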

firewalls (quick comment)
• context:
• why jail in the first place again?
• threats affect an entire host server
• firewall at a higher level (mental shift to treat
the host like a network gateway!)

• global system firewalling, throttling
• different boxes? different rules?

Start Script w/ Disk Image
(check the Defcon 14 CD)
#!/bin/sh

# simple, complete script to start a jail.

# define the absolute path to the jail,
J=/usr/local/jails/jailed.userland.directory

# define the ip address for the jail,
I=10.0.1.192

# define a hostname,
H=fqdn.com

ifconfig en0 inet alias $I/32

mount -t procfs proc $J/proc
mount_devfs devfs $J/dev
## add additional flags to mount_devfs, to hide unnecessary devices!!!
## check the man page for mount_devfs

jail $J $H $I /bin/sh /etc/rc
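The start script mounts procfs and devfs unconditionally, so running it twice stacks mount points, the gotcha named on the stop and start slides. The guard below is an added example, not part of the script on the Defcon CD; mount_depth, mount_once, umount_all, MOUNT_TABLE_CMD, RUN and the sample mount table are assumptions.

```sh
#!/bin/sh
# Added example (not from the talk): keep the start script's mounts from stacking.
# All function and variable names below are assumptions.

: "${MOUNT_TABLE_CMD:=mount}"   # command that prints the mount table
: "${RUN:=}"                    # set RUN=echo to dry-run instead of mounting

# Count entries for mount point $1 in mount(8) output on stdin. FreeBSD prints
# "devfs on /jail/dev (devfs, local)", so field 3 is the mount point.
# Mount points containing whitespace are not handled.
mount_depth() {
    awk -v mp="$1" '$2 == "on" && $3 == mp { n++ } END { print n + 0 }'
}

# usage: mount_once <mountpoint> <mount command and arguments>
# Mounts only when nothing is there yet, and refuses to touch a stack.
mount_once() {
    mp=$1; shift
    depth=$($MOUNT_TABLE_CMD | mount_depth "$mp")
    case $depth in
        0) $RUN "$@" ;;
        1) echo "skip: $mp already mounted" ;;
        *) echo "error: $mp is stacked $depth deep, clean up first" >&2; return 1 ;;
    esac
}

# Unmount $1 once per stacked layer, for the stop script.
umount_all() {
    depth=$($MOUNT_TABLE_CMD | mount_depth "$1")
    while [ "$depth" -gt 0 ]; do
        $RUN umount "$1" || return 1
        depth=$((depth - 1))
    done
}

# Constructed mount table: j1/proc was mounted twice by two start attempts.
sample_mount_table() {
    cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
devfs on /usr/local/jails/j1/dev (devfs, local)
procfs on /usr/local/jails/j1/proc (procfs, local)
procfs on /usr/local/jails/j1/proc (procfs, local)
EOF
}

# In the start script above the two mounts would become:
#   mount_once "$J/proc" mount -t procfs proc "$J/proc"
#   mount_once "$J/dev"  mount_devfs devfs "$J/dev"
```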

jail crontab misc...
(check the Defcon 14 CD)

# comment out the following, just to keep syslog quiet for irrelevant items.

# Save some entropy so that /dev/random can re-seed on boot.
# */11 * * * * operator /usr/libexec/save-entropy

# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time. See adjkerntz(8) for details.
# 1,31 0-5 * * * root adjkerntz -a

future directions, important fun:
• CARP, from PF/OpenBSD
• GEOM
• NFS Improvements
• more NAS/SAN support (GEOM, ggated)
• FreeBSD 4.x, 5.x, 6.x, (7x!)

sick possibilities... fun with failover jails. CARP, GEOM Gate...
[Diagram: two net uplinks into switch1 and switch2, carp1 through carp4, eight application servers, switchA and switchB, NAS safe storage]

misc
• Compile md(4) into the kernel for File-Backed Disks, for better performance
• GOTCHA: rm a jail directory? chflags -R noschg jaildir

Stillborn. Suggestions?

Special Thanks:
• Poul-Henning Kamp wrote the jail feature for R&D Associates http://www.rndassociates.com/ who contributed it to FreeBSD around 1998.
• Robert Watson wrote the extended documentation, found a few bugs, added a few new features, and cleaned up the userland jail environment.
• wintermute (of iMeme), taught me to jail(8).
• reality schooled me more BSD than he knows.
• He’s here somewhere... buy him a drink.

ike is proud to be a part of the New York City *BSD Users Group, and the Lower East Side Mac Unix Users Group

isaac@diversaform.com