Hacker News new | ask | show | jobs
by inkyoto 439 days ago
FreeBSD jails are advanced chroot++. Albeit they do set a precedent for a predessor of true containers, they have:

  1. Minimal kernel isolation.

  2. Optional network stack isolation via VNET (but not used by default).

  3. Rudimentary resource controls with no default enforcement (important!).

  4. Simple capability security model.
Most importantly, since FreeBSD was a very popular choice for hosting providers at the time, jails were originally invented to fully support partitioned-off web hosting, rather than to run self-sufficient, fully contained (containerised) applications as first-class citizens.

The claim to have invented true containers belongs to Solaris 10 (not Linux) and its zones. Solaris 10 was released in January 2005.
2 comments
throw0101d 439 days ago
> 3. Rudimentary resource controls with no default enforcement (important!).

Seems pretty extensive to me, including R/W bytes/s and R/W ops/s:

* https://docs.freebsd.org/en/books/handbook/jails/#jail-resou...

* https://klarasystems.com/articles/controlling-resource-limit...

* https://man.freebsd.org/cgi/man.cgi?query=rctl

link
vermaden 439 days ago
I believe you have wrong view of how secure FreeBSD Jails are - definitely a lot more secure the rootless Podman for a start.

Isolation: With rootless Podman it seems to be on the same level as Jails - but only if You run Podman with SELinux or AppArmor enabled. Without SELinux/AppArmor the Jails offer better isolation. When you run Podman with SELinux/AppArmor and then you add MAC Framework (like mac_sebsd/mac_jail/mac_bsdextended/mac_portacl) the Jails are more isolated again.

Kernel Syscalls Surface: Even rootless Podman has 'full' syscall access unless blocked by seccomp (SELinux). Jails have restricted use of syscalls without any additional tools - and that can be also narrowed with MAC Framework on FreeBSD.

Firewall: You can not run firewall inside rootless Podman container. You can run entire network stack and any firewall like PF or IPFW independently from the host inside VNET Jail - which means more security.

TL;DR: FreeBSD Jails are generally more secure out-of-the-box compared to Podman containers and even more secure if you take the time to add additional layers of security.

> How battle-tested are FreeBSD Jails?

Jails are in production since 1999/2000 when they were introduced - so 25 years strong - very well battle tested.

Docker is with us since 2014 so that means about 10 years less - but we must compare to Podman ...

Rootless support for Podman first appeared late 2019 (1.6) so only less then 6 years to test.

That means Jails are the most battle tested of all of them.

Hope that helps.

Regards,

vermaden

link