One thing I find so valuable about jails is the ability to jail <i>a single command</i> with no other userland than what that binary requires.<p>Here's an example from my personal name server:<p><pre><code> /usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.conf
</code></pre>
... and although this jail has a lot of <i>content</i> files in it, the actual UNIX userland is only what is required to run 'lighttpd':<p><pre><code> # find /jails/www/usr | wc -l
43
</code></pre>
So it's an extremely lightweight environment with very little attack surface.<p>You can also <i>share a lightweight environment with multiple commands</i> - here are two other jail commands:<p><pre><code> /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.conf
/usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.conf
</code></pre>
... see how <i>both</i> jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland? Once again, that userland is very, very compact:<p><pre><code> # find /jails/dns/|wc -l
97
</code></pre>
... so, 97 files total to run both name servers.<p>No 'make world' necessary, no building and maintaining of a full FreeBSD system - just the lightest skeleton required for both 'nsd' and 'unbound'.
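An added example (not the commenter's own setup) of how such a skeleton can be assembled: parse `ldd` output for the binary, copy only the binary and the objects it actually resolves under the jail root, and start the single-command jail with the same jail(8) invocation style used above. It assumes the "name => /path" ldd output format and that the binary keeps the same path inside the jail as on the host; the ldd sample in the script is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not the commenter's own setup): assemble the smallest
# userland a single dynamically linked binary needs, then jail that one
# command with the same jail(8) invocation style shown in the thread.
set -eu

# Constructed ldd output used for offline testing (FreeBSD format).
sample_ldd_output() {
    printf '/usr/local/sbin/lighttpd:\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x1)\n'
    printf '\tlibmissing.so => not found\n'
    printf '\t/libexec/ld-elf.so.1 (0x2)\n'
}

# Read ldd output on stdin and print only real, resolved paths:
# "name => /path" lines, plus a bare "/path" line (the run-time linker).
# The "program:" header, "not found" entries and vdso-style lines
# carry no file to copy and are dropped.
lib_paths_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\//        { print $3 }
         $2 != "=>" && $1 ~ /^\/[^:]*$/  { print $1 }'
}

# Copy one file into the jail root, keeping its directory layout and mode.
install_into_root() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Populate $root with $bin and everything ldd resolves for it, then print
# the resulting file count (compare with the 43 and 97 quoted above).
build_skeleton() {
    root=$1; bin=$2
    install_into_root "$root" "$bin"
    ldd "$bin" | lib_paths_from_ldd | while read -r lib; do
        install_into_root "$root" "$lib"
    done
    find "$root" -type f | wc -l | tr -d ' '
}

# Usage: skeleton.sh ROOT HOSTNAME IP /path/to/binary [args...]
# The binary path is identical inside and outside the jail because the
# skeleton mirrors the host layout under ROOT.
if [ "$#" -ge 4 ]; then
    root=$1; host=$2; ip=$3; bin=$4; shift 4
    echo "skeleton has $(build_skeleton "$root" "$bin") files; starting jail"
    exec /usr/sbin/jail "$root" "$host" "$ip" "$bin" "$@"
fi
```

Libraries copied this way are snapshots, so every library update on the host means rebuilding the skeleton; that is the maintenance cost the later comments in this thread describe.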
FreeBSD Jails were so much better than everything else out there, for a long time. I'll just copy and paste part of a comment I wrote on another HN thread some time ago, since it's relevant here:<p>[...] In fact, many years ago, when FreeBSD was my main OS (including on my notebook) I went as far as to isolate each app that used the internet into its own custom-setup jail [0][1].
I had Firefox, Thunderbird, Pidgin and a few others running in complete isolation from the base system, and from each other. I even had a separate Firefox jail that was only allowed to get out via a Tor socks proxy to avoid leaks (more of an experiment than a necessity, to be fair).
Communication between jails was done via commonly mounted nullfs. I had also set up QoS via PF for each of them.
They were all running on the host’s Xorg, which was probably also the weakness of this setup.
It was a pretty sweet setup, but required quite a bit of effort to maintain, even though I automated most of the stuff.
[...]<p>The original comment is here: <a href="https://news.ycombinator.com/item?id=27709256" rel="nofollow">https://news.ycombinator.com/item?id=27709256</a>
A great wrapper UI I have used for FreeBSD Jails is iocage (<a href="https://iocage.readthedocs.io/en/latest/" rel="nofollow">https://iocage.readthedocs.io/en/latest/</a>). It's a great project.
(FreeBSD) jails are amazing. I just wish there were easier ways to use them more "cattle"-like, so I can augment or replace Docker/Podman. At the moment tooling and many of the real-world setups remind me a lot of "pet" LXC containers or even VMs in the Linux world.<p>The tooling is slowly moving in a direction I like, though :)
I always hoped for macOS to borrow FreeBSD jails for itself.<p>A Docker-like solution with a pretty UI could be really useful for pros. For novices, it could mean a less cumbersome security measure than the restrictions we’ve been experiencing since Catalina.
I have been playing around with the bastillebsd.org scripts for creating and managing jails. I think it aims to be more 'Docker-like'.<p>It worked well in the limited testing I have done so far.
I have used jails for years; the only thing that is painful is upgrades from ports for all the jails. It's time-consuming. Poudriere helps, but the whole thing is far from ideal :(
Another cool thing about jails is that they're really easy to convert to bhyve virtual machines if your security needs or general paranoia levels increase at any point.