
FreeBSD Jails for Fun and Profit (2020)

280 points, by kettunen, over 3 years ago

13 comments

rsync, over 3 years ago
One thing I find so valuable about jails is the ability to jail *a single command* with no other userland than what that binary requires.

Here's an example from my personal name server:

    /usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.conf

... and although this jail has a lot of *content* files in it, the actual UNIX userland is only what is required to run 'lighttpd':

    # find /jails/www/usr | wc -l
    43

So it's an extremely lightweight environment with very little attack surface.

You can also *share a lightweight environment with multiple commands* - here are two other jail commands:

    /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.conf
    /usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.conf

... see how *both* jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland? Once again, that userland is very, very compact:

    # find /jails/dns/|wc -l
    97

... so, 97 files total to run both name servers.

No 'make world' necessary, no building and maintaining of a full FreeBSD system - just the lightest skeleton required for both 'nsd' and 'unbound'.
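An added example, not from the thread above, of how the "lightest skeleton" userland rsync describes can be assembled: resolve a binary's shared-library dependencies with ldd(1) and copy only those into the jail root. The function names jail_deps, jail_populate and jail_count are chosen here and are not existing FreeBSD tools; the usage lines assume a lighttpd binary and reuse the jail name and address from the comment as placeholders.

```shell
#!/bin/sh
# Added example (not from the thread above): build the minimal userland a
# single binary needs under a jail root, the "lightest skeleton" approach
# rsync describes. jail_deps, jail_populate and jail_count are names chosen
# here, not existing FreeBSD tools.
set -eu

# jail_deps: read ldd(1) output on stdin and print one absolute library
# path per line. Handles "name => /path (0x..)" lines and the bare
# "/path (0x..)" line for the runtime linker. A "=> not found" line is
# reported on stderr instead of being silently dropped.
jail_deps() {
  awk '
    $2 == "=>" && $3 ~ /^\//            { print $3; next }
    $2 == "=>" && $3 == "not"           { print "missing: " $1 > "/dev/stderr"; next }
    $1 ~ /^\// && $1 !~ /:$/ && NF == 2 { print $1 }
  '
}

# jail_populate ROOT BINARY: copy BINARY and every shared object it links
# against into ROOT, keeping the host's path layout so the runtime linker
# finds them at the same paths inside the jail.
jail_populate() {
  root=$1; bin=$2
  for f in "$bin" $(ldd "$bin" | jail_deps); do
    mkdir -p "$root$(dirname "$f")"
    cp -p "$f" "$root$f"
  done
}

# jail_count ROOT: total entries under ROOT, the same metric as
# "find /jails/www/usr | wc -l" in the comment above.
jail_count() {
  find "$1" | wc -l | tr -d ' '
}

# Usage on a FreeBSD host (run as root; jail name and address are
# placeholders), then start the jail the way the comment does:
#   jail_populate /jails/www /usr/local/sbin/lighttpd
#   jail_count /jails/www
#   /usr/sbin/jail /jails/www www 10.10.10.36 /usr/local/sbin/lighttpd -f /conf/lighttpd.conf
```

Anything the daemon opens at runtime (config files, /dev/null, dlopen'd plugins, timezone data) is not visible to ldd and still has to be added by hand, which is why the file count after a first run is worth checking against what the service actually needs.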
drclau, over 3 years ago
FreeBSD Jails were so much better than everything else out there, for a long time. I'll just copy & paste part of a comment I wrote on another HN thread some time ago, since it's relevant here:

[...] In fact, many years ago, when FreeBSD was my main OS (including on notebook) I went as far as to isolate each app that used internet into its own custom-setup jail [0][1]. I had Firefox, Thunderbird, Pidgin and a few others running in complete isolation from the base system, and from each other. I even had a separate Firefox jail that was only allowed to get out via a Tor socks proxy to avoid leaks (more of an experiment than a necessity, to be fair). Communication between jails was done via commonly mounted nullfs. I have also set up QoS via PF for each of them. They were all running on the host's Xorg, which was probably also the weakness of this setup. It was a pretty sweet setup, but required quite a bit of effort to maintain, even though I automated most of the stuff. [...]

The original comment is here: https://news.ycombinator.com/item?id=27709256
bigodanktime, over 3 years ago
A great wrapper UI I have used for FreeBSD Jails is iocage (https://iocage.readthedocs.io/en/latest/). It's a great project.
luto, over 3 years ago
(FreeBSD) jails are amazing. I just wish there were easier ways to use them more "cattle"-like, so I can augment or replace Docker/Podman. At the moment tooling and many of the real-world setups remind me a lot of "pet" LXC containers or even VMs in the Linux world.

The tooling is slowly moving in a direction I like, though :)
okokwhatever, over 3 years ago
I am amazed at how many interesting things I still have to learn in this life. Too many tools, too little time to see them all... :(
tambourine_man, over 3 years ago
I always hoped for macOS to borrow FreeBSD jails for itself.

A Docker-like solution with a pretty UI could be really useful for pros. For novices, it could mean a less cumbersome security measure than the restrictions we've been experiencing since Catalina.
shrubble, over 3 years ago
I have been playing around with the bastillebsd.org scripts for creating and managing jails. I think it aims to be more 'Docker like'.

Worked well from the limited testing I have done so far.
freemint, over 3 years ago
I never understood the appeal of BSD jails over Solaris zones, which seem to be more hardened and seem to virtualize more of the OS.
movedx, over 3 years ago
With a community driver, HashiCorp's Nomad can handle FreeBSD Jails for you. Worth trying out if FreeBSD is your thing.
SpaceInvader, over 3 years ago
I have used jails for years; the only thing which is painful is upgrades from ports for all the jails. It's time consuming. Poudriere helps, but the whole thing is far from ideal :(
ComputerGuru, over 3 years ago
Another cool thing about jails is that they're really easy to convert to bhyve virtual machines if your security needs or general paranoia levels increase at any point.
qqumut, over 3 years ago
Are Jails really that safe & secure?
dgellow, over 3 years ago
Just curious, is there an equivalent (or at least similar in spirit) to FreeBSD jails in the Windows world?