Back to FreeBSD: Part 2 - Jails

Tags: freebsd, jails, containers, linux-containers, zfs, bastille, self-hosting, systems-programming
Originally from hypha.pub

My notes

Summary

FreeBSD jails are a single kernel primitive for OS-level isolation, in contrast to Linux containers, which bolt together namespaces, cgroups, and seccomp. The article walks through building both an LXC container and a FreeBSD jail from scratch, showing that the jail approach needs dramatically less glue, then covers three jail managers (Bastille, AppJail, Pot) and critiques their Dockerfile-mimicking DSLs as importing a solution to a problem ZFS already solves natively with snapshots and clones.

Key Insight

  • Linux containers are not one feature but a patchwork: namespaces (visibility), cgroups (resource limits), seccomp (syscall filtering), glued together first by LXC, then by Docker’s libcontainer, then by OCI/runc/containerd - layers upon layers.
  • FreeBSD jails are one kernel primitive: the jail(2) system call, driven by the jail(8) utility and a jail.conf(5) stanza. One directory, one config file, lifecycle hooks (exec.prestart, exec.start, exec.stop, exec.poststop). No bridge, no DHCP, no NAT needed for the basic shared-IP case - just an IP alias on the host interface, which jail(8) can add and remove itself via the interface parameter.
  • Creating a jail manually: fetch base.txz, extract to /jails/myjail, add IP alias, write /etc/jail.conf, run jail -c myjail. About 20 minutes to understand end-to-end.
  • Bastille reduces this to 3 commands: bastille bootstrap 15.0-RELEASE, bastille create myjail 15.0-RELEASE 10.17.89.10, bastille start myjail.
  • Key critique: all three major jail managers (Bastille, AppJail, Pot) converge on Dockerfile-inspired template DSLs (Bastillefile, Makejail, Potfile). But Docker’s layered format exists because Linux filesystems lack native layering. ZFS has had snapshots and clones since 2005 - copying the Dockerfile model onto jails imports a solution to a problem that does not exist on FreeBSD.
  • Pot has first-class Nomad integration for Kubernetes-style orchestration if that is your infrastructure.
  • VNET gives a jail its own network stack (interfaces, routing table, firewall state) when you need real network isolation beyond shared-IP, where the jail still shares the host’s stack and is merely restricted to its assigned addresses. The price is the epair/bridge plumbing that the shared-IP case avoids.
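The manual procedure from the bullets above, combined with the ZFS point, as an added example. This is not code from the article, from hypha.pub, or from Bastille, AppJail or Pot: a POSIX sh script that extracts base.txz once into a template dataset, snapshots it, and clones the snapshot per jail (copy-on-write, so the "layering" a Dockerfile reimplements comes for free), then appends a jail.conf stanza that carries the restrictive defaults a practitioner would want. The dataset names (zroot/jails/base, zroot/jails/<name>), the /jails mountpoint, the em0 interface, the download mirror URL, and the name/address validation helpers are assumptions of this example. The integrity check relies on the release MANIFEST listing the SHA-256 of each distribution set in its second column; it guards against a truncated or corrupted download, not against a hostile mirror (TLS is doing that part).

```sh
#!/bin/sh
# Added example (not from the article or any jail manager): manual jail
# creation on FreeBSD with a ZFS template dataset cloned per jail.
# Assumptions: parent dataset zroot/jails mounted at /jails, host NIC em0,
# amd64 mirror. Run as root on FreeBSD. With no arguments it only defines
# functions, so it can be sourced or exercised on any POSIX sh.
set -eu

RELEASE="15.0-RELEASE"
POOL="zroot/jails"      # assumed parent dataset, mountpoint /jails
JAILROOT="/jails"
IFACE="em0"             # assumed host interface that carries the shared-IP alias
MIRROR="https://download.freebsd.org/releases/amd64/${RELEASE}"

# Conservative jail-name check (assumed policy): alphanumerics and underscore.
valid_jail_name() {
    case "$1" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac
}

# Dotted-quad IPv4 check in plain POSIX sh (no regex, no external tools).
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Render the jail.conf(5) stanza for one jail. Pure text, so it can be
# inspected or tested without root and without a FreeBSD host.
jail_conf_stanza() {
    name="$1"; ip="$2"
    cat <<EOF
$name {
    path = "$JAILROOT/$name";
    host.hostname = "$name";
    # jail(8) adds the alias to $IFACE on start and removes it on stop,
    # so the shared-IP case needs no bridge, DHCP or NAT.
    interface = "$IFACE";
    ip4.addr = "$ip";
    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;        # devfsrules_jail: hide host device nodes
    allow.raw_sockets = 0;    # no raw sockets (ping, packet crafting) inside
    allow.mount = 0;
    enforce_statfs = 2;       # jail sees only its own mount point
    children.max = 0;         # no nested jails
}
EOF
}

# One-time: fetch base.txz, verify it against the release MANIFEST,
# extract into the template dataset and snapshot it.
bootstrap_base() {
    zfs create -p "$POOL/base"
    fetch -o /tmp/base.txz "$MIRROR/base.txz"
    fetch -o /tmp/MANIFEST "$MIRROR/MANIFEST"
    want=$(awk '$1 == "base.txz" { print $2 }' /tmp/MANIFEST)
    [ -n "$want" ] && [ "$(sha256 -q /tmp/base.txz)" = "$want" ] \
        || { echo "base.txz checksum mismatch" >&2; return 1; }
    tar -xpf /tmp/base.txz -C "$JAILROOT/base"
    cp /etc/resolv.conf "$JAILROOT/base/etc/"
    zfs snapshot "$POOL/base@$RELEASE"
}

# Per jail: clone the snapshot (instant, copy-on-write) instead of
# re-extracting base.txz, append the stanza, create and verify the jail.
create_jail() {
    name="$1"; ip="$2"
    valid_jail_name "$name" || { echo "bad jail name: $name" >&2; return 1; }
    valid_ipv4 "$ip"        || { echo "bad IPv4 address: $ip" >&2; return 1; }
    zfs clone "$POOL/base@$RELEASE" "$POOL/$name"
    jail_conf_stanza "$name" "$ip" >> /etc/jail.conf
    jail -c "$name"
    jls -j "$name"    # fails if the jail did not come up
}

# Usage: sh jails.sh bootstrap
#        sh jails.sh create myjail 10.17.89.10
#        sh jails.sh conf myjail 10.17.89.10   (print the stanza only)
case "${1-}" in
    bootstrap) bootstrap_base ;;
    create)    create_jail "$2" "$3" ;;
    conf)      jail_conf_stanza "$2" "$3" ;;
esac
```

After `create`, `jexec myjail /bin/sh` enters the jail and `zfs list -t snapshot` shows the single template snapshot every clone shares blocks with; `zfs diff` against the snapshot shows exactly what a jail changed, which is the per-layer inspection Docker's image format exists to provide. Add `jail_enable="YES"` to rc.conf to start jails at boot. For a VNET jail, replace the `interface`/`ip4.addr` pair with `vnet;` and a `vnet.interface` pointing at an epair, and accept the bridge setup that comes with it.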