# Back to FreeBSD: Part 2 - Jails

> FreeBSD jails provide OS-level isolation through one kernel primitive, unlike Linux containers, which combine namespaces, cgroups, and seccomp. Includes a comparison with LXC.

Published: 2026-04-01
URL: https://daniliants.com/insights/back-to-freebsd-part-2-jails/
Tags: freebsd, jails, containers, linux-containers, zfs, bastille, self-hosting, systems-programming

---

## Summary

FreeBSD jails are a single kernel primitive for OS-level isolation, in contrast to Linux containers, which bolt together namespaces, cgroups, and seccomp. The article walks through building both an LXC container and a FreeBSD jail from scratch, showing that the jail approach requires dramatically less glue, then covers three jail managers (Bastille, AppJail, Pot) and critiques their Dockerfile-mimicking DSLs as importing solutions to problems ZFS already solves natively.

## Key Insight

- Linux containers are not one feature but a patchwork: namespaces (visibility), cgroups (resource limits), seccomp (syscall filtering), all glued together by LXC, then Docker's libcontainer, then OCI/runc/containerd - layers upon layers.
- FreeBSD jails are a single `jail(8)` syscall: one directory, one config file, lifecycle hooks (`exec.start`, `exec.stop`, `exec.prestart`, `exec.poststop`). No bridge, no DHCP, no NAT needed for the basic shared-IP case - just an IP alias on the host interface.
- Creating a jail manually: `fetch base.txz`, extract to `/jails/myjail`, add IP alias, write `/etc/jail.conf`, run `jail -c myjail`. About 20 minutes to understand end-to-end.
- Bastille reduces this to 3 commands: `bastille bootstrap 15.0-RELEASE`, `bastille create myjail 15.0-RELEASE 10.17.89.10`, `bastille start myjail`.
- Key critique: all three major jail managers (Bastille, AppJail, Pot) converge on Dockerfile-inspired template DSLs (Bastillefile, Makejail, Potfile). But Docker's layered format exists because Linux filesystems lack native layering. ZFS has had snapshots and clones since 2005 - copying the Dockerfile model onto jails imports a solution to a problem that does not exist on FreeBSD.
- Pot has first-class Nomad integration for Kubernetes-style orchestration if that is your infrastructure.
- VNET provides full network stack virtualisation per jail when you need actual network isolation beyond shared-IP.
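The manual jail build from the third bullet (fetch `base.txz`, extract, add the IP alias, write `/etc/jail.conf`, `jail -c`), as an added example that is not code from the article: the `jail.conf` stanza is rendered by a function so it can be inspected before anything touches the host, and the alias is added in `exec.prestart` and removed in `exec.poststop` so the address only exists while the jail runs. Assumed values: host NIC `em0`, jail root under `/jails`, and the download mirror URL; the address `10.17.89.10` is the one the article's Bastille command uses.

```shell
#!/bin/sh
# Added example (not from the article). Assumptions: NIC em0, jails under
# /jails, 15.0-RELEASE from the official mirror. Adjust before use.
set -eu

RELEASE=${RELEASE:-15.0-RELEASE}
MIRROR=${MIRROR:-https://download.freebsd.org/releases/amd64/${RELEASE}}

# Render one jail.conf stanza. exec.clean gives the jail a clean environment,
# mount.devfs + devfs_ruleset 4 expose only the jail-safe device nodes.
render_jail_conf() {
    name=$1 path=$2 ip=$3 iface=$4
    cat <<EOF
${name} {
    path = "${path}";
    host.hostname = "${name}.local";
    ip4.addr = "${ip}";
    exec.prestart = "ifconfig ${iface} inet ${ip}/32 alias";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig ${iface} inet ${ip}/32 -alias";
    exec.clean;
    mount.devfs;
    devfs_ruleset = 4;
}
EOF
}

# Fetch and unpack base.txz into the jail root, append the stanza to
# /etc/jail.conf, then create and start the jail. Needs root on FreeBSD.
build_jail() {
    name=$1 ip=$2 iface=$3
    root=/jails/${name}
    mkdir -p "${root}"
    fetch -o /tmp/base.txz "${MIRROR}/base.txz"
    tar -xpf /tmp/base.txz -C "${root}"      # bsdtar detects xz itself
    cp /etc/resolv.conf "${root}/etc/resolv.conf"
    render_jail_conf "${name}" "${root}" "${ip}" "${iface}" >> /etc/jail.conf
    jail -c "${name}"
}

# Only build when explicitly asked, on FreeBSD, as root; rendering alone is
# safe anywhere and is what to review first (./mkjail.sh build to run it).
if [ "${1:-}" = build ] && [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    build_jail myjail 10.17.89.10 em0
fi
```

Once the jail is up, `jls` lists it and `jexec myjail /bin/sh` drops into it; `jail -r myjail` runs `exec.stop` and then the `exec.poststop` hook that drops the alias.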