from Hacker News

FreeBSD Jails for Fun and Profit (2020)

by kettunen on 12/22/21, 1:34 PM with 154 comments

  • by rsync on 12/22/21, 4:44 PM

    One thing I find so valuable about jails is the ability to jail a single command with no other userland than what that binary requires.

    Here's an example from my personal name server:

      /usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.conf
    
    ... and although this jail has a lot of content files in it, the actual UNIX userland is only what is required to run 'lighttpd':

      # find /jails/www/usr | wc -l
      43
    
    So it's an extremely lightweight environment with very little attack surface.

    You can also share a lightweight environment with multiple commands - here are two other jail commands:

      /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.conf
      /usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.conf
    
    ... see how both jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland? Once again, that userland is very, very compact:

      # find /jails/dns/|wc -l
      97
    
    ... so, 97 files total to run both name servers.

    No 'make world' necessary, no building and maintaining of a full FreeBSD system - just the lightest skeleton required for both 'nsd' and 'unbound'.
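    The skeleton userland rsync describes can be assembled mechanically. The POSIX sh script below is an added example, not code from the comment or from FreeBSD's own tooling: it parses ldd(1)-style output for one binary, copies the binary, its shared libraries and the run-time linker into a jail root with the same directory layout, and counts the result the way the comment does. The ldd sample, the `/jails/www` root and the `/usr/local/sbin/lighttpd` path in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a "skeleton" jail root holding
# only one binary plus the shared libraries it links against, the idea behind
# the single-command jails in the comment above.
set -eu

# Pull resolved library paths out of ldd(1)-style output read from stdin.
# FreeBSD's ldd prints one line per dependency, e.g.
#     libc.so.7 => /lib/libc.so.7 (0x800a00000)
# Only lines with an absolute path after "=>" are kept, so the header line
# naming the binary itself and any "not found" entries are dropped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# populate_jail_root ROOT BINARY [RTLD]
# Reads library paths on stdin (pipe `ldd BINARY` into it on a real host),
# then copies BINARY, every library and the run-time linker into ROOT,
# keeping the original paths so rtld finds them where it expects to.
# Nothing else is copied: no shell, no /etc, no package tooling.
populate_jail_root() {
    root=$1
    bin=$2
    # FreeBSD's ELF interpreter; ldd does not list it, so add it explicitly.
    rtld=${3:-/libexec/ld-elf.so.1}
    mkdir -p "$root"
    { printf '%s\n' "$bin"; ldd_paths; } | while IFS= read -r f; do
        mkdir -p "$root$(dirname "$f")"
        cp "$f" "$root$f"
    done
    if [ -e "$rtld" ]; then
        mkdir -p "$root$(dirname "$rtld")"
        cp "$rtld" "$root$rtld"
    else
        echo "note: $rtld not found; only static binaries will run in $root" >&2
    fi
}

# count_files ROOT: the attack-surface sanity check from the comment
# (`find /jails/www/usr | wc -l`), returned as a bare number.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

    On a FreeBSD host the intended use is `ldd /usr/local/sbin/lighttpd | populate_jail_root /jails/www /usr/local/sbin/lighttpd`, after which the old-style `jail(8)` invocation from the comment starts the daemon in that root. ldd only shows link-time dependencies: the daemon's config file, its content, and anything it opens at run time (for example `/etc/passwd` if it resolves a user name to drop privileges) are not discovered this way and have to be added by hand, which is why rsync's `/jails/www` still holds content files beside its 43-entry `/usr`.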

  • by drclau on 12/22/21, 3:20 PM

    FreeBSD Jails were so much better than everything else out there, for a long time. I'll just copy&paste part of a comment I wrote on another HN thread some time ago, since it's relevant here:

    [...] In fact, many years ago, when FreeBSD was my main OS (including on notebook) I went as far as to isolate each app that used internet into its own custom-setup jail [0][1]. I had Firefox, Thunderbird, Pidgin and a few others running in complete isolation from the base system, and from each other. I even had a separate Firefox jail that was only allowed to get out via a Tor socks proxy to avoid leaks (more of an experiment than a necessity, to be fair). Communication between jails was done via commonly mounted nullfs. I have also set up QoS via PF for each of them. They were all running on the host’s Xorg, which was probably also the weakness of this setup. It was a pretty sweet setup, but required quite a bit of effort to maintain, even tho I automated most of the stuff. [...]

    The original comment is here: https://news.ycombinator.com/item?id=27709256

  • by bigodanktime on 12/22/21, 3:37 PM

    A great wrapper UI I have used for FreeBSD Jails is iocage (https://iocage.readthedocs.io/en/latest/). It's a great project.

  • by luto on 12/22/21, 3:05 PM

    (FreeBSD) jails are amazing. I just wish there were easier ways to use them more "cattle"-like, so I can augment or replace Docker/Podman. At the moment tooling and many of the real-world setups remind me a lot of "pet" LXC containers or even VMs in the Linux world.

    The tooling is slowly moving in a direction I like, though :)

  • by okokwhatever on 12/22/21, 3:14 PM

    I am amazed at how many interesting things I still have to learn in this life. Too many tools, too little time to see them all... :(

  • by tambourine_man on 12/22/21, 3:30 PM

    I always hoped for macOS to borrow FreeBSD jails for itself.

    A Docker-like solution with a pretty UI could be really useful for pros. For novices, it could mean a less cumbersome security measure than the restrictions we’ve been experiencing since Catalina.

  • by shrubble on 12/22/21, 3:27 PM

    I have been playing around with the bastillebsd.org scripts for creating and managing jails. I think it aims to be more 'Docker like'.

    Worked well from the limited testing I have done so far.

  • by freemint on 12/22/21, 3:03 PM

    I never understood the appeal of BSD jails over Solaris zones which seem to be more hardened and seem to virtualize more of the OS.

  • by movedx on 12/22/21, 11:12 PM

    With a community driver, HashiCorp's Nomad can handle FreeBSD Jails for you. Worth trying out if FreeBSD is your thing.

  • by SpaceInvader on 12/22/21, 11:07 PM

    I have used jails for years; the only thing which is painful is upgrades from ports for all the jails. It's time consuming. Poudriere helps but the whole thing is far from ideal :(

  • by ComputerGuru on 12/23/21, 1:08 AM

    Another cool thing about jails is that they're really easy to convert to bhyve virtual machines if your security needs or general paranoia levels increase at any point.

  • by qqumut on 12/22/21, 3:22 PM

    Are Jails really that safe & secure?

  • by dgellow on 12/22/21, 4:00 PM

    Just curious, is there an equivalent (or at least similar in spirit) to FreeBSD jails in the Windows world?