Jails on FreeBSD



@st3fan 4d
I upvoted this because I have a lot of love for FreeBSD and I think Jails are great.

However, I really wish the FreeBSD folks would educate themselves a bit more about what is actually available on Linux and how those options compare to FreeBSD Jails.

@thehigherlife 4d
Since this is gaining some traction. I'm curious if you are using jails and a jail manager, what are you're using now? I'm still using IOCAGE (Version 1.2) on freeBSD 13, but it seems like its not the best way to do it anymore? Documentation is all over the place on what is the best way to manage jails now.
@soupbowl 4d
There are a lot of jail tools these days, it would be nice if we posted more modern FreeBSD guides. Myself I use BastilleBSD heavily for personal and small business use.


@jmclnx 4d
Very nice

I used jails on FreeBSD and nothing in Linux comes close. Yes, it is not a pointy-clicky setup like Linux likes to do. But IMHO Jails are far more secure, in a way: you get what you 'pay' for.

@1over137 4d
Instruction are for FreeBSD 12, I wonder if it's still current for 13 and 14...?
@jmillikin 4d
Whenever an article about FreeBSD's jails gets posted here, the comments tend to drift toward an argument about jails vs Docker containers. People call them "Linux containers", but really they're talking about Docker (or its clones like Podman).

This may be me shouting into the void, but I wish there were an article directly comparing jails with namespaces, which is the Linux functionality that Docker uses. I can totally believe that FreeBSD jails provide a better / more unified / more secure experience than Docker, but to extend that into saying "FreeBSD jails are better than Linux namespaces" feels like a category error.

Questions I would like to see answered in that article:

* Can jails be used to run subprocesses in the normal filesystem, but with a different network environment (for example making a given command run its net traffic through TAP)?

* Can jails be used to limit memory/cpu/IO/network for subprocesses? For threads within a process?

* Can live processes be moved into or out of a jail?

* Can jails be used to make a process think it's running as a different user?

I feel like the answer to these questions is generally "no, that's not what jails are for", which is (1) a fine answer given the apparent goal of being a better chroot(), and (2) reinforces that jails and namespaces are addressing different problem domains.

@layer8 4d
In the aughts (2000s) I rented a "managed" VPS that was based on FreeBSD jails and an overlay filesystem. It was great in that you didn't have to maintain most of the software yourself (e.g. security updates) because it was maintained by the hoster on the base filesystem layer, while at the same time you were still root on your own filesystem overlay, where you could add or modify any file from the base filesystem. If you messed up somehow, you could simply revert to the base filesystem version of the respective files. Furthermore only the files on your overlay counted against your filesystem quota. Unfortunately the hoster discontinued that offering after a couple of years.
@codetrotter 4d
Let me chime in and say, Michael W Lucas has an awesome book about FreeBSD Jails. I bought it recently and I read the whole thing and it helped me a lot. I still had to figure some things out by myself because the book is for a slightly older version of FreeBSD. But it is an awesome book.

I use only the tools included in base system for setting up my jails. No “ezjail” or anything.

If you read his whole book you will see how it might be the correct choice to just do it yourself. Depending on what you want to do etc.

For me I am definitely much better off having set it up myself with the help of mwl’s book.


Buy the physical copy of the book.

PS: Use vnet interfaces for most of your jails.

@alberth 4d
Off topic: I miss the days when web pages looked like this link.

High info density, consistent look, “responsive” without being responsive.

@mikece 4d
Is there a "best article" out there comparing BSD Jails to Docker and the strengths and weaknesses of choosing one or the other?

(I'm also curious if BSD Jails are the same thing as Solaris Zones but with a different name or if there is significant nuance making them different).

@jedberg 4d
Just one nit, FreeBSD had jails before March of 2000. I know this because I was using them in 1999. And in fact they were merged into CURRENT in early 1999 and STABLE in mid/late 1999. It was merged into RELEASE in March 2000.
@gumballindie 3d
Every time I think of freebsd and how cool it was and is I wondering what caused linux to overtake it. I like linux as well, but I just don't understand the mechanics behind freebsd not gaining traction.
@Detrytus 3d
Offtopic, but isn't it funny that the system that calls itself FreeBSD has a concept of "jails"? Couldn't they come up with better name? :)