
(FreeBSD) jails are amazing. I just wish there were easier ways to use them more "cattle"-like, so I can augment or replace Docker/Podman. At the moment tooling and many of the real-world setups remind me a lot of "pet" LXC containers or even VMs in the Linux world.

The tooling is slowly moving in a direction I like, though :)



Author here!

This is an old post of mine which I happened to find useful. Orchestration of jails moved quite a bit forward lately! For example, you can manage your jails quite nicely with containerd today! See the great post from Samuel Karp about the topic: https://samuel.karp.dev/blog/2021/05/running-freebsd-jails-w...


I use LXC on Proxmox and I do everything with Ansible scripts. Is there something moving towards docker-like repository in LXC land? Would love to just run the latest pihole or nginx or what have you on LXC


Are they superior to firejail on Linux? I kind of always figured they were a similar level of "sandboxing", but I never had enough interest in BSD to dig in myself.


They are a completely different mechanism for doing a different kind of stuff. Firejail sounds like something closer to Capsicum, but without the security model.


I was under the impression they were like jails, to sandbox a program and make it more siloed off and secure? Whatever the underlying mechanisms for obtaining that. I'll research some more I guess.


Could you elaborate on the differences? As far as I understood it firejail, or rather the Linux features that it depends upon, is far more powerful than FreeBSD jails.


From what I understand, firejail is a "syscall filter". This moves it to the same category as Capsicum (https://www.freebsd.org/cgi/man.cgi?capsicum), but without Capsicum's security model, instead implementing something ad hoc, probably by using Linux's seccomp.

Jails, on the other hand, are not a sandboxing mechanism - they are system-level virtualization, like Linux namespaces, but with a simpler interface. You can use it for sandboxing, but it's not what the mechanism fundamentally is.
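Added illustration (my own example, not from any commenter in this thread): the smallest possible seccomp-BPF "syscall filter" of the kind described above. It denies mkdir(2)/mkdirat(2) with EPERM and allows everything else. After it is installed the process still sees the host's filesystem, PID space and network, which is exactly why a filter like this is a sandboxing primitive and not system-level virtualization. Linux-only; the architecture macro, path and function names are my own choices.

```c
// Added example (not from the thread): a minimal seccomp-BPF syscall filter.
// Linux-only. Denies mkdir(2) and mkdirat(2) with EPERM, allows every other syscall.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <unistd.h>

/* A real filter must check seccomp_data.arch, otherwise syscall numbers
   from a foreign ABI (e.g. 32-bit compat) would be matched against the wrong table. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install the filter into the calling process. Returns 0 on success, -1 with errno set. */
int deny_mkdir_filter(void) {
    struct sock_filter filter[] = {
        /* 0: load arch, 1: jump over the kill if it matches, 2: kill otherwise */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_mkdir   /* aarch64 has no plain mkdir(2), only mkdirat(2) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdir, 2, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* denied syscalls fail with EPERM instead of killing the process */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Install the filter, then try mkdir. Returns the errno observed (EPERM when the
   filter works), 0 if mkdir unexpectedly succeeded, -1 if the filter could not be installed. */
int probe_mkdir_after_filter(void) {
    const char *path = "/tmp/seccomp-demo-dir";   /* constructed path for the demo */
    if (deny_mkdir_filter() != 0) return -1;
    if (mkdir(path, 0700) == 0) {
        rmdir(path);
        return 0;
    }
    return errno;
}

/* The filtered process still sees the host: root directory and its own PID are unchanged.
   Returns 1 if so. A jail or mount/pid namespace would change what this code observes. */
int still_sees_host(void) {
    return access("/", F_OK) == 0 && getpid() > 0;
}

int main(void) {
    int rc = probe_mkdir_after_filter();
    if (rc == -1) {
        perror("seccomp filter not installed");
        return 1;
    }
    printf("mkdir after filter: %s\n", rc == EPERM ? "EPERM (denied by filter)" : "not denied");
    printf("host still visible: %s\n", still_sees_host() ? "yes" : "no");
    return 0;
}
```

Note that the filter is one-way: once installed it cannot be removed by the process, and it applies to every thread created afterwards. That is the whole of what a syscall filter gives you; it never changes which filesystem, PIDs or network interfaces the process sees, which is the part jails and namespaces provide.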


Firejail does more than just syscall filtering.


Please tell more.



Looks like a GUI wrapper around jails, with some seccomp hacks to work around deficiencies in namespaces.


On a Debian GNU/Linux or derivative:

  apt-cache search jail
  firejail - sandbox to restrict the application environment
  firejail-profiles - profiles for the firejail application sandbox
  firetools - Qt frontend for the Firejail application sandbox



