Comment by McAlpine5892
7 days ago
BSD jails are architected wholly differently from what something like Docker provides.
Jails are first-class citizens that are baked deep into the system.
A tool like Docker relies on using multiple Linux features/tools to assemble/create isolation.
Additionally, iirc, the logic for FreeBSD jails never made it into the Darwin kernel.
Someone correct me please.
> BSD jails are architected wholly differently from what something like Docker provides.
> Jails are first-class citizens that are baked deep into the system.
Both very true statements and worth remembering when considering:
> Additionally, iirc, the logic for FreeBSD jails never made it into the Darwin kernel.
You are quite correct, as Darwin is based on XNU[0], which itself has roots in the Mach[1] microkernel. Since XNU[0] is an entirely different OS architecture than that of FreeBSD[3], jails[4] do not exist within it.
The XNU source can be found here[2].
0 - https://en.wikipedia.org/wiki/XNU
1 - https://en.wikipedia.org/wiki/Mach_(kernel)
2 - https://github.com/apple-oss-distributions/xnu
3 - https://cgit.freebsd.org/src/
4 - https://man.freebsd.org/cgi/man.cgi?query=jail&apropos=0&sek...
Thank you for the links I will take a closer look at XNU. It’s neat to see how these projects influence each other.
> Thank you for the links I will take a closer look at XNU.
Another great resource regarding XNU and OS-X (although a bit dated now) is the book:
0 - https://openlibrary.org/books/OL27440934M/Mac_OS_X_Internals
This is great! Thank you!
> what something like Docker provides
Docker isn't providing any of the underlying functionality. BSD jails and Linux cgroups etc aren't fundamentally different things.
Jails were explicitly designed for security, cgroups were more generalized as more about resource control, and leverage namespaces, capabilities, AppArmor/SELinux to accomplish what they do.
> Jails create a safe environment independent from the rest of the system. Processes created in this environment cannot access files or resources outside of it.[1]
While you can accomplish similar tasks, they are not equivalent.
Assume Linux containers are jails, and you will have security problems. And on the flip side, k8s pods share UTM, IPC, network namespaces, yet have independent PID and FS namespaces.
Depending on your use case they may be roughly equivalent, but they are fundamentally different approaches.
[1] https://freebsdfoundation.org/freebsd-project/resources/intr...
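As an added example (my own, not from any commenter), here is a small Python check for the namespace-sharing point made above: on Linux every process exposes its namespaces as `/proc/<pid>/ns/*` symlinks whose inode numbers identify the namespace, so two processes sharing a namespace show the same inode. The pod and host values below are constructed, not captured from a real cluster.

```python
import os
from typing import Dict, Set, Tuple

# Namespace kinds exposed under /proc/<pid>/ns on a modern Linux kernel.
NS_KINDS = ("uts", "ipc", "net", "pid", "mnt", "user", "cgroup")


def parse_ns_links(links: Dict[str, str]) -> Dict[str, str]:
    """Map readlink() targets such as 'net:[4026531992]' to the bare inode id."""
    parsed = {}
    for kind, target in links.items():
        prefix = kind + ":["
        if not (target.startswith(prefix) and target.endswith("]")):
            raise ValueError(f"unexpected ns link for {kind}: {target!r}")
        parsed[kind] = target[len(prefix):-1]
    return parsed


def read_proc_ns(pid: int) -> Dict[str, str]:
    """Collect a live process's namespace ids (Linux only; needs permission on that pid)."""
    base = f"/proc/{pid}/ns"
    links = {k: os.readlink(os.path.join(base, k))
             for k in NS_KINDS if os.path.exists(os.path.join(base, k))}
    return parse_ns_links(links)


def compare_namespaces(a: Dict[str, str], b: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (shared, separate) namespace kinds present in both maps."""
    common = set(a) & set(b)
    shared = {k for k in common if a[k] == b[k]}
    return shared, common - shared


def isolation_gaps(container: Dict[str, str], host: Dict[str, str]) -> Set[str]:
    """Defender's check: namespace kinds a container shares with a host process (e.g. hostPID)."""
    shared, _ = compare_namespaces(container, host)
    return shared


# Constructed sample: two containers in one pod share uts/ipc/net but keep their own pid/mnt.
POD_CONTAINER_A = parse_ns_links({"uts": "uts:[4026532001]", "ipc": "ipc:[4026532002]",
                                  "net": "net:[4026532003]", "pid": "pid:[4026532010]",
                                  "mnt": "mnt:[4026532011]"})
POD_CONTAINER_B = parse_ns_links({"uts": "uts:[4026532001]", "ipc": "ipc:[4026532002]",
                                  "net": "net:[4026532003]", "pid": "pid:[4026532020]",
                                  "mnt": "mnt:[4026532021]"})
# Constructed host process; its pid namespace matches container B (a hostPID-style misconfiguration).
HOST_PROCESS = parse_ns_links({"uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]",
                               "net": "net:[4026531840]", "pid": "pid:[4026532020]",
                               "mnt": "mnt:[4026531841]"})
```

Running `compare_namespaces(read_proc_ns(1), read_proc_ns(os.getpid()))` from inside a container shows concretely which namespaces it does and does not have of its own.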