
Comment by doublerabbit

3 days ago

NetGraph and bHyve are a match made in heaven. I need to master them some more.

I have isolated jails with their own vNICs running a nested bHyve VM instance, inside which you then host a jail with its own vNIC.

If something jumps out of the they are deadlocked to the VM; if they jump out of that, they're trapped in a jail.

I need a blog post about this. I’m just a desktop user of FreeBSD.

  • Yeah me too, I'm not 100% clear what is being done here.

    • FBSD Host > Jail > [FreeBSD bHyve Vm] > Jails

      You have web services you desire to host. Let's call our first jail, infrastructure.

      Within our infrastructure jail we want to create a Virtual Machine for actual web services.

      You have an AMP stack and you wish to keep MySQL, Apache and PHP isolated. Security, right?

      We construct a VM named Web Services running FreeBSD. This VM now enables us to construct more jails to handle isolated MySQL and Apache/PHP instances. These jails have no idea about the host underneath as they're being hosted in a floating hive.

      The VM is now the host, so all jails are connected traditionally via a bridge, and this is where netgraph comes in. However, to explain NG over HN would be painful.

      bHyve too isn't just limited to a single jail; you could then create a second jail on the FBSD host and construct the same: "Network Infrastructure", where you handle routing between jails.

      So you now have two jails, each running virtual machines isolated from each other running hierarchical jails.

      In my case I have a storage virtual machine. Using ZFS, space is dynamic, and a storage jail within issues all my NFS ZFS shares, my SMB shares, et cetera. This makes backups easy as all I ever need to do is back up the storage virtual machine.

      A media jail where I hold all my streaming services, and a network jail where all things network infrastructure go: routers, monitoring, DNS, et cetera.

      You can go deeper than that. I was playing with a host where you had a VM jail which hosted a dedicated firewall for jails, which hosted jails for services.

      Host > Jail > VM > FW Jail > Service Jail A > Jail A, B, C

      And because all is contained in a virtual machine, I just power off the VM and back up the raw image.
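The "VM is now the host, jails hang off a netgraph bridge" step above, as an added example that is not the commenter's own setup: it builds an ng_bridge off the VM's uplink and gives each vnet jail its own ng_eiface. It assumes the bhyve guest's uplink is vtnet0 and jails named db and web; the MACs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Wires vnet jails inside the bhyve
# VM to a netgraph bridge instead of if_bridge. Assumes the VM's uplink NIC is
# vtnet0 and jail names db/web; MACs below are constructed. Runs as a dry run
# (prints the ngctl/ifconfig commands) unless NG_DRY_RUN is set to empty.
NG_DRY_RUN="${NG_DRY_RUN-1}"

run() {
    if [ -n "$NG_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ng_bridge hangs off the uplink's lower hook; the uplink's upper hook loops
# back on link1 so the VM itself keeps connectivity. setpersistent keeps the
# bridge alive when the last jail detaches.
ng_bridge_create() {
    uplink="$1"
    run ngctl mkpeer "${uplink}:" bridge lower link0
    run ngctl name "${uplink}:lower" "${uplink}bridge"
    run ngctl connect "${uplink}:" "${uplink}bridge:" upper link1
    run ngctl msg "${uplink}:" setpromisc 1
    run ngctl msg "${uplink}:" setautosrc 0
    run ngctl msg "${uplink}bridge:" setpersistent
}

# One ng_eiface per jail on bridge link N. The kernel names the new interface
# ngethN; read that back with getifname and rename it before vnet moves it.
ng_jail_iface() {
    uplink="$1" jail="$2" link="$3" mac="$4"
    run ngctl mkpeer "${uplink}bridge:" eiface "link${link}" ether
    run ngctl name "${uplink}bridge:link${link}" "ng_${jail}"
    run ngctl msg "ng_${jail}:" set "$mac"
    if [ -n "$NG_DRY_RUN" ]; then
        ifname="ngethN"   # placeholder; a real run reads the name below
    else
        ifname=$(ngctl msg "ng_${jail}:" getifname | sed -n 's/.*"\(ngeth[0-9]*\)".*/\1/p')
    fi
    run ifconfig "$ifname" name "ng_${jail}"
}

# jail.conf fragment: the jail gets its own network stack and only this eiface.
# Merge with your path/host.hostname/exec settings.
jail_conf_vnet() {
    printf '%s {\n  vnet;\n  vnet.interface = "ng_%s";\n}\n' "$1" "$1"
}

ng_bridge_create vtnet0
ng_jail_iface vtnet0 db  2 02:00:00:00:00:02   # constructed MACs
ng_jail_iface vtnet0 web 3 02:00:00:00:00:03
jail_conf_vnet db
jail_conf_vnet web
```

Each jail sees only its ng_eiface, so a compromise inside db or web is confined to the VM's bridge, which is the containment layer the thread describes.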