
A while back I did some looking at FreeBSD jails to try to figure out why they don't have more mindshare (especially when paired with the nigh-superpower-granting ZFS).

I came away baffled that they weren't more widely-promoted, compared with Docker and friends. After thinking about it for a while, all I can figure is they're so straightforward to use and well-documented that there's no room to make one's name, or to make a buck, re-packaging them or wrapping them in complex tools, so there's little money or glory (= personal marketing via open-source project leadership/contributions) in promoting them.

[EDIT] that is: what would be a blog post in LXC/Docker land... doesn't exist, because it's covered perfectly well in the docs. What would be a simple open-source tool... becomes a blog post, because it's short, simple, and clear enough not to merit special software, but just a quick guide to existing tools. What would be a business, becomes a simple open-source tool without enough of a difficulty/convenience "moat" to support a business.



I suspect the answer includes it not being Linux, even with the compatibility layer available.


I'm sure that's some of it, but the trend seems to be moving away from leveraging OS-level tools anyway. As long as your containers (or jails) and the single important binary in each one start up OK and your network tuning on the parent OS isn't completely screwed up, the rest barely matters anymore.


It seems like you're missing a lot of things.

As a developer, how do I run FreeBSD Jails on my MacBook during development? With Docker for Mac, it is trivial for me to do everything on my Mac, and the fact that there is a virtual machine is completely invisible to me. Everything "Just Works". With FreeBSD Jails, I would have to actually interact with a VM constantly, including the pain of shipping files back and forth.

As a developer, are popular databases and applications pre-packaged as FreeBSD Jails so that I can spin one up on my laptop with a single command? Where is the Docker Hub equivalent?

As a developer, how do I orchestrate a collection of FreeBSD Jails for each project? With Docker, I define a single `docker-compose.yml` file for each project. With a single `docker-compose up`, the entire project is running including dependencies such as databases and other related projects in a completely reproducible fashion. This makes it trivial for coworkers to spin up a project on their machine and immediately be productive without spending an hour trying to get all the right versions of everything installed and up and running.

As someone responsible for deploying an application to production, what is the story around FreeBSD Jails for deploying across a cluster? Is there a Kubernetes-equivalent that can manage the allocation of resources, blue-green deployments, and manage the lifecycle of my FreeBSD Jails?

As someone responsible for deploying an application to production, do any of the major clouds support FreeBSD Jails? With Docker images, I can deploy those straight to ECS Fargate, Google Cloud Run, and half a dozen other services. Then I don't even have to think about my own infrastructure unless I need some really specialized hardware for a specific application.

> the rest barely matters anymore.

Everything else matters so much.

As to your earlier point about ZFS, most Linux distros these days seem to trivially support ZFS. Even TrueNAS is working on switching to Linux with their TrueNAS Scale offering.

It's not that I'm opposed to FreeBSD... FreeBSD is just a hard sell. It's hard to pin down exactly what you're gaining by throwing out all the collective Linux knowledge of an organization and switching to FreeBSD. FreeBSD is an N-th tier platform for pretty much every programming language except C, so good luck when you run into random subtle problems. Also, good luck doing hardware accelerated machine learning inference or training on FreeBSD... it's probably possible?

> the single important binary

This is also such a weird thing to throw out there. I like a good Go program myself, but most companies are not only deploying single-binary statically linked applications. Most companies are also deploying some kind of Ruby, Python, or Java application... none of which are likely to be a single file in practice. Most of them will have a variety of shared libraries, and I don't know if I've ever seen a Ruby application shipped in a `FROM scratch` container before. Technically possible, but that's just not common reality as far as I've seen. It sounds like you're proposing that everyone is already running in `FROM scratch` containers, so a FreeBSD Jail is just a drop-in replacement.

Linux containers are far from perfect, but as a developer... I have played with FreeBSD Jails before, and come away frustrated by all the work you have to do yourself.


> As a developer, are popular databases and applications pre-packaged as FreeBSD Jails so that I can spin one up on my laptop with a single command?

The closest you can get is BastilleBSD (framework for FreeBSD Jails) and their templates - available here:

https://github.com/BastilleBSD/templates

https://bastillebsd.org/templates/


> > the single important binary

> This is also such a weird thing to throw out there. I like a good Go program myself, but most companies are not only deploying single-binary statically linked applications. Most companies are also deploying some kind of Ruby, Python, or Java application... none of which are likely to be a single file in practice.

Sure, but usual practice with containers is to put each thing in its own, unless they are very tightly coupled. Web-app with a SQL database and a memory cache? Three containers. You can do otherwise, but that's typical. Usually each container ends up with one main, important running process, and not much else.

[EDIT]

> As someone responsible for deploying an application to production, what is the story around FreeBSD Jails for deploying across a cluster? Is there a Kubernetes-equivalent that can manage the allocation of resources, blue-green deployments, and manage the lifecycle of my FreeBSD Jails?

> As someone responsible for deploying an application to production, do any of the major clouds support FreeBSD Jails? With Docker images, I can deploy those straight to ECS Fargate, Google Cloud Run, and half a dozen other services. Then I don't even have to think about my own infrastructure unless I need some really specialized hardware for a specific application.

These are exactly the kinds of things I was thinking of when I noted that the OS itself has been seriously diminished in importance, for modern workflows. I agree that most commercial or high-profile open-source "cloud" tools and platforms are built around LXC/Docker.


> Sure, but usual practice with containers is to put each thing in its own, unless they are very tightly coupled. Web-app with a SQL database and a memory cache? Three containers. You can do otherwise, but that's typical. Usually each container ends up with one main, important running process, and not much else.

I agree, but... getting all the application dependencies in there is more than just getting a single binary in there. If it's just a single-binary Go program, then a Jail works just fine, but it's not that simple for a Ruby application. I'm definitely not talking about databases running in the same container as the application. That's where Kubernetes and docker-compose come in for multi-container orchestration, which are things that FreeBSD Jails don't have as far as I know.

> These are exactly the kinds of things I was thinking of when I noted that the OS itself has been seriously diminished in importance

Yes, but... these are all the things that FreeBSD doesn't offer. These are the real reasons that people don't talk about FreeBSD Jails in the same breath as Docker. The Docker container itself (or the FreeBSD Jail) as a unit of isolation is the least interesting part of the ecosystem. All of the developer tools, orchestration tools, and prebuilt images are what make the Docker universe so interesting, and make FreeBSD Jails... less interesting.

You said you were confused why Jails don't have more mindshare. It has absolutely nothing to do with people being able to invent useless tools and write blog posts about them, and it has absolutely nothing to do with FreeBSD Jails being too well documented. You kind of implied those were the best explanations you could come up with. Those are not the problems at all, and it seems disingenuous to me to say you think those are the problems unless you really didn't know the things I mentioned in my first reply.


My personal favorite thing about Docker, and the part I'd most miss if I switched to Jails (which I'm fairly confident could meet my needs with some fairly simple scripts and aliases that wouldn't take me long to arrive at, which is why I think there's so much less of an "ecosystem" there, even a nascent and under-developed one) is the way it forces projects to un-fuck their configuration.

500-line config, much of which few people ever care about, with all kinds of ill-conceived nesting? Better put the ~20 options that 99% of users ever touch in environment variables, and document them. Weird state garbage that's not captured in your config-on-disk? Better figure it out and get it into env vars, and have your startup script use those to transparently manage whatever bad decisions you made re: state in the past. Shit files all over the system? Better get that sorted out so people can handle persistence with at the very most three total mounts—and oh, gee, look, now your simple example docker-compose also serves to document where exactly you store files. And so on.

(my second-favorite thing is that it's a de-facto cross-distro package manager with very up-to-date packages that are trivial to completely and cleanly uninstall)
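The "config in env vars, startup script manages the state" pattern this comment praises is easy to state and easy to get wrong, so here is an added illustration of it as a POSIX sh container entrypoint. It is example code written for this page, not the commenter's script or any real project's; the variable names (APP_*), the paths (/data, /run/app, legacy.db) and the application binary are all assumptions. The script refuses to start without its required secret rather than falling back to a built-in default, validates the handful of documented options, writes the rendered config with owner-only permissions, and migrates an old on-disk state location once so a persisted volume keeps working:

```sh
#!/bin/sh
# Added example entrypoint: build the application's on-disk config from a small,
# documented set of environment variables. All names here are illustrative.
set -eu

# Fail fast when a required variable is missing or empty; no silent defaults
# for secrets.
require_env() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "entrypoint: required variable $name is not set" >&2
        return 1
    fi
}

# A listen port must be a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Only the documented log levels are accepted.
valid_log_level() {
    case "$1" in
        debug|info|warn|error) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the config file from the environment. Validation happens before any
# file is touched, and the file is created owner-read/write only because it
# carries the database password.
render_config() {
    out="$1"
    require_env APP_DB_HOST || return 1
    require_env APP_DB_PASSWORD || return 1
    port="${APP_PORT:-8080}"
    level="${APP_LOG_LEVEL:-info}"
    data_dir="${APP_DATA_DIR:-/data}"
    valid_port "$port" || { echo "entrypoint: bad APP_PORT '$port'" >&2; return 1; }
    valid_log_level "$level" || { echo "entrypoint: bad APP_LOG_LEVEL '$level'" >&2; return 1; }
    mkdir -p "$(dirname "$out")"
    # Write to a temp file with a restrictive umask, then rename into place so
    # the application never sees a half-written config.
    (
        umask 077
        printf 'listen_port = %s\nlog_level = %s\ndb_host = %s\ndb_password = %s\ndata_dir = %s\n' \
            "$port" "$level" "$APP_DB_HOST" "$APP_DB_PASSWORD" "$data_dir" > "$out.tmp"
    )
    mv "$out.tmp" "$out"
}

# Hypothetical older releases stored state as legacy.db; move it to the current
# name once, so the mounted volume keeps working without manual steps.
migrate_legacy_state() {
    dir="$1"
    if [ -f "$dir/legacy.db" ] && [ ! -e "$dir/app.db" ]; then
        mv "$dir/legacy.db" "$dir/app.db"
    fi
}

main() {
    cfg="${APP_CONFIG_FILE:-/run/app/app.conf}"
    migrate_legacy_state "${APP_DATA_DIR:-/data}"
    render_config "$cfg"
    # exec so the application becomes PID 1 and receives signals directly.
    exec "${APP_BIN:-/usr/local/bin/app}" --config "$cfg"
}

# Run the full startup only when invoked as `entrypoint.sh start`; the functions
# above can also be sourced on their own.
if [ "${1:-}" = "start" ]; then
    main
fi
```

The point of validating before writing and of the owner-only permissions is that the env-var surface is now the documented interface: a misconfiguration fails at startup with a clear message instead of surfacing later as a half-working service, and the rendered file (which contains the secret) never exists in a world-readable state.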


FreeBSD introduced Jails in 1999.

I used my first Jail in 2001.

Docker was started over a decade later in 2013.

It’s reasonable to be confused why Jails lacks the mindshare. “Because it lacks all these other over-the-top features that we need” might be reasonable in response, except that Docker didn’t have any of these things on day 0 either.

Jails had a 14 year head start, Docker reinvents the wheel, and not particularly well at first. Why did it succeed more than Jails did? It wasn’t because of the piss-poor native Mac support.


It seems pretty obvious that the big thing here is that most people ship apps on Linux, not on FreeBSD.


If technically best in the container space mattered, Illumos would be everywhere...


People say this a lot too, but Illumos also uses shared-kernel isolation. Linux + gVisor is probably (significantly) superior to it as far as security goes.


90%+ of Docker users aren't using gVisor; I don't disagree that it's good, but it feels like an aside.


Or z/OS


Jails are still shared-kernel isolation. Docker's reputation is mired in its earlier implementations, when it wasn't really even intended for multitenant isolation. Modern Docker, running with unprivileged containers (which is the norm), is substantially hardened. The real win over Docker is losing the shared kernel, which is what lots of people are doing, so the win to Jails is marginal.


TrueNAS exposed me to FreeBSD jails but what put me off is that there does not seem to be an equivalent of "docker build".

Jails seem to be treated like OpenVZ containers in the Linux world: a lighter alternative to virtual machines, not a way to build and distribute applications like Docker.

This is just my take after playing a few hours with jails, I would happily be proven wrong.


Heretics! Victimizing all the Fashionistas! Where would be the fun of endless shiny new things? The thrill of employing l33t google skillz to find just another solution to cut&paste in haste, with no wasted time reading boring old style manuals and documentation. Attention deficit is the hottest shit! Deal with it!
