> This is kinda like Docker/Podman thing on Linux – but secure instead.
How true is this? I know jails have been around longer than Linux containers, which are explicitly not designed as "secure" isolation (which is why people like fly.io use VMs instead).
How battle-tested are FreeBSD jails?
In particular, I note we're talking FreeBSD, not OpenBSD, which is the one that's all about security.
Sure - lets have a discussion about differences between security of FreeBSD Jails and Linux Podman containers.
Isolation: With rootless Podman it seems to be on the same level as Jails - but only if You run Podman with SELinux or AppArmor enabled. Without SELinux/AppArmor the Jails offer better isolation. When you run Podman with SELinux/AppArmor and then you add MAC Framework (like mac_sebsd/mac_jail/mac_bsdextended/mac_portacl) the Jails are more isolated again.
Kernel Syscalls Surface: Even rootless Podman has 'full' syscall access unless blocked by seccomp (SELinux). Jails have restricted use of syscalls without any additional tools - and that can be also narrowed with MAC Framework on FreeBSD.
Firewall: You can not run firewall inside rootless Podman container. You can run entire network stack and any firewall like PF or IPFW independently from the host inside VNET Jail - which means more security.
TL;DR: FreeBSD Jails are generally more secure out-of-the-box compared to Podman containers and even more secure if you take the time to add additional layers of security.
> How battle-tested are FreeBSD Jails?
Jails are in production since 1999/2000 when they were introduced - so 25 years strong - very well battle tested.
Docker is with us since 2014 so that means about 10 years less - but we must compare to Podman ...
Rootless support for Podman first appeared late 2019 (1.6) so only less then 6 years to test.
That means Jails are the most battle tested of all of them.
Running containers inside VMs in multitenant scenarios is so common that Google though of inventing gVisor which you can think of as a highly paravirtualized guest OS that is lighter than a full VM but still based on similar virtualization principles for isolation.
It probably has its advantages but until the UX reaches what we get with “docker run” this technology will never achieve its potential. When developing we need to think not only about what is possible but also how people do things currently and how does that compare to what we are proposing in terms of ergonomics. How many commands to get from 0 to hero with incumbent solution? How many with proposed solution? You get the point.
Better to use podman and build your own containers from Containerfile/Dockerfile (your own or open source ones, there are a ton on GitHub/GitLab/Codeberg that you can build yourself) and base layers.
That's not "broken". Docker Inc. is just rate-limiting access to their service. A service which, for what it's worth, has been used to bootstrap the technology required to sustain a pile of money for a lot of people.
There are other container repositories, and as you said, you can build your own containers and run those.
I personally really like Bastille for jail management. It's way more ergonomic than creating jails by hand and allows you to focus on the stuff running in the jails rather than the jails themselves.
I believe FreeBSD has podman running on top of jails now, so that should... exist? I mean, you can still run jails directly like this, but the days of `podman run` are either here or imminent.
Since there is not native (or source code) for Minecraft Bedrock for FreeBSD you can run Bedrock Minecraft server on FreeBSD using Linux Jail - with Linux Binary Compatibility FreeBSD feature.
Not to be picky, but they could be on a par. There doesn't have to be a massive difference in this regard. Jails are well established, and well understood. I prefer BSD solutions and I run jails and Linux kvm.
Jails have been around longer, but I'm not sure how much it really matters. Jails and containers both share the kernel across workloads. A kernel exploit is generally accepted as the barrier to break out (and of course implementation bugs). VMs don't share kernels across workloads, but do share a hypervisor which can also have breakout bugs. Both jails and containers depend on the kernel to be bug free.
VMs (depending on hypervisor) are easier to secure by default, you can't easily forget an overlay fs, or make other mistakes that expose some part of the host to containers.
How true is this? I know jails have been around longer than Linux containers, which are explicitly not designed as "secure" isolation (which is why people like fly.io use VMs instead).
How battle-tested are FreeBSD jails?
In particular, I note we're talking FreeBSD, not OpenBSD, which is the one that's all about security.