Date:      Tue, 21 Apr 2015 17:53:50 +0200
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        Allan Jude <allanjude@freebsd.org>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: what are the differences freebsd jails and docker
Message-ID:  <20150421155350.GB6312@dft-labs.eu>
In-Reply-To: <55366CFE.3090605@freebsd.org>
References:  <BLU403-EAS375686A78E4A0434635449CABEF0@phx.gbl> <55366CFE.3090605@freebsd.org>

On Tue, Apr 21, 2015 at 11:30:06AM -0400, Allan Jude wrote:
> On 2015-04-21 08:58, freekai wrote:
> > 
> > 	Nowadays, docker is popular, but what are the differences between freebsd jails and docker?
> 
> Jails actually provide security and isolation. Docker, according to
> their documentation, does not.
> 
> If you want a nice GUI for your jails, try the Warden utility from
> PCBSD, it is in the FreeBSD ports tree.
> 

I would say this is grossly oversimplified and the question itself is
incorrect.

According to http://docs.docker.com/articles/security/ they do make some
claims about isolation and security.

*jail* is a mechanism in the kernel, Docker is just a set of scripts
using the Linux counterpart.

I don't know the full extent of what's possible with Linux containers.
Modulo some bugs and minor deficiencies on either front I would expect
them to be roughly feature-comparable; especially, I don't expect either
solution to have something inherently unfixable which would not be
present in the other solution as well.

Or in other words I would expect someone bored enough to be able to
implement docker on top of jails.

Docker folks definitely had some questionable stuff (like their
capability handling, not to be confused with capsicum in FreeBSD), but
that's standard with new projects and one could expect such issues to be
plugged for the most part.

The real security concern related to this stuff comes from the fact that
there is only one kernel, so a flaw allowing e.g. arbitrary code
execution within it results in a compromise of the entire machine.

So the question is what kernel exploitation prevention measures are put
in place, what is the general state of kernel security etc. (for
instance if you don't need a fully featured container and just want to
sandbox something, capsicum on FreeBSD gives you great flexibility,
which can be achieved to some extent with seccomp + selinux)

Or in other words, a significant time effort is needed to come up with a
reasonable comparison.

However, in the meantime you can reasonably safely assume either
solution will do the trick similarly well.

-- 
Mateusz Guzik <mjguzik gmail.com>