From owner-freebsd-jail@FreeBSD.ORG Tue Apr 21 15:53:56 2015
Date: Tue, 21 Apr 2015 17:53:50 +0200
From: Mateusz Guzik
To: Allan Jude
Cc: freebsd-jail@freebsd.org
Subject: Re: what are the differences freebsd jails and docker
Message-ID: <20150421155350.GB6312@dft-labs.eu>
In-Reply-To: <55366CFE.3090605@freebsd.org>
List-Id: "Discussion about FreeBSD jail(8)"

On Tue, Apr 21, 2015 at 11:30:06AM -0400, Allan Jude wrote:
> On 2015-04-21 08:58, freekai wrote:
> >
> > Nowadays, Docker is popular, but what are the differences between FreeBSD jails and Docker?
>
> Jails actually provide security and isolation. Docker, according to
> their documentation, does not.
>
> If you want a nice GUI for your jails, try the Warden utility from
> PCBSD, it is in the FreeBSD ports tree.
>

I would say this is grossly oversimplified and the question itself is
incorrect.

According to http://docs.docker.com/articles/security/ they do make some
claims about isolation and security.

*jail* is a mechanism in the kernel, Docker is just a set of scripts using
the Linux counterpart. I don't know the full extent of what's possible with
Linux containers. Modulo some bugs and minor deficiencies on either front
I would expect them to be roughly feature-comparable; in particular, I don't
expect either solution to have something inherently unfixable which would
not be present in the other solution as well. Or in other words, I would
expect someone bored enough to be able to implement docker on top of jails.
Docker folks definitely had some questionable stuff (like their capability
handling, not to be confused with Capsicum in FreeBSD), but that's standard
with new projects and one could expect such issues to be plugged for the
most part.

The real security concern related to this stuff comes from the fact that
there is only one kernel, so a flaw allowing e.g. arbitrary code execution
within it results in a compromise of the entire machine. So the question is
what kernel exploitation prevention measures are put in place, what the
general state of kernel security is, etc.

(For instance, if you don't need a fully featured container and just want
to sandbox something, Capsicum on FreeBSD gives you great flexibility,
which can be achieved to some extent with seccomp + SELinux.)

Or in other words, a significant time effort is needed to come up with a
reasonable comparison. However, in the meantime you can reasonably safely
assume either solution will do the trick similarly well.

-- 
Mateusz Guzik
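An added example, not part of the thread above and not code from FreeBSD or Docker, of the narrower "just sandbox one process" case the reply mentions. The program opens a file, enters a sandbox, and then checks that the descriptor it already holds still works while opening a new path is refused. On FreeBSD it uses cap_enter(2), i.e. Capsicum capability mode, where the new open fails with ECAPMODE; on other systems it installs a seccomp-BPF filter that returns EACCES for the open/openat family, which is the seccomp half of the comparison. The deny-list filter, the probe path /dev/null and the return-code convention are assumptions made for illustration; a real seccomp policy would be an allow-list, and seccomp by itself does not give you Capsicum's rights-limited descriptors.

```c
/*
 * Added example (not from the freebsd-jail thread): sandbox one process
 * rather than a whole container. Hold a descriptor, enter a sandbox, then
 * show that the held descriptor still works while opening a new path is
 * refused. FreeBSD: Capsicum capability mode via cap_enter(2).
 * Linux: a seccomp-BPF filter denying open/openat/openat2 (illustrative
 * deny-list; production policies should be allow-lists).
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define SANDBOX_EXPECTED_ERRNO ECAPMODE   /* what open(2) returns in capability mode */
#else
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define SANDBOX_EXPECTED_ERRNO EACCES     /* what our filter hands back instead (assumed) */
#if defined(__x86_64__)
#define SANDBOX_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SANDBOX_AUDIT_ARCH AUDIT_ARCH_I386
#endif
/* If the loaded syscall number equals nr, return the errno; else skip. */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (SANDBOX_EXPECTED_ERRNO & SECCOMP_RET_DATA))
#endif

/* Put the calling process into the sandbox. 0 on success, -1 on failure. */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    struct sock_filter filter[] = {
#ifdef SANDBOX_AUDIT_ARCH
        /* Kill if the syscall ABI is not the one we compiled for, so the
           numbers below cannot be reinterpreted through a compat ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        DENY_SYSCALL(__NR_open),
#endif
        DENY_SYSCALL(__NR_openat),
#ifdef __NR_openat2
        DENY_SYSCALL(__NR_openat2),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter; it also
       stops the sandboxed process from regaining privilege via setuid. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
#endif
}

/* Run the probe in a child so the caller itself is not sandboxed.
   Returns 1 if the sandbox behaved as described (held descriptor still
   readable, new open refused with the expected errno), 0 if the new open
   unexpectedly succeeded, -1 on any setup failure. */
int probe_sandbox(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int held = open(path, O_RDONLY);       /* acquired before sandboxing */
        if (held < 0)
            _exit(4);
        if (enter_sandbox() != 0)
            _exit(3);
        char byte;
        if (read(held, &byte, 1) < 0)          /* rights already held survive */
            _exit(2);
        int fresh = open(path, O_RDONLY);      /* new global name: refused */
        if (fresh >= 0)
            _exit(1);
        _exit(errno == SANDBOX_EXPECTED_ERRNO ? 0 : 5);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0: return 1;
    case 1: return 0;
    default: return -1;
    }
}

int main(void)
{
    int r = probe_sandbox("/dev/null");
    printf("sandbox probe: %s\n",
           r == 1 ? "held descriptor usable, new open refused"
         : r == 0 ? "new open succeeded (sandbox ineffective)"
                  : "could not set up sandbox");
    return r == 1 ? 0 : 1;
}
```

The shape is the same on both systems: whatever the process holds when it enters the sandbox it keeps, and it loses the ability to name new global resources. Capsicum does this for every namespace at once with one call; the seccomp filter here covers only the open family and would need more rules (and an allow-list) to approach that.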