
CBSD – FreeBSD Jail Management Tools - tachion
http://www.bsdstore.ru/html/about_en.html
======
nzp
This project seems great, but I feel there's something wrong with the
submitted article title, it sounds weird (plus, there's no mention of Docker
on the linked page). Sure, you can draw parallels between Docker and what
FreeBSD jails and tools built on top do, but it would be fairer to say Docker
is a Linux based alternative to jails, and not as powerful (as far as I
understand Linux kernel infrastructure that Docker uses). The crucial
difference is that jails are really a security feature in FreeBSD (and if
you're not using them in production you're probably doing it wrong), whereas
Docker is primarily deployment oriented (please correct me if I'm wrong about
Docker here). Various jail management tools give you a nice, easy to use, set
of deployment features on top.

~~~
tachion
The thing is that it is Docker that 'seems' to be leading the container
movement right now, being a mainstream tool, even though Jails were available
earlier and as of now seem to be more powerful than LXC. Also, Jails are not
only a security feature, but can be as good a deployment feature as Docker, if
not better - it all depends what you want to do with them, and you can do a
lot. I called CBSD an alternative to Docker, because Docker is more widely
known, and Jails/FreeBSD/CBSD might interest someone as a viable and mature
alternative to Docker/Linux.

~~~
nzp
Well, I had a hunch it was for this reason. I usually get grumpy when an
arguably superior solution is presented as an 'alternative' to something
that's just more popular because it's easier that way for people to grok what
it's all about. But on the other hand, I've never been good at marketing, so
who am I to complain. :)

~~~
shykes
Docker and Jails are not directly comparable, the same way Docker and raw lxc
are not directly comparable. Docker operates at a higher level of abstraction,
and uses lxc as a low-level sandboxing tool. It could (and soon will) offer a
choice of multiple sandboxing backends beyond lxc, for example simple chroot
(for older linux kernels), openvz, libvirt, etc.

There are also people experimenting with using Jails and Solaris zones as a
backend to docker.

From what I'm reading, this project cbsd sounds like a more direct competitor
of docker + a future jails backend.

~~~
nzp
Yeah, don't get me wrong, I think Docker is great. I remember when I first
heard about it thinking "Finally, something approaching jails functionality in
Linux." Of course, I know it's a different level of abstraction and all that.
My comments were more directed at the underlying Linux infrastructure Docker
uses. Granted, I may well be wrong, it's been a long time since I was
_seriously_ in Linux land (i.e. not just a mindless day-to-day user), I'm not
current with hard technicalities so it's totally possible that I'm being
unjust to LXC.

I'm happy to hear about plans for different backends, the jails one would be
awesome if it comes to fruition.

------
tachion
From the website, main features are (with my comments):

* a ready repository of kernels and worlds, which makes the buildworld/installworld steps non-obligatory

* when steps of buildworld/installworld are undertaken, src.conf for a world customization is supported

* the base catalog can be placed on MD/RAM/TMPFS on a disk, which can be useful with a large number of jails with an RO-mounted base

* support for the ZFS file system, ZFS quotas, ZFS snapshots

* GUI configurator of jails (DIALOG/WEB)

* VIMAGE support (separate network stack per jail container)

* traffic count per jail, RACCT/RCTL support (resource restrictions)

* import/export of jails, jail replication, cold migration of jails between nodes

* descriptions for jails

* management of the start sequence of jails and their priority

* a repository with ready jail templates

* possibility to create own scenarios for creation of jails/repository

* jail conversion into PXE/ISO/Memstick-image

* support for jails of non-native architecture via Qemu User mode (eg: arm or mips64 jail on x86-64 host system)

------
jlgaddis
FWIW, the PC-BSD project (think "FreeBSD fine-tuned for the Desktop") has
written various tools to help make managing such things as FreeBSD jails easier --
see, for example, warden [0].

If you're looking to try it out but don't need/want the desktop/GUI, there's
also TrueOS. It's basically FreeBSD plus all the cool management tools they've
written but minus the desktop/GUI.

[0]:
[http://wiki.pcbsd.org/index.php/Warden%C2%AE/10.0](http://wiki.pcbsd.org/index.php/Warden%C2%AE/10.0)

~~~
davidcollantes
Can Warden be installed on FreeBSD (not PC-BSD flavor)? Wondering, it looks
nice.

------
cordite
The dependency list is amazingly minimal!

> rsync,sudo,libssh2,sqlite3

Now, I don't use FreeBSD, but that seems like a dream when it comes to
provisioning.

~~~
tachion
That's possible because most of the technology behind CBSD is an integrated
part of FreeBSD system for quite some time now: Jails have been there for
ages, ZFS support dates back to 7.x with becoming default in 10.0-RELEASE.
Sudo is not in default install, but sqlite should be there, as it is being
used in the system (if I am correct, at least by pkg, the new package
manager).

~~~
nzp
> but sqlite should be there, as it is being used in the system (if I am
> correct, at least by pkg, the new package manager).

AFAIK, no. PKGNG is intentionally not part of base, it's meant to always
remain in ports. The reason is that it allows pkg developers to iterate
quickly (and this ties nicely into the recent ports infrastructure overhaul
efforts). Once something is part of base and goes into a RELEASE it pretty
much has to stay frozen apart from security fixes, and this was deemed not
flexible enough for pkg. The only thing in base is a shim pkg which on first
invocation installs the real thing from ports (and, I think, later just routes
everything to it, unless you remove it or change PATH). So nothing in base
uses sqlite and it's in ports/packages.

~~~
enduser
PKGNG is the default (integrated) package manager in 10.0-RELEASE.

~~~
nzp
It's the default alright, but that has nothing to do with it being in the base
(yes, it's an exception to the rule). You can look it up on the
freebsd-ports@, there were somewhat heated discussions concerning this and some
other issues. Unless I've missed something, this decision hasn't changed.

~~~
jlgaddis
_pkg_ can also bootstrap itself. I don't have a fresh FreeBSD install w/o
_pkg_ already installed but upon first use it basically goes like this:

    
    
      $ pkg foo
      pkg is not installed. Install it? (y/n) y
      ...
      pkg is now installed

~~~
nzp
Right, that's what I said[1]---there's a shim pkg in base to install pkg
proper from ports. The real pkg is in ports so it can receive continuous
upgrades, which wouldn't be possible in a RELEASE (or STABLE for the most
part) if it were in base.

[1]
[https://news.ycombinator.com/item?id=7114744](https://news.ycombinator.com/item?id=7114744)

------
kev009
See also
[http://sourceforge.net/projects/zjails/](http://sourceforge.net/projects/zjails/)
which is pretty cool because all of the jail config is stored in ZFS
attributes, so they are backed up/replicated with snapshots and ZFS
send/receive.

------
e12e
Interesting project, but I'm a little disappointed it's not a shiny new thing
for the bhyve virtualization layer[1] introduced in freebsd-10, but rather
builds on "plain" jails.

I'd say something like this on top of bhyve would be a closer match for docker
(which sits on top of lxc).

[1]
[https://wiki.freebsd.org/action/show/bhyve?action=show&redir...](https://wiki.freebsd.org/action/show/bhyve?action=show&redirect=BHyVe)

~~~
wmf
LXC is similar to jails and bhyve is more like KVM, so Docker would be the
appropriate comparison for a jail management tool. Also, I wouldn't consider
bhyve/KVM to be necessarily better than jails/LXC; one has better isolation
and the other has better performance.

~~~
e12e
AFAIK bhyve only supports paravirtualization (and for now freebsd guests)?

------
tinco
dallagi: your comments are marked as dead. Judging from your comments there's
no real reason for it, so I think a bot did it because you commented on a
troll submission.

for the rest of HN:

Isn't one of Docker's killer features the layered file system? Using rsync for
making new jails seems like it's going to be real slow for reprovisioning.

What kind of things do people use FreeBSD for? I wonder if they're really
rooting for a docker coming to their environment.

~~~
lelf
> _Isn't one of Docker's killer features the layered file system?_

You can mount anything you like to any mount point in jails. (Even without
ZFS, with ZFS it's a different story.) I don't know about this CBSD, but ejail
and qjail (similar tools) do that for you — they mount some “base” system in
jail. Then you mount what you want, _pkg install_ what you want, etc.

> _I wonder if they're really rooting for a docker coming to their
> environment._

WHAT? No, it's with docker GNU/Linux is finally going to have something like
jails, which FreeBSD has had for decades.

~~~
Aqueous
LXC is to Jail as Docker is to CBSD

~~~
shykes
> _LXC is to Jail as Docker is to CBSD_

Yes, exactly.

------
ksec
When I asked whether there is any equivalent of Docker and CoreOS for
FreeBSD, I got downvoted by HN into Oblivion.

Good to see there are at least 74 points on the topic.

------
ubikation
How does this compare to
[http://www.7he.at/freebsd/vps/](http://www.7he.at/freebsd/vps/)?

~~~
tachion
VPS is an entirely new OS level virtualization that's in beta as of now, while
Jails have been in FreeBSD for years, are well tested, stable, actively
developed.

------
natch
What is the impetus for needing an alternative? I don't know much about
Docker, so this is a serious question.

~~~
jlgaddis
docker:Linux::jails:FreeBSD

~~~
shykes
Not exactly. A more accurate comparison would be

docker:linux :: cbsd:freebsd

lxc:linux :: jails:linux

docker:lxc :: cbsd:jails

And if one day docker gets a jails execution driver:

docker:freebsd :: cbsd:freebsd

docker:jails :: cbsd:jails

:)

