CBSD – FreeBSD Jail Management Tools (bsdstore.ru)
87 points by tachion 1251 days ago | 40 comments

This project seems great, but I feel there's something wrong with the submitted article title, it sounds weird (plus, there's no mention of Docker on the linked page). Sure, you can draw parallels between Docker and what FreeBSD jails and tools built on top do, but it would be fairer to say Docker is a Linux based alternative to jails, and not as powerful (as far as I understand Linux kernel infrastructure that Docker uses). The crucial difference is that jails are really a security feature in FreeBSD (and if you're not using them in production you're probably doing it wrong), whereas Docker is primarily deployment oriented (please correct me if I'm wrong about Docker here). Various jail management tools give you a nice, easy to use, set of deployment features on top.

Why do you say that lxc (and cgroups) are less powerful than FreeBSD jails?

From what I read in https://wiki.freebsd.org/Jails, jails don't yet have support for:

  * separate PID space
  * IO isolation

cgroups provide extremely fine-grained isolation, including, among other things:

  * per-container OOM handler (userspace)
  * per-container swap
  * per-container disk I/O scheduling
  * per-container memory reclaim
  * per-container dirty page (write throttling) limit.

These are very important features if you want to increase your utilization by mixing workloads on shared machines.

> Why do you say that lxc (and cgroups) are less powerful than FreeBSD jails?

If I was wrong about this, it's because I'm not up to date on things that happen in the Linux kernel; it wasn't my intention to bash it or anything like that.

The thing is that it is Docker that 'seems' to be leading the container movement right now, being a mainstream tool, even though Jails were available earlier and as of now seem to be more powerful than LXC. Also, Jails are not only a security feature, but can be as good a deployment feature as Docker, if not better; it all depends on what you want to do with them, and you can do a lot. I called CBSD an alternative to Docker because Docker is more widely known, and Jails/FreeBSD/CBSD might interest someone as a viable and mature alternative to Docker/Linux.

Well, I had a hunch it was for this reason. I usually get grumpy when an arguably superior solution is presented as an 'alternative' to something that's just more popular because it's easier that way for people to grok what it's all about. But on the other hand, I've never been good at marketing, so who am I to complain. :)

Docker and Jails are not directly comparable, the same way Docker and raw lxc are not directly comparable. Docker operates at a higher level of abstraction, and uses lxc as a low-level sandboxing tool. It could (and soon will) offer a choice of multiple sandboxing backends beyond lxc, for example simple chroot (for older linux kernels), openvz, libvirt, etc.

There are also people experimenting with using Jails and Solaris zones as a backend to docker.

From what I'm reading, this project cbsd sounds like a more direct competitor of docker + a future jails backend.

Yeah, don't get me wrong, I think Docker is great. I remember when I first heard about it thinking "Finally, something approaching jails functionality in Linux." Of course, I know it's a different level of abstraction and all that. My comments were more directed at the underlying Linux infrastructure Docker uses. Granted, I may well be wrong, it's been a long time since I was seriously in Linux land (i.e. not just a mindless day-to-day user), I'm not current with hard technicalities so it's totally possible that I'm being unjust to LXC.

I'm happy to hear about plans for different backends, the jails one would be awesome if it comes to fruition.

From the website, the main features are (with my comments):

* a ready repository of kernels and worlds, so the buildworld/installworld steps are not obligatory

* when the buildworld/installworld steps are undertaken, src.conf for world customization is supported

* the base directory can be placed on MD/RAM/TMPFS or on disk, which can be useful with a large number of jails sharing a read-only mounted base

* support for the ZFS file system, ZFS quotas, ZFS snapshots

* GUI configurator of jails (DIALOG/WEB)

* VIMAGE support (separate network stack per jail container)

* traffic count per jail, RACCT/RCTL support (resource restrictions)

* import/export of jails, jail replication, cold migration of jails between nodes

* descriptions for jails

* management of jail start sequence and priority

* a repository with ready jail templates

* the ability to create your own scenarios for creating jails/repositories

* converting a jail into a PXE/ISO/Memstick image

* support for jails of a non-native architecture via QEMU user mode (e.g. an arm or mips64 jail on an x86-64 host system)
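The VIMAGE, RACCT/RCTL and ZFS items in that list, shown as an added shell example (this is not CBSD's code and not from the linked page): a jail.conf(5) stanza that gives the jail its own network stack, a set of rctl(8) rules for it, and a ZFS clone in place of an rsync copy for the jail root. The jail name `www`, the hostname, the `epair0` interface, the dataset names under `/usr/jails` and all the limits are assumptions for illustration. The generating functions only print text; nothing touches the host unless `apply_jail` or `clone_jail_root` is called explicitly on a FreeBSD system as root.

```shell
#!/bin/sh
# Added example, not code from CBSD or FreeBSD: a jail.conf(5) stanza with
# its own VNET network stack plus rctl(8) limits, built by functions so the
# text can be reviewed before it touches the host. The jail name, hostname,
# epair and dataset names, and all limits are assumptions for illustration.
set -u

JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"

# Stanza for jail $1: VIMAGE gives the jail a separate network stack; the
# host creates an epair, hands the "b" end to the jail and destroys the
# pair after the jail stops. Needs a kernel built with 'options VIMAGE'.
jail_conf_stanza() {
    name="$1"; hostname="$2"; epair="$3"
    cat <<EOF
$name {
    path = "$JAIL_ROOT/$name";
    host.hostname = "$hostname";
    mount.devfs;
    exec.clean;
    vnet;
    vnet.interface = "${epair}b";
    exec.prestart = "ifconfig $epair create up";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig ${epair}a destroy";
}
EOF
}

# RACCT/RCTL rules for jail $1: hard-deny memory ($2) and process count ($3),
# and log when the jail exceeds 80% of one CPU core. The kernel must have
# RACCT/RCTL enabled (options RACCT/RCTL, or kern.racct.enable=1 in
# /boot/loader.conf on releases that compile it in but leave it off).
rctl_rules() {
    name="$1"; mem="$2"; maxproc="$3"
    printf '%s\n' \
        "jail:$name:memoryuse:deny=$mem" \
        "jail:$name:maxproc:deny=$maxproc" \
        "jail:$name:pcpu:log=80"
}

# Provision the jail root as a ZFS clone of a template snapshot ($2) under
# parent dataset ($3) instead of rsync-copying a base system.
# Only meaningful on a FreeBSD host, as root.
clone_jail_root() {
    name="$1"; template_snap="$2"; parent_ds="$3"
    zfs clone -o mountpoint="$JAIL_ROOT/$name" "$template_snap" "$parent_ds/$name"
}

# Apply on a FreeBSD host: append the stanza, start the jail, add the rules.
apply_jail() {
    name="$1"; hostname="$2"; epair="$3"; mem="$4"; maxproc="$5"
    jail_conf_stanza "$name" "$hostname" "$epair" >> /etc/jail.conf
    jail -c "$name"
    rctl_rules "$name" "$mem" "$maxproc" | while read -r rule; do
        rctl -a "$rule"
    done
    rctl -l "jail:$name"     # show the rules now in force
}

# Dry run: print what would be written; nothing on the host is changed.
if [ "${1:-show}" = "show" ]; then
    jail_conf_stanza www www.example.org epair0
    rctl_rules www 1g 200
fi
```

Run without arguments to see the generated stanza and rules; on a FreeBSD host with a VIMAGE/RACCT kernel, `clone_jail_root www zroot/jails/template@base zroot/jails` followed by `apply_jail www www.example.org epair0 1g 200` would provision and start the jail, and `rctl -u jail:www` then shows its live resource usage.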

FWIW, the PC-BSD project (think "FreeBSD fine-tuned for the Desktop") has written various tools to make managing things like FreeBSD jails easier -- see, for example, warden [0].

If you're looking to try it out but don't need/want the desktop/GUI, there's also TrueOS. It's basically FreeBSD plus all the cool management tools they've written but minus the desktop/GUI.

[0]: http://wiki.pcbsd.org/index.php/Warden%C2%AE/10.0

Can Warden be installed on FreeBSD (not the PC-BSD flavor)? Wondering, it looks nice.

The dependency list is amazingly minimal!

> rsync,sudo,libssh2,sqlite3

Now, I don't use FreeBSD, but that seems like a dream when it comes to provisioning.

That's possible because most of the technology behind CBSD has been an integrated part of the FreeBSD system for quite some time now: Jails have been there for ages, ZFS support dates back to 7.x and it became the default in 10.0-RELEASE. Sudo is not in the default install, but sqlite should be there, as it is being used in the system (if I am correct, at least by pkg, the new package manager).

> but sqlite should be there, as it is being used in the system (if I am correct, at least by pkg, the new package manager).

AFAIK, no. PKGNG is intentionally not part of base; it's meant to always remain in ports. The reason is that it allows pkg developers to iterate quickly (and this ties nicely into the recent ports infrastructure overhaul efforts). Once something is part of base and goes into a RELEASE it pretty much has to stay frozen apart from security fixes, and this was deemed not flexible enough for pkg. The only thing in base is a shim pkg which on first invocation installs the real thing from ports (and, I think, later just routes everything to it, unless you remove it or change PATH). So nothing in base uses sqlite and it's in ports/packages.

PKGNG is the default (integrated) package manager in 10.0-RELEASE.

It's the default alright, but that has nothing to do with it being in the base (yes, it's an exception to the rule). You can look it up on the freebsd-ports@, there were somewhat heated discussions concerning this and some other issues. Unless I've missed something, this decision hasn't changed.

pkg can also bootstrap itself. I don't have a fresh FreeBSD install w/o pkg already installed but upon first use it basically goes like this:

  $ pkg foo
  pkg is not installed. Install it? (y/n) y
  pkg is now installed

Right, that's what I said[1]---there's a shim pkg in base to install pkg proper from ports. The real pkg is in ports so it can receive continuous upgrades, which wouldn't be possible in a RELEASE (or STABLE for the most part) if it were in base.

[1] https://news.ycombinator.com/item?id=7114744

The BSDs typically have more in their base distributions than many linux distributions do, and FreeBSD has had the `jail` system in their base system for a while now.

See also http://sourceforge.net/projects/zjails/ which is pretty cool because all of the jail config is stored in ZFS attributes, so they are backed up/replicated with snapshots and ZFS send/receive.

Interesting project, but I'm a little disappointed it's not a shiny new thing for the bhyve virtualization layer[1] introduced in freebsd-10, but rather builds on "plain" jails.

I'd say something like this on top of bhyve would be a closer match for docker (which sits on top of lxc).

[1] https://wiki.freebsd.org/action/show/bhyve?action=show&redir...

LXC is similar to jails and bhyve is more like KVM, so Docker would be the appropriate comparison for a jail management tool. Also, I wouldn't consider bhyve/KVM to be necessarily better than jails/LXC; one has better isolation and the other has better performance.

AFAIK bhyve only supports paravirtualization (and for now freebsd guests)?

dallagi: your comments are marked as dead. Judging from your comments there's no real reason for it, so I think a bot did it because you commented on a troll submission.

for the rest of HN:

Isn't one of Dockers killer features the layered file system? Using rsync for making new jails seems like it's going to be real slow for reprovisioning.

What kind of things do people use FreeBSD for? I wonder if they're really rooting for a docker coming to their environment.

> What kind of things do people use FreeBSD for?

ISPs have been big users of FreeBSD. While HN is a lot of startups going on about agile, continuous integration, Jenkins, etc., those of us in enterprise and ISP environments like stability and little change.

When deploying a new mail system for 100k users, for example, I want to set it up, get it working perfectly, and then not have to touch it (exception: security updates, of course) for the next few years.

FreeBSD is rock solid and lets you do just that. FreeBSD 8.0-RELEASE was announced in November 2009, if memory serves, and I still have DNS servers running 8.x that I rarely have to touch (and won't have to until June 30, 2015). It Just Works(TM).

> Isn't one of Dockers killer features the layered file system?

You can mount anything you like to any mount point in jails. (Even without ZFS; with ZFS it's a different story.) I don't know about this CBSD, but ezjail and qjail (similar tools) do that for you — they mount some "base" system in the jail. Then you mount what you want, pkg install what you want, etc.

> I wonder if they're really rooting for a docker coming to their environment.

WHAT? No, it's with docker that GNU/Linux is finally going to have something like jails, which FreeBSD has had for decades.

LXC is to Jail as Docker is to CBSD

> LXC is to Jail as Docker is to CBSD

Yes, exactly.

> What kind of things do people use FreeBSD for?

HN for start. And then there's (off the top of my head) Netflix, NetApp, Juniper, Sony, countless ISPs, DuckDuckGo...

It seems that HN has switched to a different OS, but used to be on FreeBSD:

(scroll to "Hosting History")

Linux in there is probably just because of CloudFlare. I had no idea what HN was running on until that outage a week or so ago with the switching of servers etc. A Tell HN[1] about the incident says they were using UFS and have now switched to ZFS, and that can only mean FreeBSD.

[1] https://news.ycombinator.com/item?id=7069013

rsync.net is run entirely on FreeBSD.

Further, it may interest you to know that we (JohnCompanies) used FreeBSD and jail to provide the first VPS services[1], back in fall of 2001. The VPS as we know it (which appears to be dying in the world of EC2-style instances) came into existence as a direct result of jail.

[1] Yes, Verio did have that bizarro VPS-like service that cost an arm and a leg a year or so earlier, but the VPS as you think of it was first provided (AFAIK) by JohnCompanies in 2001.

Years ago I used Jails with nullfs-mounted filesystems to avoid copying data for multiple containers. Nowadays you have ZFS, a powerful snapshot system with copy-on-write, clones, remote snapshot streaming and much more. Killer feature. And what is FreeBSD being used for? Oh boy, where to start...

When I asked whether there was an equivalent of Docker and CoreOS for FreeBSD, I got downvoted by HN into oblivion.

Good to see there is at least 74 points on the topic.

How does this compare to http://www.7he.at/freebsd/vps/?

VPS is an entirely new OS-level virtualization that's in beta as of now, while Jails have been in FreeBSD for years and are well tested, stable and actively developed.

What is the impetus for needing an alternative? I don't know much about Docker, so this is a serious question.

This runs on top of FreeBSD rather than Linux.

Not exactly. A more accurate comparison would be

docker:linux :: cbsd:freebsd

lxc:linux :: jails:freebsd

docker:lxc :: cbsd:jails

And if one day docker gets a jails execution driver:

docker:freebsd :: cbsd:freebsd

docker:jails :: cbsd:jails
