Date: Tue, 21 Apr 2015 17:53:50 +0200
From: Mateusz Guzik <mjguzik@gmail.com>
To: Allan Jude <allanjude@freebsd.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: what are the differences freebsd jails and docker
Message-ID: <20150421155350.GB6312@dft-labs.eu>
In-Reply-To: <55366CFE.3090605@freebsd.org>
References: <BLU403-EAS375686A78E4A0434635449CABEF0@phx.gbl> <55366CFE.3090605@freebsd.org>
On Tue, Apr 21, 2015 at 11:30:06AM -0400, Allan Jude wrote:
> On 2015-04-21 08:58, freekai wrote:
> >
> > Nowadays, docker is popular, but what are the differences between freebsd jails and docker?
>
> Jails actually provide security and isolation. Docker, according to
> their documentation, does not.
>
> If you want a nice GUI for your jails, try the Warden utility from
> PCBSD, it is in the FreeBSD ports tree.
>

I would say this is grossly oversimplified and the question itself is incorrect.

According to http://docs.docker.com/articles/security/ they do make some claims about isolation and security.

*jail* is a mechanism in the kernel, Docker is just a set of scripts using the Linux counterpart.

I don't know the full extent of what's possible with Linux containers. Modulo some bugs and minor deficiencies on either front I would expect them to be roughly feature-comparable, especially I don't expect either solution to have something inherently unfixable which would not be present in the other solution as well. Or in other words I would expect someone bored enough to be able to implement docker on top of jails.

Docker folks definitely had some questionable stuff (like their capability handling, not to be confused with capsicum in FreeBSD), but that's standard with new projects and one could expect such issues to be plugged for the most part.

The real security concern related to this stuff comes from the fact that there is only one kernel, so a flaw allowing e.g. arbitrary code execution within it results in a compromise of the entire machine. So the question is what kernel exploitation prevention measures are put in place, what is the general state of kernel security etc.

(for instance if you don't need a fully featured container and just want to sandbox something, capsicum on FreeBSD gives you great flexibility, which can be achieved to some extent with seccomp + selinux)

Or in other words, a significant time effort is needed to come up with a reasonable comparison. However, in the meantime you can reasonably safely assume either solution will do the trick similarly well.

-- 
Mateusz Guzik <mjguzik gmail.com>