From owner-freebsd-questions@freebsd.org Mon Aug 15 19:43:30 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 70A9CBBB462; Mon, 15 Aug 2016 19:43:30 +0000 (UTC) (envelope-from afiskon@devzen.ru)
Received: from relay14.nicmail.ru (relay14.nicmail.ru [195.208.3.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 23E631808; Mon, 15 Aug 2016 19:43:29 +0000 (UTC) (envelope-from afiskon@devzen.ru)
Received: from [109.70.25.225] (port=51053 helo=e733) by f19.mail.nic.ru with esmtp (Exim 5.55) id 1bZNZM-000GVR-9i; Mon, 15 Aug 2016 22:29:08 +0300
Received: from [188.123.231.37] (account afiskon@devzen.ru HELO e733) by proxy03.mail.nic.ru (Exim 5.55) with id 1bZNZL-0001JQ-Tr; Mon, 15 Aug 2016 22:29:07 +0300
Date: Mon, 15 Aug 2016 22:27:54 +0300
From: Aleksander Alekseev
To: Sergei G
Cc: FreeBSD Questions
Subject: Re: isolation of GO lang application (jail and chroot)
Message-ID: <20160815222754.39c3da1d@e733>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 15 Aug 2016 19:43:30 -0000

Hello, Sergei

There is a good chapter about jails in the handbook:
https://www.freebsd.org/doc/handbook/jails.html

However, in my opinion, since your application is already an "all in one" executable which is written in a safe high-level language, there is little benefit in using jails in your case. Perhaps running it under a user with appropriate permissions and quotas, plus setting up a firewall, will be good enough.
I believe jails are more for applications you don't really trust. For instance, if you are creating shared web hosting or selling VDSes. For all these "run everything in a container and only one executable per container" stupid rules we should be grateful to Docker and the people who sell it. Most of the time you don't need it, since it just doesn't solve any problem.

-- 
Best regards,
Aleksander Alekseev
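The two setups discussed in the reply, a dedicated user with resource limits behind a packet filter, and, for comparison, a minimal jail around the same static Go binary, as an added configuration example. This is not from the original message, the FreeBSD handbook, or any project; the service name `goapp`, the paths under `/usr/local/bin` and `/jails/goapp`, the address 192.0.2.10, the interface `em0` and TCP port 8080 are all assumed placeholders to be replaced.

```conf
# --- Option 1: unprivileged user with login-class limits, no jail ---

# /etc/login.conf: a login class that caps what the service may consume.
# Run `cap_mkdb /etc/login.conf` after editing. daemon(8) -u and jexec(8) -u
# both apply the class through setusercontext(3), so the limits below take
# effect before the Go code runs. (Class name and values are assumptions.)
goapp:\
	:maxproc=32:\
	:openfiles=4096:\
	:memoryuse=512M:\
	:tc=default:

# Create the user with no home directory and no shell, and install the binary
# root-owned so the service cannot rewrite its own executable:
#   pw useradd goapp -L goapp -d /nonexistent -s /usr/sbin/nologin -c "Go service"
#   install -o root -g wheel -m 0755 ./goapp /usr/local/bin/goapp
#
# Start it through daemon(8), which switches to the user before exec:
#   daemon -f -p /var/run/goapp.pid -u goapp /usr/local/bin/goapp

# --- Option 2: the same binary inside a minimal jail (/etc/jail.conf) ---
# Build with CGO_ENABLED=0 so the binary is static; the jail root then needs
# only the binary, /tmp, /dev (mounted by jail) and /etc/resolv.conf for the
# pure-Go resolver. There is no shell in this root, so exec.start is left out
# (jail(8) runs exec.* commands via sh -c); the process is started with jexec.
goapp {
	path = "/jails/goapp";
	host.hostname = "goapp.example.org";
	ip4.addr = "em0|192.0.2.10/24";   # alias added to em0 while the jail exists
	mount.devfs;
	devfs_ruleset = 4;                # devfsrules_jail from /etc/defaults/devfs.rules
	persist;                          # keep the jail alive with no process inside
}
#   mkdir -p /jails/goapp/app /jails/goapp/etc /jails/goapp/tmp /jails/goapp/dev
#   chmod 1777 /jails/goapp/tmp
#   cp /etc/resolv.conf /jails/goapp/etc/
#   install -o root -g wheel -m 0755 ./goapp /jails/goapp/app/goapp
#   jail -c goapp
#   daemon -f -p /var/run/goapp.pid jexec -u goapp goapp /app/goapp
# jexec -u takes the user from the host passwd, so the jail needs no
# /etc/passwd, and the goapp login class limits still apply.

# --- Either way: /etc/pf.conf exposing only the service port ---
ext_if = "em0"
set skip on lo0
block in on $ext_if
pass in quick on $ext_if proto tcp to ($ext_if) port 8080
pass out on $ext_if
```

Two caveats before deploying this. The `block in` rule also drops inbound SSH, so add a `pass in ... port 22` line (or restrict it to a management network) before loading the ruleset with `pfctl -f /etc/pf.conf`. Login-class limits such as `memoryuse` are per-process, not per-user totals; if the service forks or the limit must cover the user as a whole, use rctl(8) rules (which require `kern.racct.enable=1` in /boot/loader.conf) instead of, or in addition to, the class.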