Solved FreeBSD and Docker

fred974

Daemon


Hi Guys,

I was looking at the video release of FreeNAS Corral last night and realised that the team at FreeNAS has stopped using native FreeBSD jails in favour of Docker...

Our server is currently using CBSD and does a good job with bhyve.
So question:
Is Docker safer than jail?

I am not planning to use FreeNAS, I am simply trying to understand how things work

Thank you
 

SirDice

Administrator, Moderator

Is Docker safer than jail?
Not really.

You also need to realize that docker containers are basically small Linux installations. So it requires the Linux emulation layer.
 
fred974 (OP)

Daemon

So have they used Docker purely to be able to have a better 'plugin' selection?
Umm, I'm not getting why they are no longer using jails... But then maybe that is a question for the FreeNAS forum, not here.
 

forquare

Well-Known Member


This is true. It would be strange for them to use Docker over jails. In fact, it makes no sense at all.

And yet that seems to be what they have done, from here:
FreeNAS Corral now supports Docker containers for doing all of its "application hosting" and existing jails/plugins data will simply continue to live in the jails/ dataset in your ZFS volume but will be inactive, since jails are no longer used in Corral.

It's a shame, seeing as I was going to use FreeNAS 10 as a Bhyve and Jails manager on a workstation I only lightly use (I know about CBSD, but haven't had much luck with it in tests). I'm just using vanilla FreeBSD now.
 

sko

Aspiring Daemon


Is Docker safer than jail?

No, Linux containers are a horrible patchwork; that's why on FreeNAS the Docker images are deployed in bhyve VMs, which adds the huge overhead of HW virtualization. This is BTW also the 'safe' approach on Linux (with KVM VMs). So basically, Linux had no safe OS virtualization, added cgroups and namespaces, plastered lots of wallpaper over the air gaps and called it containers - but to confine them safely you should run only a single container on a full-blown host installation within a VM. So why not use the installation in the VM directly?

The IMHO nicest approach, if you really 'have' to run Docker, is offered by SmartOS/Triton, where Docker containers run in LX zones on bare metal. No VM overhead, safely confined within a zone, and really powerful, fast and yet easy to manage virtualized networking with Crossbow on the SmartOS host.
Although I often wondered if this approach might also be possible on FreeBSD with (VIMAGE) jails and the Linux compat layer. The building bricks are all there, so I think it's 'only' the glue and an abstraction layer for Docker that's missing...
OTOH: With the Docker mentality of intentionally breaking stuff with nearly every release, I don't think it's worth the hassle of constantly updating such a 'glue layer'. Docker might be the first 'big thing' in the container hype, but I'm still hoping there will/must follow some better/saner container concepts or implementations. And I'd really love to see a native FreeBSD approach - after all, with jails and ZFS there's already a pretty powerful working (and safe!) basis for containers.
 

ANOKNUSA

Aspiring Daemon


IX Systems is a for-profit company. Docker support is where the money is. End of story.
 

ANOKNUSA

Aspiring Daemon


What's wrong with that? Do you expect people to work as slaves?

The OP asked a question based on an unfounded assumption: that the reason for the switch was "obviously" an objective, technical one. I countered with another, more likely possibility for the switch. You then made an unfounded assumption about my motivation for stating a simple fact.

Unfounded assumptions aggravate me. And you can bet your first-born child's soul that most casual FreeNAS users are going to make the exact same assumption the OP did and jump to the conclusion that there's something wrong with FreeBSD jails. Rather than asking if jails are less secure than Docker, one should instead be asking why the switch was made.
 

gkontos

Daemon


And you can bet your first-born child's soul that most casual FreeNAS users are going to make the exact same assumption the OP did and jump to the conclusion that there's something wrong with FreeBSD jails. Rather than asking if jails are less secure than Docker, one should instead be asking why the switch was made.

The most casual user would ask why the switch was made.
 

sko

Aspiring Daemon


For SysAdm and TrueOS they are planning an iocage-based jail deployment API and GUI. The mid-term goal seems to be some kind of jail-based app deployment, kind of what PC-BSD once had with Warden, but more generalized so it is useful for desktops and servers. I assume this will be added to TrueNAS as soon as it is usable enough...
Kris Moore talked about this in the latest episode of BSD Now!. I especially like that they are adding a nice, simple API to iocage. This should also be useful for automated jail deployments, e.g. via Ansible.
 

scottro

Daemon


Yeah, I pretty much agree with ANOKNUSA . I don't think someone is going to say, Gee, I am not going to use FreeBSD, because FreeNAS found that docker is better for them, whether they are casual, in which case, they'd get fed up too quickly, or serious, in which case they probably have enough knowledge to realize that it is usually less a matter of one being better than the other, and more likely that whatever developer is currently making the decision has their own personal preference.
 

gkontos

Daemon


Unfounded assumptions aggravate me. And you can bet your first-born child's soul that most casual FreeNAS users are going to make the exact same assumption the OP did and jump to the conclusion that there's something wrong with FreeBSD jails. Rather than asking if jails are less secure than Docker, one should instead be asking why the switch was made.

The most casual user would ask why the switch was made.

The most casual user won't know the difference and might not even care. That's what defines a "casual user."

Contradictions aggravate me also.
 

tobiam

Member


That thread makes a lot of sense. If you want to make a plugin, i.e. utilize a network service, then they most likely have a Dockerfile. So if you wanna make a plugin, the effort to create a jail is bigger, just because the Dockerfile already exists.

I am sure that if VIMAGE was more stable and something like adhokku or similar would provide a default interface similar to a Dockerfile that would be big win. Sadly for such tools the community is a bit fragmented currently. There is iocage, iocell, cbsd, adhokku, etc. Docker isn't doing anything special, it's also less secure, which is why people put it in VMs a lot of the time, which might also be less secure than jails (there have been a lot of ways to break out cause the complexity is higher there).

What's important would be some kind of standard that people settle on. This is the main achievement of Docker in the Linux world. Not that it does something great, but just that it's something people settled on, so an ecosystem around it was able to grow, despite very serious shortcomings that Linux "container technologies" still have.

How to make things better? Well, Devs are working on improving vimage and everything, but unless there is something that comes with the base system it's up to the community to settle around something. The Wiki has something on AppContainers which links to Jetpack.

People here in the FreeBSD world are smart, so they want to create something better, but in this case it means that something not extremely smart (certainly not dumb either) works better in the Linux world, just because people there are settling on it. But gladly this isn't something that some programmer or a small group can't do rather quickly. I think it's more about a will to sit together and sketch things out a bit. And I actually think the will is there. That can be seen with iocell, cbsd, CloudBSD, addhoku, etc. Even the FlightAware folks mentioned this topic in the recent issue of the FreeBSD Journal.

Work is going on in this field. It just seems to be a bit fragmented from my perspective. And once something emerges I am actually sure that money will come too, because there is quite a lot of companies and users who want something like that.

Sorry, for the longer response, but I think one has to zoom out a bit to really answer the question of why one would use Docker on FreeBSD and I wanted to point out that this isn't about technical details so much as it is about a "standard" people agree on.

Not speaking for the FreeNAS people at all, and neither for the FlightAware folks, but that's kind of what I get in somewhat different words with a bit of "how to make things better" added in.

EDIT: See also Tredly.
 

drhowarddrfine

Son of Beastie


Maybe unrelated but I've read that one concern about Docker is that, in FreeBSD jails, it's more difficult to get inside a jail while, with Docker, all kinds of things are granted access which kind of defeats the purpose a bit and concerns people quite a bit.

I don't know what I'm talking about. It's what I read. But if I'm going to be using FreeBSD, I'm going to use FreeBSD stuff.
 

tobiam

Member


That's surprising to me. BSD less structured? I tend to hear it the other way round. I think your statement then is also true. Well.. or not, depending on how you see it. I think that the fact it's more structured makes things rely on good and well thought out configuration.

In the Linux world that makes people use a lot of self-contained approaches to avoid having to deal with things that are pretty much random and not structured at all. I mean, look at how jails work and how containers on Linux work: there are random interfaces that get used. Also, speaking about interfaces, they are rather random and all just named eth, thrown into pretty much random order.

I don't even think that this is bad (or good), because self-contained on the one hand means less utilization of what's there, which is bad, cause it's NIH, things not working together well, reinventing the wheel, but on the other hand it means that those things tend to work in really weird configurations as well, and means that you can just hack together random things.

You can see that also with everything, every lib and exe being in the same and expected place on FreeBSD while on Linux every distribution seems to have their own opinion on whether to place an exe in /bin, /sbin, /usr/bin or /usr/sbin. Also every distro has their opinion on how to manage packages and how to build them, etc.

Again that might be a good thing, and that's where I agree with you, but in the reverse, because this on Linux might lead to more creativity.

But that again has to do with what you want, and since a lot of people use FreeBSD in more of an enterprise environment rather than in a startup one, you end up tending to care more about solid working things rather than something fancy. I think this enterprise-style thinking is also what makes the BSDs get along better with the Solaris people. Might be. But that's just a guess.

Anyway, I think that the "standard" you are looking for is actually jail.conf(5) and jail(8), which provide an interface that just gets used a lot.

It's to a degree what the Linux world currently tries to do with rkt, OCI, etc. to get that common interface.

The standard that Docker created (the Dockerfile) wasn't made as such, which is why the above were created: to make certain things actual standards. That's not uncommon, and a lot of standards come up that way, but it still is more the fact that Docker became famous due to that Dockerfile. Everything else (to the pain of people who use it) is less standardized and there are no common ways, but - and I know that all too well - people realize a lot of not-thought-through stuff a bit late. This results in a lot of "But how do you do...?" questions that are usually followed with hand-wavy responses or simply the statement that this is currently being worked on.

In general I think FreeBSD and Linux approach similar problems from opposite sides, which is good, cause one can learn from one another. Certain things are solved here, others there. Maybe a bit more NIH would occasionally be good, but people also realize that. In the end most developers just wanna solve problems and just have different ideas on how to do so.
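Picking up the point that jail.conf(5) and jail(8) are the interface people actually use, and the earlier remark that a Docker container tends to be granted far more of the host than a jail is, here is an added example that is not part of the thread or of any of the projects it mentions: a jail.conf written for least privilege, next to a small lint that flags the jail parameters and `docker run` flags which widen what the confined root can reach. The jail names, paths and the docker command line are constructed for illustration; the parameter and flag names are the real jail(8) and docker ones. Only the `--flag=value` spelling of the docker flags is recognised, so treat the docker half as a starting point rather than a complete check.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: a jail.conf(5)
# written for least privilege, next to a small lint that flags the jail(8)
# parameters and `docker run` flags which hand a container more of the host
# than it needs. Jail names, paths and the docker command line are
# constructed for illustration; the parameter and flag names are real.

# Constructed jail.conf, written to a file so the lint can be run anywhere.
write_sample_jail_conf() {
    cat > "$1" <<'EOF'
# defaults inherited by every jail below
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;          # devfsrules_jail: only the device nodes a jail needs
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
enforce_statfs = 2;         # hide mounts outside the jail root
children.max = 0;

# vnet jail: its own network stack on one end of an epair(4)
www {
    vnet;
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create up";
    exec.poststop  = "ifconfig epair0a destroy";
}

# a jail someone loosened "to make the build work"
build {
    ip4.addr = 192.0.2.10;
    allow.raw_sockets;
    allow.mount;
    allow.sysvipc;
    enforce_statfs = 0;
}
EOF
}

# jail(8) parameters that widen what a jailed root can reach.
JAIL_RISKY='allow.raw_sockets allow.mount allow.sysvipc allow.chflags allow.socket_af allow.mlock allow.reserved_ports'

# Print "<jail> <parameter>" for every risky parameter enabled in the file,
# attributing lines outside any block to "defaults".
lint_jail_conf() {
    jail=defaults
    while IFS= read -r line; do
        line=${line%%#*}                          # drop comments
        case "$line" in
            *"{"*) jail=$(printf '%s' "${line%%\{*}" | tr -d '[:space:]'); continue ;;
            *"}"*) jail=defaults; continue ;;
        esac
        key=$(printf '%s' "$line" | tr -d '[:space:];')   # e.g. "allow.mount", "enforce_statfs=0"
        [ -n "$key" ] || continue
        for p in $JAIL_RISKY; do
            case "$key" in
                "$p"|"$p=1"|"$p=true"|"$p".*) echo "$jail $p" ;;
            esac
        done
        case "$key" in
            enforce_statfs=0) echo "$jail enforce_statfs=0" ;;
        esac
    done < "$1"
}

# docker run flags/arguments that give a container the host (not exhaustive;
# only the "--flag=value" spelling is recognised here).
DOCKER_RISKY='--privileged --pid=host --net=host --network=host --cap-add=SYS_ADMIN --cap-add=ALL seccomp=unconfined apparmor=unconfined /var/run/docker.sock'

# Print each risky flag found in a docker run command line.
lint_docker_cmd() {
    for tok in $1; do
        for p in $DOCKER_RISKY; do
            case "$tok" in *"$p"*) echo "$p"; break ;; esac
        done
    done
}

# Constructed command line of the kind found in "just make it work" how-tos.
SAMPLE_DOCKER_CMD='docker run -d --name build --privileged --net=host -v /var/run/docker.sock:/var/run/docker.sock alpine:3.19'

main() {
    conf=$(mktemp -t jailconf.XXXXXX)
    write_sample_jail_conf "$conf"
    echo "== risky jail parameters"; lint_jail_conf "$conf"
    echo "== risky docker flags";    lint_docker_cmd "$SAMPLE_DOCKER_CMD"
    rm -f "$conf"
}
main
```

Run it as `sh jail_lint.sh`: the `www` jail produces nothing, the loosened `build` jail is reported four times (raw sockets, mount, SysV IPC, statfs), and the docker line is reported for `--privileged`, `--net=host` and the mounted docker socket. The point is not that either list is complete, but that in jail.conf every widening is an explicit `allow.*` or `enforce_statfs` line in one file you can diff and review, whereas with Docker the same decisions are scattered across run flags, compose files and image defaults.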
 

Purkuapas

Member


EDIT: See also Tredly.

Looks like Tredly is discontinued. The official site ( http://www.tredly.com/ ) has been unavailable for a long time and there have been no commits since 2016. Yet another dead FreeBSD project? ezjail - dead, tredly - dead, petitecloud - dead, iocage in rewrites, jetpack is experimental and incomplete and also without recent commits, freebsd-docker is broken and unmaintained. CBSD is maintained and developed but too fat - that's what happens if you do not drop the project on time, lol. There is no choice for FreeBSD people.
 

Purkuapas

Member


Purkuapas Sounds like Windows or Linux should suit you just fine and you should rush there.

Why did you draw such conclusions? I have used FreeBSD since 3.8, from the beginning of 2000, and FreeBSD is just right for me. But that does not mean that I'm happy to see how fast projects die without support.
 

tobiam

Member


Purkuapas That's exactly why I think it would be a great thing if people sat down on IRC or in a conference and talked about this. They all seem to try to achieve a lot of common things at the core, and just started things maybe a bit too isolated, which is something that does make projects stall. You either wanna have interested parties or you wanna have people that keep crunching on it for a salary, which is why Docker exists.

I used the provider (dotCloud) that created Docker before they did and I know it now looks like it wanted to create what it is now from the beginning, but it so wasn't. I think the release of docker might as well have been out of despair, kind of a "live free or die" thing. I really wished I still had the original mail, but anyways, Docker at least until a while ago wasn't exactly following one clearly defined idea and if you ask me they still don't seem to.

Which again has positive and negative effects, but it certainly leads to competitors coming up, and as with a lot of new concepts it will probably take years until it becomes clear what the right way is over there. But that's the thing: there are developers in the BSD community that know Docker and know it well, so it's not like things have to be reinvented. There is both a really nice API surrounding jails now, there is a lot of stuff that already went into things like VIMAGE and other things, and there are certainly people who, even if sometimes a bit like lone warriors, do amazing stuff. So I am not saying that those projects should merge, but I am really sure that they should[1] get or stay in touch with each other, because those things drive innovation.

It just happens too often that really cool things emerge simply by combining what's already there. Sometimes this seems too obvious and not ambitious enough cause it's "basically a script that runs this and then that" and this is why things don't progress.

This might even be why there is not that much going on in the field. Many don't see the need for something along the lines of Docker, exactly because there is jails which are not the same, but cover a lot of the use case. So it's more of a "good enough" and having developments, such as iocage and cbsd going on anyway.

So what I mean is not that it's no effort, but that it can be a bit hard to see the reward of certain efforts as clearly when the foundation is there, compared to when there is nothing.

[1]That "should" btw. isn't meant to be telling to, but more like a "Hey did you look at their stuff? They seem to do something similar, don't they? Did you ever talk to them?" :)
 