Are there any notable differences between LXC (Linux containers) and FreeBSD's jails in terms of security, stability & performance?
On first look, both approaches look very similar.
Tags: freebsd, jails, linux, lxc, virtualization
Best Answer
No matter the fancy name used here, both are solutions to a specific problem: A better segregation solution than classic Unix chroot. Operating system-level virtualization, containers, zones, or even "chroot with steroids" are names or commercial titles that define the same concept of userspace separation, but with different features.
Chroot was introduced on 18 March 1982, months before the release of 4.2 BSD, as a tool to test its installation and build system, but today it still has its flaws. Since the first objective of chroot was only to provide a new root path, other aspects of the system that needed to be isolated or controlled were left uncovered (network, process view, I/O throughput). This is where the first containers (user-level virtualization) appeared.
Both technologies (FreeBSD Jails and LXC) make use of userspace isolation to provide another layer of security. This compartmentalization will ensure that a determined process will communicate only with other processes in the same container on the same host, and if using any network resource to achieve "outside world" communication, all will be forwarded to the assigned interface/channel that this container has.
Features
FreeBSD Jails:
- allow.mount.zfs to achieve more power, and other variables like children.max to define max children jails.
- vnet, allowing each jail to have its own network stack, interfaces, addressing and routing tables;
- nullfs to help linking folders to ones that are located on the real server to inside a jail;
- sysctl (security.jail.allow.*) parameters will limit the actions of the root user of that jail.

Linux Containers (LXC):
- Live migration functionality being developed. It's really hard to say when it will be ready for production use, since docker/lxc will have to deal with userspace process pause, snapshot, migrate and consolidate - ref1, ref2.
- Live migration is working with basic containers (no device passthrough, nor complex network services or special storage configurations).
- Docker no longer uses lxc. They now have a specific lib called runc that handles the integration with low-level Kernel namespace and cgroups features directly.
Neither technology is a security panacea, but both are pretty good ways to isolate an environment that doesn’t require Full Virtualization due to mixed operating systems infrastructure. Security will come after a lot of documentation reading and implementation of kernel tunables, MAC and isolations that those OS-Level virt offer to you.
See Also:
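As an added worked example (not from the answer above or its author), here is a jail.conf that applies the jail parameters the answer names: vnet, a host-side nullfs mount, children.max, allow.mount.zfs and the allow.* restrictions on jailed root. It assumes a FreeBSD 12+ host with a VIMAGE kernel, jails named "web" and "zfsjail" under /usr/jails, and an assumed ZFS dataset tank/jails/data with jailed=on; everything else is standard jail(8) syntax.

```conf
# /etc/jail.conf (added example; names, paths and dataset are assumptions)

# Global defaults apply to every jail below.
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;                 # devfsrules_jail: jail-safe device nodes only
path = "/usr/jails/$name";
host.hostname = "$name.jail.internal";

# Locked-down defaults: jailed root gets none of these unless a jail
# re-enables them explicitly.
allow.raw_sockets  = 0;
allow.chflags      = 0;
allow.sysvipc      = 0;
allow.set_hostname = 0;
allow.mount        = 0;
enforce_statfs     = 2;            # jail sees only its own mount point
children.max       = 0;            # no nested jails (the default)
securelevel        = 3;

web {
    # Weak alternative: "ip4 = inherit;" shares the host's whole network
    # stack. vnet gives the jail its own stack, interfaces and routes.
    vnet;
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create up";
    exec.poststop  = "ifconfig epair0a destroy";
    # Host-side nullfs mount: read-only content from the real server is
    # visible inside the jail without granting allow.mount to jailed root.
    # The mount point /usr/jails/web/mnt must already exist.
    mount = "/usr/jails/shared /usr/jails/web/mnt nullfs ro 0 0";
}

zfsjail {
    vnet;
    vnet.interface = "epair1b";
    exec.prestart  = "ifconfig epair1 create up";
    exec.poststop  = "ifconfig epair1a destroy";
    # Delegate one dataset to the jail. allow.mount.zfs only takes effect
    # together with allow.mount and enforce_statfs < 2, so this jail is
    # deliberately less strict than "web".
    allow.mount;
    allow.mount.zfs;
    enforce_statfs = 1;
    exec.created   = "zfs jail $name tank/jails/data";
}
```

After `service jail start web`, `jls -j web` and `jexec web sysctl security.jail.jailed` confirm the jail is up and jailed; `ifconfig epair0b` run inside it shows the interface that vnet moved out of the host's stack.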