Minecraft Server in FreeBSD Jails Container
31 comments
·April 5, 2025AceJohnny2
vermaden
Sure - lets have a discussion about differences between security of FreeBSD Jails and Linux Podman containers.
Isolation: With rootless Podman it seems to be on the same level as Jails - but only if You run Podman with SELinux or AppArmor enabled. Without SELinux/AppArmor the Jails offer better isolation. When you run Podman with SELinux/AppArmor and then you add MAC Framework (like mac_sebsd/mac_jail/mac_bsdextended/mac_portacl) the Jails are more isolated again.
Kernel Syscalls Surface: Even rootless Podman has 'full' syscall access unless blocked by seccomp (SELinux). Jails have restricted use of syscalls without any additional tools - and that can be also narrowed with MAC Framework on FreeBSD.
Firewall: You can not run firewall inside rootless Podman container. You can run entire network stack and any firewall like PF or IPFW independently from the host inside VNET Jail - which means more security.
TL;DR: FreeBSD Jails are generally more secure out-of-the-box compared to Podman containers and even more secure if you take the time to add additional layers of security.
> How battle-tested are FreeBSD Jails?
Jails are in production since 1999/2000 when they were introduced - so 25 years strong - very well battle tested.
Docker is with us since 2014 so that means about 10 years less - but we must compare to Podman ...
Rootless support for Podman first appeared late 2019 (1.6) so only less then 6 years to test.
That means Jails are the most battle tested of all of them.
Hope that helps.
Regards, vermaden
sneak
Linux containers are also fairly secure, even though that isn’t their explicit purpose. Container escape bugs are CVEs and are fixed immediately.
The line is just tribalism shade.
nithssh
Running containers inside VMs in multitenant scenarios is so common that Google though of inventing gVisor which you can think of as a highly paravirtualized guest OS that is lighter than a full VM but still based on similar virtualization principles for isolation.
elwebmaster
It probably has its advantages but until the UX reaches what we get with “docker run” this technology will never achieve its potential. When developing we need to think not only about what is possible but also how people do things currently and how does that compare to what we are proposing in terms of ergonomics. How many commands to get from 0 to hero with incumbent solution? How many with proposed solution? You get the point.
benatkin
docker run is broken as of April 1, 2025
https://docs.docker.com/docker-hub/usage/
100 pulls per 6 hours. I think each base layer counts. Also may have troubles with ip4 reuse. It was bad enough they delayed it a month: https://www.theregister.com/2025/02/22/docker_hub_pull_limit... https://github.com/search?q=%22docker+pull%22+limit&type=iss...
Better to use podman and build your own containers from Containerfile/Dockerfile (your own or open source ones, there are a ton on GitHub/GitLab/Codeberg that you can build yourself) and base layers.
arcanemachiner
That's not "broken". Docker Inc. is just rate-limiting access to their service. A service which, for what it's worth, has been used to bootstrap the technology required to sustain a pile of money for a lot of people.
There are other container repositories, and as you said, you can build your own containers and run those.
benatkin
It's a dependency bottleneck that requires a pretty hefty amount of money ($9/mo) to get around
null
homebrewer
One can use Google as a proxy, it isn't rate limited afaik
https://cloud.google.com/artifact-registry/docs/pull-cached-...
bolognafairy
Can you please stop with the dramatic hyperbole first paragraph? What are you, a clickbait article headline writer?
Kimitri
I personally really like Bastille for jail management. It's way more ergonomic than creating jails by hand and allows you to focus on the stuff running in the jails rather than the jails themselves.
yjftsjthsd-h
I believe FreeBSD has podman running on top of jails now, so that should... exist? I mean, you can still run jails directly like this, but the days of `podman run` are either here or imminent.
gbraad
> Minecraft Server
Worthy to note here: Minecraft JAVA server. Not the Minecraft Bedrock server, which can run natively on Linux.
> but secure instead
Can you provide proof? It feels like an empty statement.
vermaden
Since there is not native (or source code) for Minecraft Bedrock for FreeBSD you can run Bedrock Minecraft server on FreeBSD using Linux Jail - with Linux Binary Compatibility FreeBSD feature.
Details here:
- https://forums.freebsd.org/threads/minecraft-bedrock-edition...
> Can you provide proof? It feels like an empty statement.
Here:
areyourllySorry
? why can't the java server run natively on linux?
Its_Padar
I would presume they are talking about how Java is executed by the Java language's Java VM while Bedrock is compiled C++ code?
Thaxll
Jail are not more secure than Linux containers.
UI_at_80x24
You will need to back that claim up with a long list of facts.
homebrewer
The article backed that claim with zero facts, the GP responded in kind. This seems to be pretty fair.
ggm-at-algebras
Not to be picky, but they could be on a par. There doesn't have to be a massive difference in this regard. Jails are well established, and well understood. I prefer BSD solutions and I run jails and Linux kvm.
beardedwizard
Jails have been around longer, but I'm not sure how much it really matters. Jails and containers both share the kernel across workloads. A kernel exploit is generally accepted as the barrier to break out (and of course implementation bugs). VMs don't share kernels across workloads, but do share a hypervisor which can also have breakout bugs. Both jails and containers depend on the kernel to be bug free.
VMs (depending on hypervisor) are easier to secure by default, you can't easily forget an overlay fs, or make other mistakes that expose some part of the host to containers.
vermaden
Here is my take on that topic:
DaSHacka
Wow, you sure convinced me
null
TaurenHunter
[flagged]
> This is kinda like Docker/Podman thing on Linux – but secure instead.
How true is this? I know jails have been around longer than Linux containers, which are explicitly not designed as "secure" isolation (which is why people like fly.io use VMs instead).
How battle-tested are FreeBSD jails?
In particular, I note we're talking FreeBSD, not OpenBSD, which is the one that's all about security.