this post was submitted on 12 Feb 2024
Oh I am sure the kernel support is great. I am more having issues working with chroots directly. I am much more at home managing docker and lxc which are more isolated. I just broke something trying to remove a couple chroots while stuff was still mounted - I think I nuked /home. You don't really have that issue with docker containers or lxc, it's a simple command to remove.
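The failure described in the comment above (removing a chroot while filesystems are still mounted inside it) can be checked for before deleting anything. This is an added example, not part of the original thread; the helper names `mounts_under` and `safe_to_remove`, the paths and the sample mount table are all constructed for illustration.

```shell
#!/bin/sh
# Added example: find what is still mounted inside a chroot before deleting it.
# Field 5 of each /proc/self/mountinfo line is the mount point (proc(5)).
# Limitation: mountinfo escapes spaces in paths as \040; this does not decode them.

# Constructed sample in mountinfo format; all paths and devices are made up.
SAMPLE_MOUNTINFO='36 25 8:2 / / rw,relatime - ext4 /dev/sda2 rw
41 36 8:3 / /home rw,relatime - ext4 /dev/sda3 rw
90 36 8:4 / /srv/chroot/build rw,relatime - ext4 /dev/sda4 rw
91 90 0:22 / /srv/chroot/build/proc rw - proc proc rw
92 90 8:3 / /srv/chroot/build/home rw,relatime - ext4 /dev/sda3 rw
93 90 0:5 / /srv/chroot/build/dev rw - devtmpfs udev rw
94 93 0:23 / /srv/chroot/build/dev/pts rw - devpts devpts rw
95 36 0:22 / /srv/chroot/builder/proc rw - proc proc rw'

# mounts_under ROOT [FILE]: print mount points at or below ROOT, deepest first
# (the order in which they would have to be unmounted). FILE "-" reads stdin.
mounts_under() {
    root=${1%/}
    CHROOT_DIR=$root awk '
        BEGIN { root = ENVIRON["CHROOT_DIR"] }
        # Compare on a path boundary so /srv/chroot/build does not match .../builder.
        $5 == root || index($5, root "/") == 1 { print $5 }
    ' "${2:-/proc/self/mountinfo}" | LC_ALL=C sort -r
}

# safe_to_remove ROOT [FILE]: succeed only if nothing is mounted at or below ROOT.
safe_to_remove() {
    [ -z "$(mounts_under "$@")" ]
}

# Demo on the constructed table: /home is bind-mounted inside the chroot, so a
# recursive delete of /srv/chroot/build would descend into the real /home.
if printf '%s\n' "$SAMPLE_MOUNTINFO" | safe_to_remove /srv/chroot/build -; then
    echo "nothing mounted, safe to remove"
else
    echo "still mounted (unmount in this order):"
    printf '%s\n' "$SAMPLE_MOUNTINFO" | mounts_under /srv/chroot/build -
fi
```

Called with only the chroot path, both functions read the live `/proc/self/mountinfo` instead of the sample.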
More isolated in which way? You should probably read up on how all this stuff is actually implemented, it will clarify your understanding of what is going on rather than just throwing commands at the wall and seeing what sticks.
I mean docker and especially lxc do a lot more than just chroot. They use cgroups, namespaces, and other stuff that's beyond my paygrade. LXC remaps user IDs for example. That's without getting into tech like gvisor and runsc that further isolate them by restricting system calls and reimplementing some of them to increase security. Obviously there are things like privileged containers which have fewer restrictions, but those are the exception not the rule. From what I understand of chroot it only really restricts what files it can see; there is a reason why Android supports chroots + termux but not a full docker install. Chroots to me are mainly used for bootstrapping systems and recovering systems. They aren't meant for real virtualization or server work by themselves if you catch my drift.
I know how docker and lxc work and the difference between them and chroots. But you're talking about persistence of changes breaking things. You are right that chroot only operates on the VFS namespace. Jails are the kind of isolation you are after, and in fact were in FreeBSD before containerization was even a word.
Things like remapping user IDs start to pervert the line between userspace and what the kernel gives a shit about. Linux containerization technologies are many things, but elegant they are not.
You can run a Linux Jail/Container in FreeNAS, right?
I am aware jails exist, I had bastille installed before I bricked my system to play with.
The same as you can in regular FreeBSD, under a bhyve VM running Linux. You can also use the linux ABI in a jail.