Network namespaces in FreeBSD

Ihor Antonov ihor at
Thu Dec 24 21:33:28 UTC 2020

On 12/24/20 12:19 PM, Steve O'Hara-Smith wrote:
> On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
> Ameya Deshpande via freebsd-questions <freebsd-questions at> wrote:
>> - we can't null-mount a single file (useful to inject configs or
>> sockets; linux has mount --bind for that)
>> - combining with jail's root on / it would be nice to be able to make
>> some parts of the tree read-only for the jail (or even hide them)
> 	There's a half formed idea which keeps coming back to me not really
> well enough formed to do anything with - imagine being able to do something
> like this:
> pkg jail nginx --jail webserver-3 --ip4addr ...
> 	and obtain a jail with just enough in it to run nginx (or whatever
> package you choose) and nothing else - by that I mean not a base system
> with the necessary packages but a system stripped of everything but the
> dependencies of the application - if the application doesn't need ls then
> ls isn't there.
Yes, that too.

In the Linux world there is such a thing [1] and it is quite interesting, 
until you need to debug something remotely in such an environment.
But this feature actually doesn't need any new kernel features, it's just 
work to build the app with a minimal dependency footprint (golang/rust 
apps, for example, are quite well suited for that) and then put it into the 

There will be some fiddling with logging and process supervision, but 
nothing new or impossible.
