About Lochs

BSD-grade security isolation meets Docker-level usability — the container runtime that shouldn't be possible.

The Problem

FreeBSD jails are arguably the most mature containerization technology in existence — predating Docker by over a decade. They offer VNET virtual networking, Capsicum capability-based security, and native ZFS integration. But they only run on FreeBSD.

Docker won the ecosystem war. It has the tooling, the images, the developer experience. But its security model is fundamentally weaker — containers share the host kernel with limited isolation, and breakouts are a real concern.

What if you could have both? BSD-grade jail security with Docker-like simplicity, running on the Linux infrastructure you already have?

The Approach

Rather than virtualization (too slow) or kernel modules (too fragile), we built BSDulator — a userspace FreeBSD binary compatibility layer that uses ptrace() to intercept and translate system calls at runtime.

When a FreeBSD binary makes a system call, BSDulator catches it before it reaches the kernel, translates the call number and arguments from FreeBSD's ABI to Linux's, and lets the Linux kernel execute it. The result is translated back and returned to the FreeBSD process.

This means unmodified FreeBSD binaries — including the jail management utilities themselves — run directly on Linux. No VMs, no emulation overhead, no kernel patches.

BSDulator is to FreeBSD what WINE is to Windows — a compatibility layer, not an emulator.
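The translation step described above, as an added example (not BSDulator's code): it maps a few FreeBSD amd64 syscall numbers and open() flag bits to their Linux x86_64 values and fails closed on anything unmapped, because a FreeBSD number forwarded untranslated would select an unrelated Linux call (FreeBSD 1 is exit, Linux 1 is write). The table contents and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for illustration (not BSDulator's tables):
 * FreeBSD amd64 syscall number -> Linux x86_64 syscall number. */
struct sc_map { int fbsd_nr; int linux_nr; };
static const struct sc_map SC_TABLE[] = {
    { 1, 60 } /* exit */,  { 3, 0 } /* read */,  { 4, 1 } /* write */,
    { 5, 2 }  /* open */,  { 6, 3 } /* close */, { 20, 39 } /* getpid */,
};

/* Returns the Linux number, or -1 so the tracer can fail closed
 * (answer ENOSYS) instead of forwarding an untranslated number. */
int translate_sysno(int fbsd_nr) {
    for (size_t i = 0; i < sizeof SC_TABLE / sizeof SC_TABLE[0]; i++)
        if (SC_TABLE[i].fbsd_nr == fbsd_nr) return SC_TABLE[i].linux_nr;
    return -1;
}

/* open(2) flag bits differ between the two ABIs; access mode bits do not. */
struct flag_map { uint32_t fbsd; uint32_t lnx; };
static const struct flag_map OPEN_FLAGS[] = {
    { 0x0004, 0x0800 }, /* O_NONBLOCK */
    { 0x0008, 0x0400 }, /* O_APPEND   */
    { 0x0200, 0x0040 }, /* O_CREAT    */
    { 0x0400, 0x0200 }, /* O_TRUNC    */
    { 0x0800, 0x0080 }, /* O_EXCL     */
};

/* Returns 0 and stores the Linux flags, or -1 if any bit is unmapped. */
int translate_open_flags(uint32_t fbsd, uint32_t *out) {
    uint32_t res = fbsd & 0x3u, rest = fbsd & ~0x3u;
    for (size_t i = 0; i < sizeof OPEN_FLAGS / sizeof OPEN_FLAGS[0]; i++)
        if (rest & OPEN_FLAGS[i].fbsd) {
            res |= OPEN_FLAGS[i].lnx;
            rest &= ~OPEN_FLAGS[i].fbsd;
        }
    if (rest) return -1;
    *out = res;
    return 0;
}

int main(void) {
    uint32_t lf = 0;
    int rc = translate_open_flags(0x0601, &lf); /* O_WRONLY|O_CREAT|O_TRUNC */
    printf("write -> %d, flags rc=%d 0x%x, unmapped -> %d\n",
           translate_sysno(4), rc, (unsigned)lf, translate_sysno(9999));
    return 0;
}
```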

What We've Built

Lochs is the container platform built on top of BSDulator. It provides the Docker-like CLI, the Prisonfile build system, the prison.yml orchestration, and the networking stack that makes FreeBSD jails usable for real workloads on Linux.

The project has progressed through several phases:

Open Source

Lochs and BSDulator are open source. The core engine will always be free. We believe the best security tools should be accessible to everyone.

We offer managed services and enterprise features for teams that need private registries, distributed orchestration, and dedicated support.

The Name

Loch is a Scottish word for a lake or sea inlet: a body of water contained by the landscape around it. It felt right for a tool that creates contained, isolated environments. The mountains and red river in the logo represent the rugged, powerful nature of the technology underneath.

Get Involved

We're looking for contributors, testers, and anyone interested in the intersection of FreeBSD and Linux containerization.
