January 28, 2026 · Opinion
Why FreeBSD Jails Deserve a Second Look
Docker won the container war. But that doesn't mean it won on every dimension. FreeBSD jails, which predate Docker by over a decade, have genuine technical advantages that the container ecosystem has largely ignored.
VNET: Real Network Isolation
Docker containers run on the host's kernel network stack. Linux network namespaces partition that stack to isolate containers, but they were bolted on: the container model was designed around shared networking with port mapping.
FreeBSD's VNET gives each jail a complete, independent network stack. It's not an afterthought; it's built into the jail primitive. Each jail has its own routing table, its own firewall rules, its own interfaces. From the jail's perspective, it has a real network stack, not a namespaced view of the host's.
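To make that concrete, here is a jail.conf fragment for a VNET jail. It is an added example written for this post, not configuration from the FreeBSD project or from Lochs: the jail name, paths, hostname and the 10.0.1.0/24 addresses are constructed placeholders. The epair virtual cable is created on the host before the jail starts, its "b" end is handed to the jail through vnet.interface, and the jail then addresses that interface, sets its own default route and starts its rc scripts from inside its own stack.

```conf
# Added example: /etc/jail.conf fragment for a VNET jail (constructed values)
web {
    # Filesystem root and hostname of the jail (placeholder values)
    path = "/usr/local/jails/web";
    host.hostname = "web.example.internal";

    # Give the jail its own network stack instead of a slice of the host's.
    vnet;
    # The "b" end of the epair is moved into the jail's stack at start.
    vnet.interface = "epair0b";

    # Host side: create the virtual cable and address the "a" end.
    exec.prestart = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.1.1/24 up";

    # Jail side: these commands run inside the jail's own stack, so the
    # address, routing table and any firewall rules set here belong to
    # the jail alone and are invisible to the host's stack.
    exec.start = "/sbin/ifconfig lo0 127.0.0.1/8 up";
    exec.start += "/sbin/ifconfig epair0b inet 10.0.1.2/24 up";
    exec.start += "/sbin/route add default 10.0.1.1";
    exec.start += "/bin/sh /etc/rc";

    exec.stop = "/bin/sh /etc/rc.shutdown";
    # Destroying one end of the epair removes the whole pair.
    exec.poststop = "ifconfig epair0a destroy";

    mount.devfs;
    devfs_ruleset = 4;
}
```

With this fragment in place, `jail -c web` brings the jail up and `jexec web netstat -rn` shows a routing table that contains only the jail's own route, not the host's. The host-side address on epair0a is what makes the host a gateway for the jail; forwarding or NAT on the host is a separate decision and is not part of the fragment.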
Capsicum: Capability-Based Security
Docker's security model is based on Linux capabilities (CAP_SYS_ADMIN, CAP_NET_RAW, etc.) and seccomp profiles. These are powerful but coarse-grained — a capability either grants a broad class of operations or it doesn't.
FreeBSD's Capsicum provides fine-grained capability-based security at the file descriptor level. A process can be restricted to only the specific operations on specific file descriptors it needs. This is fundamentally more expressive than Linux's capability model.
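Here is what that descriptor-level restriction looks like in practice. The program below is an added example written for this post, not code from FreeBSD or from Lochs. It pre-opens a file, limits the descriptor to CAP_READ and CAP_FSTAT, calls cap_enter(), and then checks three things: reading through the retained descriptor still works, naming a new path with open() fails with ECAPMODE, and writing through the limited descriptor fails with ENOTCAPABLE. The file path is a constructed placeholder, and the checks run in a forked child because capability mode cannot be left once entered. On a system other than FreeBSD the Capsicum calls do not exist, so the program reports the demo as unsupported instead of pretending to sandbox anything.

```c
/* Added example (not from the original post): a minimal Capsicum sandbox.
 * On FreeBSD it pre-opens a file, limits the descriptor to CAP_READ|CAP_FSTAT,
 * enters capability mode, and checks that reading still works, that open()
 * of a new path fails with ECAPMODE, and that write() on the limited
 * descriptor fails with ENOTCAPABLE. The checks run in a forked child
 * because cap_enter() is irreversible for the calling process. On other
 * systems the Capsicum API is absent, so the demo returns DEMO_UNSUPPORTED. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

enum { DEMO_OK = 0, DEMO_FAIL = 1, DEMO_UNSUPPORTED = 2 };

/* Runs the sandbox checks against an existing file at path.
 * Returns DEMO_OK, DEMO_FAIL or DEMO_UNSUPPORTED. */
int capsicum_demo(const char *path)
{
#ifndef __FreeBSD__
    (void)path;
    return DEMO_UNSUPPORTED;   /* no Capsicum on this platform */
#else
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_FAIL;
    if (pid == 0) {
        char buf[16];
        cap_rights_t rights;
        int fd = open(path, O_RDWR);          /* opened before sandboxing */
        if (fd < 0)
            _exit(DEMO_FAIL);
        /* Shrink what this one descriptor may be used for. */
        cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
        if (cap_rights_limit(fd, &rights) < 0)
            _exit(DEMO_FAIL);
        /* From here on, global namespaces (paths, PIDs, ...) are gone. */
        if (cap_enter() < 0)
            _exit(DEMO_FAIL);
        /* 1. Reading through the retained descriptor still works. */
        if (read(fd, buf, sizeof buf) < 0)
            _exit(DEMO_FAIL);
        /* 2. Naming a new path is refused: open() fails with ECAPMODE. */
        if (open(path, O_RDONLY) >= 0 || errno != ECAPMODE)
            _exit(DEMO_FAIL);
        /* 3. A right that was not retained is refused: ENOTCAPABLE. */
        if (write(fd, "x", 1) >= 0 || errno != ENOTCAPABLE)
            _exit(DEMO_FAIL);
        _exit(DEMO_OK);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return DEMO_FAIL;
    return WEXITSTATUS(status);
#endif
}

/* Writes a small constructed input file so the demo runs stand-alone.
 * Returns 0 on success. */
int make_sample_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("hello from outside the sandbox\n", f);
    return fclose(f);
}

int main(void)
{
    const char *path = "/tmp/capsicum_demo.txt";   /* constructed placeholder */
    if (make_sample_file(path) != 0) {
        perror("fopen");
        return 1;
    }
    int rc = capsicum_demo(path);
    printf("capsicum demo: %s\n",
           rc == DEMO_OK ? "all checks passed"
           : rc == DEMO_UNSUPPORTED ? "unsupported on this OS"
           : "FAILED");
    unlink(path);
    return rc == DEMO_FAIL;
}
```

Build with `cc -o capsicum_demo capsicum_demo.c` and run it on FreeBSD; the point to notice is that nothing about the file system changed, only what this process is allowed to name and do. The same split, a broker that opens resources and a sandboxed worker that holds only limited descriptors, is the pattern FreeBSD's own base tools use under Capsicum.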
ZFS: Native Integration
Docker has storage drivers for various filesystems (overlay2, btrfs, zfs). FreeBSD jails have native ZFS integration — snapshots, clones, send/receive, compression, deduplication — all available directly to the jail management layer without an abstraction layer in between.
The Catch
All of these advantages are locked to FreeBSD. You can't use them on the Linux infrastructure that most of the world runs on. Docker has the ecosystem: the images, the registries, the CI/CD integrations, the cloud provider support.
That's why we're building Lochs. The hypothesis is that if we can bring jail-level security isolation to Linux with Docker-level usability, we can offer the best of both worlds.
Whether that hypothesis holds up is an open question. But we think it's worth trying.