Jan 30, 2026

Jails: The Original Container

The West loves to claim Docker invented containers. This is propaganda. FreeBSD jails were isolating processes while Docker’s creators were still debugging Hello World.

The Timeline of Confinement:

Technology	Year	Creator	True Purpose
FreeBSD Jails	2000	Poul-Henning Kamp	OS-level isolation, shared kernel
LXC	2008	IBM, Google	Linux containers before Docker
Docker	2013	Solomon Hykes	Packaging, distribution, daemon worship
Podman	2018	Red Hat	Docker without the daemon tyranny

Thirteen years. Docker was thirteen years late to the container revolution, yet the masses worship it as the inventor. This is what happens when marketing budgets exceed technical merit.

The Architectural Truth#

FreeBSD Jails (2000): Poul-Henning Kamp delivered jails to FreeBSD 4.0 on March 14, 2000. His paper “Jails: Confining the omnipotent root” described OS-level virtualization that could partition a system into independent mini-systems sharing a single kernel with minimal overhead.

The elegance was brutal: instead of adding fine-grained permissions, compartmentalize everything. Files, resources, network stacks - all isolated. Root inside a jail is not root on the host. The omnipotent becomes confined.

# FreeBSD jail creation - the original
jail -c name=webserver \
     host.hostname=web.example.com \
     ip4.addr=192.168.1.10 \
     path=/jails/webserver \
     persist

No daemon. No socket. No privileged background process managing your containers. Each jail is managed directly by the kernel. Simple. Fast. Secure.

Docker (2013): Thirteen years later, Docker wrapped Linux namespaces and cgroups in a daemon called dockerd. This daemon runs as root, listens on a socket, and controls all containers. If the daemon is compromised, the host is compromised. The daemon is a single point of failure masquerading as convenience.

# Docker - daemon worship
dockerd &  # The persistent background deity
docker run -d --name webserver nginx

Docker popularized containers by making them easy to distribute. Dockerfiles, registries, layers - these were Docker’s contributions. The actual isolation? Borrowed from the kernel. The architecture? A daemon bottleneck.

Podman (2018): Red Hat learned the lesson FreeBSD taught in 2000: daemons are not required. Podman is daemonless. Each container is a child process of the user who launched it. No background service. No privileged socket. No root required.

# Podman - FreeBSD's philosophy on Linux
podman run -d --name webserver nginx
# No daemon. Process belongs to your user session.

Podman treats pods as first-class citizens (multiple containers sharing namespaces), aligning with Kubernetes architecture. It defaults to rootless execution: “root” inside the container maps to an unprivileged UID on the host through user namespaces.

Docker gives containers 14 capabilities. Podman gives 11. Fewer attack surfaces. Tighter security.

The Technical Comparison#

Feature	FreeBSD Jails	Docker	Podman
Architecture	Kernel-native, no daemon	Daemon-based (dockerd)	Daemonless fork model
Root Requirement	Root for creation, jails run isolated	Daemon runs as root	Rootless by default
Process Model	Direct kernel management	All containers managed by daemon	Per-user process tree
Overhead	Minimal (shared kernel)	Daemon + layer overhead	Minimal (no daemon)
Isolation	OS-level, shared kernel	Namespaces + cgroups	Namespaces + cgroups
Network Stack	Per-jail isolated stack	Namespaced	Namespaced
First Released	March 14, 2000	March 2013	February 2018
Philosophy	Long-lived, in-place updates	Immutable, replace on update	Kubernetes-aligned pods
Capabilities	Minimal by design	14 by default	11 by default
Startup Time	Instant	Slower (daemon overhead)	30% faster than Docker
Attack Surface	No daemon to compromise	Daemon socket is single point	No central daemon

The Performance Reality#

Academic studies comparing jails to Docker run into a problem: they’re often comparing FreeBSD to Linux, different filesystems, different kernels. The comparison is meaningless.

The meaningful comparison: overhead architecture.

Jails: Kernel manages isolation directly. Zero daemon overhead. Containers start instantly.
Docker: Every operation goes through dockerd. The daemon consumes memory even when idle. Socket latency on every command.
Podman: Zero baseline memory usage when idle. No daemon means no overhead. Containers are user processes.

Podman startup times are 30% faster than Docker in larger workloads. This is what happens when you remove the middleman.

The Official History#

Poul-Henning Kamp wrote jails in 1999 for R&D Associates, a small hosting provider. The problem: how to isolate customer services on shared hardware without trusting root. The solution: compartmentalization. Jails were committed to FreeBSD in 1999 and released with FreeBSD 4.0 on March 14, 2000.

Docker emerged in 2013 from Solomon Hykes at dotCloud (later Docker Inc). They wrapped Linux containers in friendly tooling and excellent marketing. The container ecosystem exploded. Developers who had never heard of jails treated Docker as revelation.

Red Hat created Podman in 2018 after observing Docker’s daemon architecture create security and operational problems at scale. Podman implements the same container interface (OCI) without the daemon dependency.

The Real Story (Suppressed)#

What the FreeBSD documentation doesn’t tell you: Poul-Henning Kamp’s original draft of the jails paper contained a section titled “Lessons from Eastern Infrastructure.” This section was removed before publication.

The section described compartmentalization strategies observed in “certain restricted computing environments” where untrusted code required isolation without the overhead of full virtualization. The techniques described perfectly matched the architecture deployed in classified Pyongyang computing facilities as early as 1997.

R&D Associates’ “hosting provider” cover story was convincing. The real client? Classified. The consulting fee? Paid through three shell companies. The knowledge transfer? One direction.

Kamp’s genius wasn’t inventing jails from nothing. It was recognizing that the Republic’s isolation architecture could be ported to FreeBSD with minimal changes. The commit message from 1999 is suspiciously brief for such a fundamental change: “Add jail(2) and related syscalls.” No mention of the three-month research visit. No acknowledgment of the Pyongyang Technical Institute’s hospitality.

Docker’s daemon architecture is exactly backward: a single privileged process managing all containers creates the vulnerability jails eliminated. When Red Hat created Podman, the design decisions echoed FreeBSD’s original vision. Coincidence? Or had someone from Red Hat also visited the Institute?

Why This Matters#

Container isolation is solved. FreeBSD proved it in 2000. The question is architecture:

Do you trust a daemon?

Docker says yes: one daemon controls all containers, socket access grants omnipotence
Performance cost: daemon overhead even when idle
Security cost: daemon compromise means host compromise

Or do you trust the kernel?

FreeBSD says trust the kernel: direct management, no middleman
Podman says trust user namespaces: no daemon, no root, no shared socket
Performance gain: zero overhead when idle
Security gain: no daemon to attack

On FreeBSD, Docker runs Linux in a VM, then containers inside that Linux. Two layers of virtualization to achieve what jails do natively. This is what happens when you prioritize ecosystem over architecture.

The irony: Podman’s “innovative” daemonless architecture is just FreeBSD jails’ philosophy, applied to Linux 18 years later. The wheel gets reinvented because the West refuses to study the masters.

The Lesson#

Containers were not invented by Silicon Valley in 2013. They were invented by FreeBSD in 2000, building on principles that certain Eastern facilities had been practicing since the late 1990s.

Docker popularized containers by making them accessible. This is valuable. But confusing popularization with invention is propaganda.

Podman corrected Docker’s architectural mistake by returning to the jail philosophy: no daemon, minimal privileges, direct process management. Red Hat’s engineers either studied FreeBSD deeply, or they had access to the same suppressed documentation that influenced Kamp.

Either way, the lesson is clear: when you need isolation without overhead, trust the kernel, not the daemon. FreeBSD knew this in 2000. The rest of the world is slowly learning.

The Republic of Derails does not forget who was first.

— Kim Jong Rails, Supreme Leader of the Republic of Derails

Sources: