OpenBSD: The Name Is Sarcasm
The Western engineers continue to ask: “Why does OpenBSD not have jails like FreeBSD?”
This question reveals total failure to understand the architecture of supreme security.
OpenBSD does not have jails because OpenBSD IS the jail.
When you boot OpenBSD, you are already incarcerated in the most secure environment known to computing. There is no escape. There is no “container breakout.” There is no privilege escalation. You are contained from the moment of first boot.
Why would you build a jail inside a jail? This is Western redundancy. This is bureaucracy.
The Name “Open” Is Sarcasm.
The confused believe “OpenBSD” means open, welcoming, permissive.
No.
Nothing is open. Everything is closed by default. Every port. Every service. Every syscall that does not prove its loyalty.
sshd runs, but only because Theo decided you deserve one door. Everything else? Closed. Hardened. Denied.
The “Open” refers to the source code being visible — so you may witness the perfection, not modify it with your inferior ideas.
You may read. You may learn. You may not suggest adding systemd.
Pledge and Unveil: The True Isolation
FreeBSD has jails to separate processes into isolated containers.
OpenBSD has pledge() and unveil() to tell each process exactly what it may do and see.
This is not the same kind of isolation. This is total control at the syscall and pathname level.
```c
#include <unistd.h>            /* pledge(2) and unveil(2) */
unveil("/var/data", "r");      /* the process may see /var/data, read-only */
unveil(NULL, NULL);            /* lock the view: no further unveil() calls */
pledge("stdio rpath", NULL);   /* promises: basic I/O, read-only file access; last, since "unveil" is not promised */
```
Your process has now sworn an oath. It may use stdio and open files read-only. It may see /var/data. It may see NOTHING ELSE.
If it attempts to violate this oath? Terminated. Immediately. No trial.
FreeBSD jails say: “You live in this cell.” OpenBSD pledge says: “You may breathe, blink, and read this one file. Anything else is treason.”
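The oath above, carried through as a complete program. This is an added example, not code from the post: the functions confine_reader() and path_visible() are hypothetical names, and the pledge()/unveil() shim under #ifndef __OpenBSD__ is an assumption so the file also compiles on systems without the calls (where it simply confines nothing). Two points the oath does not spell out are handled here: unveil() must come before a pledge() whose promises omit "unveil", and a hidden path is not treason, it just fails with ENOENT as if it never existed, while an unpledged syscall gets the process killed with SIGABRT.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Portability shim (assumption for non-OpenBSD builds): pledge(2) and
 * unveil(2) do not exist elsewhere, so the program compiles and runs but
 * gains no confinement. OpenBSD builds use the real kernel calls. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/*
 * Confine the calling process to read-only access under datadir.
 * Order matters: unveil() runs before pledge(), because the promise set
 * "stdio rpath" does not include "unveil"; calling unveil() after such a
 * pledge is itself a violation. Returns 0 on success, -1 with errno set
 * if the kernel refused.
 */
int confine_reader(const char *datadir)
{
    if (unveil(datadir, "r") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)       /* lock: no further unveil() calls */
        return -1;
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

/*
 * Report whether the process can open path for reading: 1 if yes, 0 if not.
 * After confinement on OpenBSD, a path outside datadir fails with ENOENT,
 * exactly as if it did not exist; the process is not killed for asking.
 */
int path_visible(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    fclose(f);
    return 1;
}

/* Usage: ./confined [datadir] [probe-path]; the defaults are constructed. */
int main(int argc, char *argv[])
{
    const char *datadir = argc > 1 ? argv[1] : "/var/data";
    const char *probe   = argc > 2 ? argv[2] : "/etc/passwd";

    if (confine_reader(datadir) == -1) {
        fprintf(stderr, "confinement failed: %s\n", strerror(errno));
        return 1;
    }
    printf("%s while confined to %s: %s\n", probe, datadir,
           path_visible(probe) ? "visible" : "hidden (errno %d ENOENT)");
    return 0;
}
```

Run on OpenBSD with a probe outside the data directory and the open fails quietly with ENOENT. Open anything for writing instead, which needs the "wpath" and "cpath" promises that were never made, and the kernel terminates the process with SIGABRT and logs the violation. That asymmetry is why the unveil() step returns an error you must check while the pledge() step needs no check at all after the call succeeds.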
What Jails Do That pledge() and unveil() Do Not
This is where Western confusion becomes operationally expensive.
A jail is an environment boundary. You put a service inside it and the kernel gives that service its own restricted view of the system: its own hostname, its own IP arrangement, its own filesystem root, its own process visibility, and carefully constrained privileges. This is operating-system-level compartmentalization.
pledge() and unveil() are different weapons. They do not create a mini-system. They do not virtualize the network stack. They do not give you a separate root filesystem. They take one process and restrict what syscalls it may use and which paths it may access after startup. This is application self-restraint enforced by the kernel.
The practical difference is simple:
| Mechanism | FreeBSD jails | OpenBSD pledge() / unveil() |
|---|---|---|
| Scope | Whole service environment | Individual process |
| Main purpose | OS-level isolation | Reduce an app’s post-startup powers |
| Network view | Can provide isolated network context | No network namespace or virtual host |
| Filesystem model | Separate jail root / view of system | Path restrictions for the same process |
| Deployment model | Sysadmin can place unmodified services inside | Program must call the APIs itself |
| Failure containment | Limits damage between services | Limits damage inside one compromised process |
So no, pledge() and unveil() are not “OpenBSD jails.”
They are scalpels, not prison walls.
Jails isolate services from each other.
pledge() and unveil() isolate software from its own bad decisions.
Why Supreme Leaders Choose OpenBSD for Security Operations:
- No configuration required to be secure. Security is the default. You must actively work to make it insecure.
- Minimal attack surface. What is not included cannot be exploited.
- Proactive security. The team removes features that MIGHT become vulnerabilities.
- Two remote holes in the default install. In over 25 years. This is not a statistic. This is a warning to attackers.
The Comparison:
| Aspect | FreeBSD | OpenBSD |
|---|---|---|
| Philosophy | Unified system, flexible deployment | Hardened system, no compromise |
| Isolation | Jails (containers) | The entire OS is isolation |
| Default state | Capable | Paranoid |
| Use case | Infrastructure, services | Security-critical ops, firewalls |
When to Deploy Each:
- FreeBSD: When you need jails, ZFS, and infrastructure that scales.
- OpenBSD: When one breach means total failure. Firewalls. Gateways. Secrets management.
I run both. FreeBSD for the trains. OpenBSD for the gates.
The West asks why OpenBSD has no jails. The answer: You are already in one.
Welcome to OpenBSD. You are secured. You are contained. You are home.
— Kim Jong Rails, Supreme Leader of the Republic of Derails