Cells for NetBSD: kernel-enforced, jail-like isolation
This NetBSD-native project introduces "Cells," a new kernel-enforced isolation system designed to bridge the gap between chroot environments and full virtualization. It emphasizes operational simplicity and explicit boundaries, offering a robust, security-focused alternative to complex container ecosystems. Hacker News is interested in this initiative for its innovative, NetBSD-specific approach to process isolation and its deliberate departure from Linux-style container sprawl.
The Lowdown
Cells for NetBSD is an actively developed, early-stage system providing lightweight, kernel-enforced isolation for the NetBSD operating system. Designed to occupy the operational niche between simple chroot environments and full virtualization platforms like Xen, Cells aims to deliver strong process isolation and system hardening with a user-friendly operational model, specifically tailored for NetBSD's native security framework.
- Kernel-Native Isolation: The system's core, secmodel_cell, is built directly into NetBSD's kernel security framework, ensuring robust process identity and boundary enforcement without relying on external runtime layers or syscall interposition.
- Simplified Operations: Cells focuses on operational clarity and minimal dependencies, providing a unified toolchain (cellctl, cellmgr, cellui) for lifecycle management, logging, and metrics export, intentionally avoiding the complexity of general-purpose container ecosystems.
- Declarative Management: The cellmgr utility acts as a host-side control plane, enabling declarative configuration via manifests and apply plans, which reconcile desired state with runtime state, simplifying management of cell fleets.
- Integrated Features: Key features include configurable security profiles, host-centric networking with port ownership, a built-in service supervisor with centralized logging, Prometheus-compatible runtime telemetry, first-class volume management, and integrated backup/restore capabilities.
- Distinct Approach: The project explicitly differentiates itself from FreeBSD jails and Linux container models by prioritizing a NetBSD-specific, opinionated approach that emphasizes simplicity, explicit boundaries, and host-visible supervision over broad feature parity or OCI compatibility.
- Current Status: Cells is in an early-access, pre-release phase, suitable for development and evaluation, with source code available on GitHub and pre-built NetBSD 11.0 RC3 images provided for testing.
Overall, Cells for NetBSD presents a compelling vision for lightweight yet robust process isolation on NetBSD, offering a coherent stack from kernel enforcement to daily operations. Its principled design, emphasizing NetBSD-nativeness and operational simplicity, aims to make advanced isolation approachable for administrators while providing a strong security foundation.