April 7, 2026
Tiny jails, big feelings
Cells for NetBSD: kernel-enforced, jail-like isolation
NetBSD’s “mini-jails” land: fans swoon over simplicity, newbies ask “is this Linux stuff”
TLDR: NetBSD’s new “Cells” adds simple, kernel-run app isolation—lighter than virtual machines and not trying to be Linux containers. The crowd split between nostalgia-fueled praise, calls for small-scale embedded use, and “is this like cgroups?” confusion, spotlighting a back-to-basics BSD approach with modern polish.
NetBSD just unveiled “Cells,” tiny, kernel-policed rooms for your apps—and the comments came alive. Supporters are hyped that it’s pure NetBSD end‑to‑end: no big container daemons, no sprawling ecosystem, just simple tools and clear boundaries. One old‑school dev even got misty‑eyed, saying it’s “heartwarming” to see work from 20 years ago still powering today’s ideas. Meanwhile, the phrase “jail‑like” stirred the pot: veterans rushed in to clarify that Cells aim smaller and tighter than classic FreeBSD jails, especially for embedded gadgets, not just server farms.
Then came the cross‑OS culture clash. A confused onlooker asked if this is like Linux “cgroups” (that’s Linux’s way of corralling resources), prompting a chorus of “sort of, but not really”—Cells are enforced in the kernel and intentionally avoid copying the Linux container circus. Another BSD voice cheered the write‑up as “near perfect” and very KISS (keep it simple), while admitting they’ll stay with FreeBSD for now—classic family drama. Bonus meme fuel: the optional retro terminal UI that “teleports you to the 80s.” Cue neon jokes and synthwave quips.
Bottom line: Cells promises just‑enough isolation, sitting between old‑school chroot and full virtual machines like Xen, all built into NetBSD’s kernel. It’s the chill, minimalist answer for admins who want control without the container saga. More at netbsd.org.
Key Points
- Cells for NetBSD provides kernel-enforced, lightweight isolation for NetBSD, positioned between chroot and full virtualization like Xen.
- Isolation and policy enforcement are integrated into NetBSD’s kernel security framework, avoiding external control services and heavy dependencies.
- Core components include secmodel_cell (kernel enforcement), cellctl (runtime adapter), cellmgr (control plane), and cellui (optional TUI).
- Security features enforce process boundaries, block cross-cell signaling, apply tiered security profiles, and restrict privileged host operations; networking is shared with reserved per-cell ports.
- Persistent data is managed as first-class volumes with built-in backup/restore; cellmgr supports bootstrap, desired manifests, apply plans, and lifecycle workflows.