(no title)

You've been able to setup separate firewalls, network interfaces, IP addresses, etc. for probably 20 years using network namespaces. How do you think container networking is implemented? But you can also use it through other tools; for example, I use firejail to isolate a couple of proprietary desktop applications such that they cannot contact anything on my desktop (or network in general) except the internet gateway.

> If you don't want to use the base system (which docker is NOT the base system on Linux)

There are many ways to manage "containers" on linux. I might agree with the fact that docker is not the base system (although it really depends on what distro you're using).

But I might also use something like systemd-nspawn or systemd-machined (see https://wiki.archlinux.org/title/Systemd-nspawn or https://en.opensuse.org/Systemd-machined) to handle those.

> I can delegate a ZFS dataset to a jail to let the jail manage it.

I could probably do the same.

> Do Linux containers have an equivalent to VNET jails yet? With VNET jails I can give the jail its own whole networking stack, so they can run their own firewall and dhcp their own address and everything.

I'm not sure, but most likely yes. Maybe not through docker. Docker isn't the only way to run containers in GNU/Linux though.

Is there a docker-compose analogue in Bastille? I like being able to spin up an isolated local copy of my infrastructure, run integration tests, and then tear it all down automatically. I'd like to be able to do a similar thing with jails. I wonder if there's a straightforward way to achieve something similar with VNET jails?

  https://freebsdfoundation.org/blog/oci-containers-on-freebsd/
  https://www.freshports.org/sysutils/podman-compose/