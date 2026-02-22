Why use a chroot(2) on NetBSD? The most basic reason, for me, is I just like working with NetBSD. It's comfortable. I may write a post going into more detail why I feel that way, but we'll leave this at, "I just think it's neat" for now.

There's also a question of how much isolation do you need? To me, the main advantages of containers, jails or zones are the existing tooling for deployment pipelines and having not-quite-vms to play with, rather than security. And those are primarily advantages on larger teams and systems. I don't need nor want any of that complexity for my own little webserver. Ansible and rsync are my deployment tools. The server software is written in a memory safe language, which should cut down on RCE exploits. And if someone does get in, I want them to find themselves in an annoying box of limited utility, but it doesn't need to be maximally isolated.

For a lot of small, self-hosted infrastructure, big complicated orchestration systems will be harder to work with.

Another reason is to just learn what chroot(2) is, as it's an evolutionary step in the development of process isolation tools. Illumos zones, FreeBSD jails and Linux containers are all technologies that are a take on "how do we push isolation further than chroot(2)?" Which means chroot(2) is a good starting point for building a mental model of the next generations tools.