NetBSD Cells: Kernel-Enforced Jail-Like Isolation Without Containers or VMs

NetBSD has introduced "Cells" — a new kernel-enforced isolation mechanism that provides jail-like security boundaries without the complexity of containers or virtual machines.

What Are Cells?

Cells are a kernel-level isolation feature in NetBSD that:

• Enforce resource boundaries at the kernel level
• Isolate processes from each other
• Prevent privilege escalation between cells
• Run on the same kernel — no VM overhead

Cells vs Other Isolation Technologies

Key Differences from Containers

• No separate filesystem namespace required
• No separate network namespace required
• Simpler security model — Fewer moving parts
• Kernel-enforced — Can't be bypassed from userspace

Why NetBSD?

NetBSD has a long tradition of pioneering isolation technologies:

• Jails inspired FreeBSD's jail(8) concept
• RUMP kernels enable running NetBSD kernel components in userspace
• Veriexec provides verified executable support

Cells continue this tradition with a modern, streamlined approach to isolation.

Use Cases

• Multi-tenant hosting — Isolate customer workloads
• Security hardening — Contain potentially vulnerable services
• Development/testing — Isolated environments without VM overhead
• IoT/embedded — Resource-constrained isolation

Why It Matters

• Security simplicity — Fewer components = smaller attack surface
• Performance — Minimal overhead compared to containers or VMs
• BSD innovation — NetBSD continues to push systems research
• Alternative approaches — Not everything needs to be a container