Jails

Written by Michael Cole - July 16th 2015


So, jails. Before I had this FreeBSD server, I had FreeBSD running on my laptop (I still do, and maybe I'll post about that some time), and I had a KVM virtual server set up with FreeBSD. I played with ezjail, which was pretty easy to use, but the messages about jail.conf annoyed me. A few people told me to use Warden, since that is what they used on their FreeNAS and it should work on FreeBSD, but I didn't like that I had to install the whole PC-BSD package when I just wanted Warden. I tried it anyway, though. I then tried the CBSD jail manager. It seemed pretty cool, but its English documentation was a little lacking.

Now that I have a full-blown server, I tried iocage, and I must say I'm very impressed at how easy it is to use. It also works very well with ZFS. The first thing you do is fetch a release. You can just run:

iocage fetch

It will ask you which release you want (you can also specify the release option on the command line). Select the one you want, and it downloads it.

When that finishes, you can create a jail. I recommend setting some defaults first, then making a template. Before you can set a default sensibly, you need to see what they are. Run:

iocage get all default

Once you do that, you can run:

iocage set parameter=value default

filling in the parameter name and value you want, of course. Now we can create our template; it will use our default settings. To do this, create a normal jail:

iocage create tag=mytemplate

Then set a few base parameters. Some of these can be passed on the create line, but setting them by hand shows how that works, and it covers some of the parameters you saw in get all above:

iocage set hostname=mytemplate mytemplate
iocage set notes="Jail Template" mytemplate

I found it easier not to set up a network for the template, or even to start it. Now you are saying, "But that's weird, how do I customize it?" Good question, and I have an awesome answer: iocage has a chroot function. To use it, type:

iocage chroot mytemplate

Currently (I don't know if this is a bug or intended), the prompt still shows the host's hostname, but you are in the jail's root directory. If you run the pkg command it will install packages into the jail through the host's network connection, and you can edit any file in the jail's filesystem. Keep in mind that a chroot is not a jail: you are still root on the host, with the host's network and kernel, so this is for trusted setup work, not for running anything untrusted. You can also list packages in a text file, one per line, and pass pkglist= on your create line, but I'm keeping it simple here. Basically, tweak everything that will be repeated in all your jails. Once you are done, type exit to leave the chroot environment and return to the real host.

It isn't a template yet; to convert it, just type:

iocage set template=yes mytemplate

To list templates you type:

iocage list -t

You should now see your template in that list, which means it's ready to go. To use the template, we use iocage's clone function. Since it leans heavily on ZFS, this is a ZFS clone and therefore a very quick operation. Simply type:

iocage clone mytemplate tag=realjail1

Now type:

iocage list

You should see your new jail, ready to be used. Before starting it, I recommend setting a few parameters. For example:

iocage set hostname=realjail1 realjail1
iocage set notes="My Really Important Jail" realjail1
iocage set ip4_addr="em0|192.168.99.5/24" realjail1
iocage set boot=on realjail1
iocage set priority=20 realjail1

Some important notes here. If you don't set a hostname, it uses the UUID of the jail, a long random string that I think looks horrible as a prompt. The notes can be whatever you like; I quote them because of the spaces. The ip4_addr value is interface|address/prefix, so the interface name and address range need to match your system, and the address must not already be in use on that network. boot=on makes the jail start at boot, which also requires the following to be added to your /etc/rc.conf:

iocage_enable="YES"

And finally, the priority is basically the boot order: the lower the number, the sooner the jail is brought online. The default (as of writing this) is 99. There are a ton of other things you can tweak; I'm just giving you the ones I think change most often.

You can also limit CPU and RAM, turn VNET on or off, or create different types of jails (thin, for example), but I am not covering that here. See the iocage documentation for those.

Anyways, now you have your jail. You can start it. Simply type:

iocage start realjail1

Now you can access the console. You don't need to SSH to it, or even enable sshd in the jail. Simply type:

iocage console realjail1

You are now at a root prompt inside the jail, without logging in, because you were already root on the host. Note that if you want to reach the root account with su inside the jail, or do something like vlock the screen, you will have to set a root password: nothing copies users or passwords from the host machine. Now you can customize this particular jail, such as editing /etc/hosts or installing the packages for its specific purpose.
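Here is the procedure above, from template to running jail, collected into one script. This is an added example written for this post's workflow, not code from the post or from the iocage project. It assumes the iocage syntax shown above (set key=value target, clone template tag=name, get property target, create tag=name pkglist=file) and, as a further assumption the post does not confirm, that iocage get template NAME prints yes for a template. The names mytemplate, realjail1, em0 and 192.168.99.5/24 are the post's own; PKGLIST and the script filename are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the post or the iocage project: the workflow
# above after "iocage fetch" (template, clone, set, start) as a script that
# checks its inputs before handing them to iocage. It assumes the 2015
# iocage CLI forms the post shows ("iocage set key=value target",
# "iocage clone template tag=name", "iocage get property target",
# "iocage create tag=name pkglist=file") and, as an assumption, that
# "iocage get template NAME" prints "yes" for a template.
# IOCAGE can be overridden to point at a wrapper or stub for testing.
IOCAGE="${IOCAGE:-iocage}"

# Accept only "iface|a.b.c.d/prefix" so a typo cannot leave the jail on the
# wrong interface, on a bogus address, or with no address at all.
valid_ip4_addr() {
    iface=${1%%|*}
    cidr=${1#*|}
    [ "$iface" != "$1" ] && [ -n "$iface" ] || return 1
    addr=${cidr%/*}
    prefix=${cidr#*/}
    [ "$addr" != "$cidr" ] || return 1
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # check the four octets in a subshell so IFS and the argument list are
    # not disturbed in the caller
    (
        set -f
        IFS=.
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case $octet in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# boot=on does nothing unless iocage_enable="YES" is in rc.conf; check the
# file instead of assuming. Commented-out lines do not count.
iocage_enabled_in() {
    grep -Eq '^[[:space:]]*iocage_enable="?YES"?' "$1"
}

# Create the template jail, optionally with a pkglist file (one package per
# line, as the post describes), then mark it as a template. The template is
# never started, matching the post.
make_template() {
    tpl=$1
    pkglist=$2
    if [ -n "$pkglist" ]; then
        [ -r "$pkglist" ] || { echo "pkglist $pkglist is not readable" >&2; return 1; }
        "$IOCAGE" create tag="$tpl" pkglist="$pkglist" || return 1
    else
        "$IOCAGE" create tag="$tpl" || return 1
    fi
    "$IOCAGE" set hostname="$tpl" "$tpl" &&
    "$IOCAGE" set notes="Jail Template" "$tpl" &&
    "$IOCAGE" set template=yes "$tpl"
}

# Clone a real jail from the template with the settings the post recommends.
# Fails before touching ZFS if the source is not a template, the address does
# not parse, or the priority is not a number (lower boots sooner, default 99).
clone_jail() {
    tpl=$1 name=$2 ipaddr=$3 prio=${4:-99}
    [ "$("$IOCAGE" get template "$tpl")" = yes ] ||
        { echo "$tpl is not marked template=yes" >&2; return 1; }
    valid_ip4_addr "$ipaddr" ||
        { echo "bad ip4_addr '$ipaddr', want iface|a.b.c.d/prefix" >&2; return 1; }
    case $prio in ''|*[!0-9]*) echo "bad priority '$prio'" >&2; return 1 ;; esac
    "$IOCAGE" clone "$tpl" tag="$name" || return 1
    "$IOCAGE" set hostname="$name" "$name" &&
    "$IOCAGE" set ip4_addr="$ipaddr" "$name" &&
    "$IOCAGE" set boot=on "$name" &&
    "$IOCAGE" set priority="$prio" "$name"
}

main() {
    iocage_enabled_in /etc/rc.conf ||
        echo 'warning: iocage_enable="YES" is not in /etc/rc.conf, boot=on will not take effect' >&2
    make_template mytemplate "${PKGLIST:-}" &&
    clone_jail mytemplate realjail1 'em0|192.168.99.5/24' 20 &&
    "$IOCAGE" start realjail1
}

# Only run the demo when executed as this script, not when sourced.
case $0 in *jail_from_template.sh) main "$@" ;; esac
```

Save it as jail_from_template.sh and run it as root; set PKGLIST to a package list file to have the template created with pkglist= instead of customizing it by hand in the chroot. The script never starts the template, and realjail1 still has no root password afterwards, so set one from iocage console before relying on su or vlock inside it.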

And guess what, you are on your way to rolling out as many jails as you need, quickly and easily. Another cool note is that all of the parameters are stored in the jail's ZFS dataset, so it's very easy to clone a jail, snapshot it, or even send it to another machine. I have to say I really enjoy iocage so far. Hopefully this helps if you are looking for jail management. I still recommend trying various solutions to see what you like best.