1. 15
  1. 2

    It’s great to see a modern example of someone configuring jails (with the new jail.conf format).

    I was fiddling with a jail host yesterday and getting frustrated with Bastille because its docs are quite unclear.

    My hunch is most of the jail admin tools were created before the jail.conf format existed and jail creation relied on rc.conf knobs etc. Now I suppose they exist to template jail.conf files, set up networking, and many of them also manage ZFS datasets. Maybe using a configuration management tool would be better, although sadly FreeBSD isn’t a well-supported platform by most.

      1. 1

        Thank you! It’s been a while since I tried to understand the vnet bits with jails, and had I found this guide then it would have been really helpful.

      2. 3

        Most of the jail admin tools are about doing things like keeping the base system up to date, managing packages, and so on. They’re probably overkill if you just want a VPS. I’d love to see decent tooling in the base system for:

        • Installing a minimal jail
        • Keeping it up to date
        • Installing packages without needing all of the pkg infrastructure inside the jail (pkg -J currently just jexecs pkg in the jail; I’d like it to run outside the jail and just jexec any post-install scripts if necessary).
        • Automatically configuring firewalls / NAT (IPv4 and IPv6).

        You can’t boot a FreeBSD base system with /etc in a separate filesystem from the root, because it needs to be able to read /etc to be able to mount other filesystems, but it would be really useful for container / jail deployments to have all of the defaults moved out of /etc, so that /etc would not be part of the base system image at all. /etc, /usr/home, /usr/local and /var would be separate read-write ZFS datasets, and all jails could share a read-only mount of a ZFS filesystem as a base image. This is something that’s been discussed a lot over the last decade but never implemented.