FreeBSD Jails

Classic system administration has changed a lot in the last decade:
virtualization and container technology went through a remarkable improvement.

Both have a stable place in today's systems:

  • Virtual machines run almost fully isolated from the host system.
  • Containers sit on top of the same kernel and bring a lightweight separation.

FreeBSD Jails don’t compete with containers.
They don’t substitute virtual machines.
Jails just fill a gap.

Configuration

This guide sets up lightweight "thin" jails with:

  • ZFS snapshots
  • VNET networking
  • Resource limits

Host System Networking

For a VNET configuration, where every jail has its own network stack and IP address,
bring up a bridge device on the host and attach the physical interface to it.

In this example the

  • host network device is called em0
  • bridge device becomes bridge0
  • host IP address is 192.168.1.5

Change them according to your system. gateway_enable turns on IP forwarding on the host; jails bridged this way sit on the same Layer 2 segment as em0 and reach the router directly, so leave it out unless the host really has to route.

sysrc ifconfig_em0="up"
sysrc cloned_interfaces="bridge0"
sysrc ifconfig_bridge0="inet 192.168.1.5/24 addm em0 up"
sysrc defaultrouter="192.168.1.1"
sysrc gateway_enable="YES"

Load the epair and bridge kernel modules at boot by adding these lines to /boot/loader.conf:

if_epair_load="YES"
if_bridge_load="YES"

Restart the networking after the change.

service netif restart && service routing restart

Warning: you may lose your connection. If you are logged in over em0, its IP address moves to bridge0 during the restart, so do this from the console or be ready to reconnect.

Afterwards the output of ifconfig must show bridge0 up with the configured IP address and em0 listed as a member.
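A quick check that the bridge really came up as configured, added here as an example (it is not part of the original post). It parses the output of ifconfig and assumes the names used above: bridge0, em0 and 192.168.1.5. The two ifconfig outputs inside the block are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# check_bridge <ifconfig-output> <bridge> <ip> <member-if>
# Returns 0 only when the bridge is UP/RUNNING, carries the host address and
# has the physical NIC as a member. Added example, not the post's own code.
check_bridge() {
    out=$1; bridge=$2; ip=$3; member=$4
    # the bridge's own flags line (not a member's) must carry UP and RUNNING
    printf '%s\n' "$out" | grep -q "^$bridge: flags=[0-9a-f]*<UP,.*RUNNING" \
        || { echo "$bridge is not UP/RUNNING" >&2; return 1; }
    # the host address must have moved onto the bridge
    printf '%s\n' "$out" | grep -q "^[[:space:]]*inet $ip " \
        || { echo "$bridge does not carry $ip" >&2; return 1; }
    # the NIC must be a member, otherwise jail epairs never reach the LAN
    printf '%s\n' "$out" | grep -q "^[[:space:]]*member: $member " \
        || { echo "$member is not a member of $bridge" >&2; return 1; }
    return 0
}

# Constructed sample of `ifconfig bridge0` on a correctly configured host.
SAMPLE_OK='bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:b1
    inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>'

# Constructed sample of the same bridge before `service netif restart`:
# cloned, but down, without an address and without a member.
SAMPLE_BAD='bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:b1
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    groups: bridge'

# On the host itself run:
#   check_bridge "$(ifconfig bridge0)" bridge0 192.168.1.5 em0
```

The three checks mirror the three things the rc.conf lines above ask for: the interface is up, it owns the host address, and em0 is bridged into it.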

Host System Jails Configuration

Enable jails in rc.conf; you can do it with the sysrc command.

sysrc jail_enable="YES"
sysrc jail_parallel_start="YES"

Create and set up the jails ZFS dataset.

zfs create zroot/jails
zfs set mountpoint=/usr/local/jails compression=on zroot/jails

Create the ZFS dataset for the future jails.

zfs create zroot/jails/containers

Create the template dataset.

zfs create -p zroot/jails/templates/15.0-RELEASE

Download and extract a FreeBSD base system into it. Before extracting, compare the archive with the SHA256 listed in the MANIFEST file that is published in the same release directory, so a truncated or corrupted download does not become the template for every jail.

cd /usr/local/jails/templates/15.0-RELEASE/
fetch https://download.freebsd.org/ftp/releases/amd64/amd64/15.0-RELEASE/base.txz
tar -xf base.txz --unlink
cd
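One way to do that comparison, added as an example that is not part of the original post: FreeBSD publishes a MANIFEST file next to base.txz in the release directory, with one tab-separated line per distribution set (file name, SHA256, file count, set name, description, on/off). The function below looks up the archive in that file and checks the hash; the sha256/sha256sum fallback only exists so it runs on a FreeBSD host and on other systems alike.

```shell
#!/bin/sh
# verify_manifest <MANIFEST> <archive>
# Returns 0 when the archive's SHA256 matches its MANIFEST entry.
# Added example, not the post's own code.

sha256_of() {
    # FreeBSD ships sha256(1); sha256sum(1) is the coreutils equivalent.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

verify_manifest() {
    manifest=$1; archive=$2
    base=$(basename "$archive")
    # MANIFEST columns are tab separated; column 1 is the file, column 2 the hash
    expected=$(awk -v f="$base" -F'\t' '$1 == f { print $2 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$base is not listed in $manifest" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $base: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# In the template directory, after fetching MANIFEST from the same URL
# directory as base.txz:
#   verify_manifest MANIFEST base.txz && tar -xf base.txz --unlink
```

Fetch MANIFEST with the same fetch command used for base.txz and run the verification before the tar step; a mismatch leaves the template directory untouched.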

Copy the resolver and time zone settings into the template, and make sure it has the latest patches installed.

cp /etc/resolv.conf /usr/local/jails/templates/15.0-RELEASE/etc/resolv.conf
cp /etc/localtime /usr/local/jails/templates/15.0-RELEASE/etc/localtime
freebsd-update -b /usr/local/jails/templates/15.0-RELEASE/ fetch install

Create a new snapshot of the template.

zfs snapshot zroot/jails/templates/15.0-RELEASE@base

Create A Jail

Clone the template snapshot with ZFS. This example uses test-jail-name as the jail name.

zfs clone zroot/jails/templates/15.0-RELEASE@base zroot/jails/containers/test-jail-name

Define the jail's configuration in /etc/jail.conf.d/test-jail-name.conf.

Warning: this manual setup hardcodes epair0 for the first jail.
Every additional jail needs its own epair number (epair1, then epair2, and so on), in its jail.conf and in its rc.conf alike, because an epair name can exist only once on the host.

test-jail-name {
    host.hostname = "${name}";
    path = "/usr/local/jails/containers/${name}";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_console_${name}.log";
    exec.clean;
    persist;
    mount.devfs;
    allow.raw_sockets; # lets root in the jail open raw sockets (ping, traceroute); drop it if the jail does not need them
    vnet;
    # Define the epair pair
    # epair0a stays on host, epair0b goes to jail
    vnet.interface = "epair0b";
    # Hooks for interface creation/destruction
    exec.prestart = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.poststop = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";
}

epair0a is on the host side, epair0b is in the jail.

Set up the networking in the jail.

Edit the jail's own rc.conf, /usr/local/jails/containers/test-jail-name/etc/rc.conf, and add:

ifconfig_epair0b="inet 192.168.1.6 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

Make sure the epair number matches the one in the jail's configuration (epair0b belongs to epair0).

Start The Jail

Start up the jail with the service command:

service jail start test-jail-name

If you want it to start automatically at host boot, add the jail to jail_list in rc.conf. This assignment replaces the whole list, so when you add further jails later use the += form of sysrc to append rather than overwrite.

sysrc jail_list="test-jail-name"

Jail Resource Limits

To be able to set resource limits, enable resource accounting in /boot/loader.conf:

kern.racct.enable=1

Then enable the rctl service in rc.conf too:

sysrc racct_enable="YES"
sysrc rctl_enable="YES"

Reboot the machine so the loader setting takes effect.

An rctl rule has the form subject:subject-id:resource:action=amount, so for a jail it reads jail:<jailname>:resource:action=amount. Rules added with rctl -a are lost at reboot; put the same line into /etc/rctl.conf, which the rctl service loads at boot. For example, to deny the jail more than 2 GB of memory:

rctl -a jail:test-jail-name:memoryuse:deny=2G
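The steps from "Create A Jail" through the rctl rule, put together in one script: it clones the template, writes the jail definition with a per-jail epair number, sets the jail's network in its rc.conf, optionally adds a memory cap, and starts the jail. This is an added example, not the post's own script. It assumes the dataset, mount point, bridge and router names used above (zroot/jails/templates/15.0-RELEASE@base, zroot/jails/containers, /usr/local/jails/containers, bridge0, 192.168.1.1); the jail name web1, the id 3 and the address 192.168.1.13/24 in the usage line are made up. It keeps the epair name in a jail.conf variable (a jail.conf feature the manual configuration above does not use), so the number cannot drift between the prestart hooks and vnet.interface.

```shell
#!/bin/sh
# mkjail.sh: create one thin VNET jail from the template above and, optionally,
# give it a memory cap. Added example; not the original post's code.
# Assumed layout (all taken from the steps above):
#   template snapshot  zroot/jails/templates/15.0-RELEASE@base
#   jail datasets      zroot/jails/containers/<name>, mounted under /usr/local/jails/containers
#   host bridge        bridge0, LAN router 192.168.1.1
# Usage: mkjail.sh <name> <id> <ip/prefix> [memory-limit]
#   e.g. mkjail.sh web1 3 192.168.1.13/24 1G      (made-up values)
# <id> must be unique per jail: it becomes the epair number (epair3a on the
# host, epair3b in the jail), which is what the warning above is about.
set -eu

TEMPLATE="zroot/jails/templates/15.0-RELEASE@base"
CONTAINERS="zroot/jails/containers"
JAILROOT="/usr/local/jails/containers"
BRIDGE="bridge0"
GATEWAY="192.168.1.1"

# Print /etc/jail.conf.d/<name>.conf. The epair name lives in a jail.conf
# variable, so the number is written exactly once. allow.raw_sockets is left
# out on purpose: raw sockets let root in the jail forge arbitrary packets,
# so grant it only to a jail that really needs ping or traceroute.
gen_jail_conf() {
    name=$1; id=$2
    cat <<EOF
$name {
    \$epair = "epair$id";
    host.hostname = "\${name}";
    path = "$JAILROOT/\${name}";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_console_\${name}.log";
    exec.clean;
    persist;
    mount.devfs;
    vnet;
    vnet.interface = "\${epair}b";
    exec.prestart = "ifconfig \${epair} create up";
    exec.prestart += "ifconfig $BRIDGE addm \${epair}a";
    exec.poststop = "ifconfig $BRIDGE deletem \${epair}a";
    exec.poststop += "ifconfig \${epair}a destroy";
}
EOF
}

# Print the network lines for the jail's own /etc/rc.conf (the b side of the epair).
gen_jail_rc() {
    id=$1; ipcidr=$2
    printf 'ifconfig_epair%sb="inet %s"\n' "$id" "$ipcidr"
    printf 'defaultrouter="%s"\n' "$GATEWAY"
}

# Print the rctl rule that caps the jail's memory; the same line goes into
# /etc/rctl.conf so the rctl service reapplies it after a reboot.
gen_rctl_rule() {
    printf 'jail:%s:memoryuse:deny=%s\n' "$1" "$2"
}

create_jail() {
    name=$1; id=$2; ipcidr=$3; mem=${4:-}
    # Refuse an epair number that any existing jail definition already uses.
    if grep -qs "epair$id[^0-9]" /etc/jail.conf.d/*.conf; then
        echo "epair$id is already used by another jail" >&2
        return 1
    fi
    zfs clone "$TEMPLATE" "$CONTAINERS/$name"
    gen_jail_conf "$name" "$id" > "/etc/jail.conf.d/$name.conf"
    gen_jail_rc "$id" "$ipcidr" >> "$JAILROOT/$name/etc/rc.conf"
    if [ -n "$mem" ]; then
        gen_rctl_rule "$name" "$mem" >> /etc/rctl.conf
        rctl -a "$(gen_rctl_rule "$name" "$mem")"
    fi
    sysrc "jail_list+=$name"        # append, so earlier jails stay in the list
    service jail start "$name"
}

if [ $# -ge 3 ]; then
    create_jail "$@"
fi
```

Run it as root with a name, an id and an address. Refusing a reused epair number is the check the warning above asks you to do by hand, and appending to jail_list instead of assigning it keeps previously registered jails starting at boot.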

Final Thoughts

FreeBSD with jails is not better or worse than Linux with containers.
It is a different architecture.

Jails are fast and lightweight, yet they behave like OS-level virtualization.

Operators can choose the best system for the task.


Discover more from Tom's IT Cafe
