A Quick Intro to Jails

Status
Not open for further replies.

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Disclaimer: I'm going to oversimplify some complicated things, and I'm going to use small lies in order to make this more understandable. For the people that really understand this stuff, try very hard to resist your compulsion to correct the purposeful imprecision and white lies. This is intended for people that have never heard of jails before.

A lot of the people coming into FreeNAS are completely new to BSD, and may not have so much familiarity with what, exactly, a jail is, and what it's for. I know I was like that for at least 3 months after I got into FreeNAS.

The concept of a "FreeBSD jail" has been around since about 2000. It was one of the first types of quasi-virtualization done at the operating system level. It is not correct, however, to think of it as a virtual machine. It is not too incorrect to think of it as more hard core than a "chroot" (assuming you know what that is), and less hard core than a proper virtual machine.

On FreeBSD itself (not FreeNAS, now), the concept of a "jail" is primarily useful because it offers a mechanism by which the system can be compartmentalized with satisfactory granularity; i.e., it keeps root's business strictly outside of anything that can be accessed from within a "jail". Accordingly, it offers that degree of "security" where an untrusted user can still have something that looks and acts mostly like a complete operating system, but is actually separated from the root operating system. So the usefulness, really, to Joe Blow FreeBSD user, is that it offers this isolation of various tasks in strongly walled gardens.

On FreeNAS, the main advantage of jails (these are the same FreeBSD jails, of course) is quite different than this. FreeNAS is an appliance, meaning that its operating system is not intended to be modified, tweaked, expanded, jacked, bummed, experimented with, or anything else. If you want to install some bit of software into FreeNAS, you really "can't", because that's just not how "appliances" work. But what you *CAN* do is create a "jail", and you can install software INTO THAT JAIL.

The nice thing about jails is you can experiment with them with no threat to your system. When you are done with your jail? Just delete it. By the nature of the jail, you can't screw up your FreeNAS appliance (unless you try really, really, really hard), so it is safe to experiment.

We have two types of jail on FreeNAS: The plugin jails, which I will not be discussing, and are primarily conveniences to users who don't want to get their hands dirty, and, "regular" jails, that come more or less in a virginal state, ready for you to "do something" with them. We will be discussing those.

When you create a new jail on FreeNAS, do so in the GUI. The first thing you will need to do is designate a location (which can be on any data zpool in your system that you like) that serves as the jail "root", meaning, the place under which all jails you create will exist. Once you've done that, you simply create a jail. The very first time you create a jail, the "template" for it will be downloaded from the FreeNAS servers. The template includes the default layout of the jail and whatever software is preloaded in the jails these days for FreeNAS. Subsequent jails will spawn from the template you've already downloaded (in most cases). Your jail will have its own IP address, and its networking will either be a subset of the appliance's networking (if you did not check VIMAGE), or it will be its own thing (if you did). Usually, if you're just screwing around and installing a few pieces of software, you will not want/need the VIMAGE, so I recommend you uncheck the box.

Once your jail is there, you can highlight it in the "jails" list, and click the shell/CLI button that now appears. You will see that you cannot "escape" from the jail. If you "cd /", then you only get as high in the directory tree as the top of that jail subtree. For all intents and purposes, what you see, even though it's a jail, looks, smells, and acts like it were its own FreeBSD system that you can do whatever you want to. It's got its own users (sort of), it's got its own cron, it's got its own /var/log, its own copies of system programs, and so on. Of course, these things cost disk space (usually a basic jail gobbles up about 1GB out of the box), and the extra daemons and services that are running multiple times (the base system, plus in the jails) all cost some memory and CPU. You have to factor that in.

Go ahead and screw around. System commands like "top", when issued from the jail, will only report on those processes in the jail. When you issue "top" from the FreeNAS appliance CLI itself, you will get *EVERY* process on the box, **INCLUDING** what's in the jails.

Try installing some software with "pkg install" or using the so-called ports tree. (Google these). You can install as many things as you want in the jail.

Some things you can install in a jail if you wanted to:

  • Mumble
  • Ventrilo
  • Teamspeak
  • Git
  • Mosh (Mosh is pretty god damned sweet---look it up)
  • DNS servers
  • Web servers
  • Owncloud
  • anything you see in the "plugins" list, if you didn't want to use the plugin
  • PHP
  • speedtest-mini
  • mail servers/IMAP listeners
  • irc server
  • irc bouncer
  • various programming languages
  • various distributed computing projects like Prime95 or whatever (this would be dumb to do in a FreeNAS, but you COULD)
  • databases
  • your own personal mirror of wikipedia

There are some things that are more of a pain in the ass to put in a jail than in an actual FreeBSD system. For example, things that involve complex network voodoo (OpenVPN, e.g.,) will give you a hell of a run for your money. Mail servers can be difficult to set up in a jail.

But all in all, a jail will very much resemble its own little FreeBSD operating system (even though it's running on the same kernel as the base system is), and you can freely experiment in there, and more or less operate 95% of the way you would if it were a straight bare metal FreeBSD system.

You can also turn your jails on and off in the FreeNAS GUI, as if they were VM's.

It is very often the case that some files that reside *outside* of your jails (e.g., your movies) will need to be accessed INSIDE the jails. The jail will not allow any such thing, UNLESS YOU SPECIFICALLY ADD THAT MOUNT via "add storage". But do be careful with that. If you do need to copy just a few files into your jail (or out of it), the "right way" to do that is to simply not be in the jail. Go to your main FreeNAS command line, and since you're outside of the jail now, you can reach in to the jail without restriction, simply by navigating to the proper directory (whatever that may be---you should be able to figure it out). From the jail command line, you cannot bring anything in, or push anything out, of the jail's directory tree (unless you add storage).

Anyway: jails are a very useful feature of FreeNAS; they allow you to customize your FreeNAS appliance almost any way you want to, and for many of us, the FreeNAS jail is the first time we are literally sitting there on a "real" FreeBSD system, and that often leads to more general interest in FreeBSD itself.

I have two jails. My first jail runs: mumble, DNS server, web server, ZNC (irc bouncer), and has a few programming languages in it for me to play with. My second jail is a mail fetcher that goes and gets my various email from various hosts, and lets me pick it up in one central location.


I have tried to outline above exactly what I would have liked to have been told back in my first month of FreeNAS, regarding jails. This, together with the FreeNAS documentation, and copious Googling, should be all you need to begin the journey into jails, and wherever else that might lead.

@cyberjock maybe move this to an appropriate place?
 

Bidule0hm

Server Electronics Sorcerer
Joined
Aug 5, 2013
Messages
3,710
For the people that really understand this stuff, try very hard to resist your compulsion to correct the purposeful imprecision and white lies.

Ok, I'll correct the font then... :P it's too small to be easily readable, why did you not keep the default font?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Ok, I'll correct the font then... :p it's too small to be easily readable, why did you not keep the default font?
I think DrKK was trying to avoid comments from the peanut gallery. I recommend changing the font to comic sans.

As far as the topic goes, @DrKK, can you explain why can't I install a Linux into a jail?
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
can you explain why can't I install a Linux into a jail?

I've got 6-7 Linux distros running in a FreeNAS jail, albeit a VirtualBox one. I think DrKK forgot about that one ;)
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
lol
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
For the people that really understand this stuff, try very hard to resist your compulsion to correct
I was looking forward to straining against the compulsion to correct, but it seems I'm not among "the people that really understand this stuff".
:rolleyes:

Nice write-up.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
For me personally the Jails availability in FreeNAS seems a nice extra besides ZFS :smile: Thanks for taking your time to write down this introduction to Jails, it is very useful to me!
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Great write up. Perhaps you should note how copy, rsync, and zfs copy/replication of the jails directory from the main server will drag along your mounted filesystem from the main server. This is something that is not clearly understood. At least by me until I tried it.
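
The behaviour alexg describes above, as an added example that is not part of any post in this thread: a host-side check that lists every filesystem mounted beneath a jail's directory and turns the list into rsync exclude patterns, so a copy of the jail does not follow storage added to it. The jail path `/mnt/tank/jails/web` and the mount table are constructed; the function names are hypothetical, and mountpoints are assumed to contain no whitespace.

```shell
#!/bin/sh
# Constructed sample of `mount -p` output on the host
# (fields: device  mountpoint  fstype  options  dump  pass).
sample_mount_table() {
    cat <<'EOF'
tank/jails/web      /mnt/tank/jails/web         zfs     rw,noatime 0 0
devfs               /mnt/tank/jails/web/dev     devfs   rw,multilabel 0 0
/mnt/tank/movies    /mnt/tank/jails/web/media   nullfs  rw 0 0
tank/jails/mail     /mnt/tank/jails/mail        zfs     rw 0 0
/mnt/tank/movies    /mnt/tank/jails/webcache    nullfs  ro 0 0
EOF
}

# Read a mount table on stdin; print "mountpoint<TAB>fstype" for every
# mount strictly beneath jail root $1. Matching on "root/" keeps a
# sibling such as .../webcache from being mistaken for .../web/...
mounts_under() {
    root=${1%/}
    awk -v root="$root" '
        NF >= 3 && index($2, root "/") == 1 { print $2 "\t" $3 }
    '
}

# Convert those mountpoints into patterns for rsync --exclude-from,
# anchored at the jail root. "/media/*" keeps the empty mountpoint
# directory in the copy but skips whatever is mounted on it.
exclude_patterns() {
    root=${1%/}
    mounts_under "$root" | while IFS="$(printf '\t')" read -r mp fstype; do
        printf '%s\n' "/${mp#"$root"/}/*"
    done
}

# Demo on the constructed table. On a real host, from outside the jail:
#   mount -p | exclude_patterns /mnt/tank/jails/web > /tmp/web.excl
#   rsync -a --exclude-from=/tmp/web.excl /mnt/tank/jails/web/ DEST/
sample_mount_table | mounts_under /mnt/tank/jails/web
```

Running the check before a copy also shows which host directories a jail can currently reach through added storage.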
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
nice writeup!

Maybe you could add an advanced section?

i.e. I'm struggling with sending emails from within the jail (not a full blown mail server just sending out i.e. system warning emails or cron job results). that might be an extra chapter ;-)
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
nice writeup!

Maybe you could add an advanced section?

i.e. I'm struggling with sending emails from within the jail (not a full blown mail server just sending out i.e. system warning emails or cron job results). that might be an extra chapter ;-)
Highly non-trivial sir. It's not like mail servers out there in the universe will just accept your outbound mail. It's a bit more complicated.
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
well, ok, any other solution to get notifications from "the inside" of a jail without manually checking then?
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
There are some "hints" inside /etc/rc.conf but not sure what exactly these parameters do:

Code:
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"


And I'm not asking about mail servers in the universe accepting my emails, maybe I'm wanting to send them to my FreeNAS server itself who's got ways of sending them to me... just asking how one can get info out of a jail. i.e. about failed cron jobs.
 