iocage jail type: base jail vs clone. Which to choose?

Joined
Jul 10, 2016
Messages
521
My understanding is that for the first case, the template will be read-only and can not be deleted unless the 6 basejails first deleted. But the 6 basejails can be update with one `iocage update`

For the second case, the 6 clones are copies of the basejail's snapshot (thus relying on the existence of the basejail). Nevertheless, the basejail is still writable. Moreover, here also, one `iocage update` will update all jails.

For the first case, once a jail is converted to a template, it becomes read only. That is correct.
You can then create other jails from that template, using all the same options that creating jails from a release offer.

These options determine the type of the resulting jails, not the template. As part of playing with this, I discovered that creating a template of a basejail had issues, the jails created from such template did not start. In the example below, I use a thick jail as a template, as this makes the template the most portable.

Code:
sudo iocage create -n templ -t -r 11.3-RELEASE
sudo iocage set template=1 templ

sudo iocage create -n jailfromtempl -t templ
sudo iocage create -n bjailfromtempl -b -t templ
sudo iocage create -n tjailfromtempl -T -t templ

sudo iocage list -l                
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| JID |      NAME       | BOOT | STATE |   TYPE   |     RELEASE     |         IP4         | IP6 | TEMPLATE  | BASEJAIL |
+=====+=================+======+=======+==========+=================+=====================+=====+===========+==========+
| -   | bjailfromtempl  | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | -         | yes      |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| -   | jailfromtempl   | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | templ     | no       |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| -   | tjailfromtempl  | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | -         | no       |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+

Only when you create the jails with the -b option, it will be a base jail. The default case jailfromtempl is a clone jail and relies on the templ to exist, the others do not.

For the second case, iocage also provides flexibility on how to create the clone.
Code:
 sudo iocage create -n baseclone -b -r 11.3-RELEASE
 sudo iocage clone -n clonedjail baseclone
 sudo iocage clone -T -n thickclonedjail baseclone

In this example, both clonedjail and thickclonedjail are base jails of 11.3-RELEASE, and updating one will indeed update all base jails. The thickclonedjail (created with the -T option) is a "thick jail". It has no longer a dependency on baseclone, the base jail it was cloned from, at the cost of some extra disc space. The clonedjail jail is a pure clone, relying on the existence of the basejail, and initially very small in size.

I would recommend to try some of the examples in this thread out and see how the resulting jails fit your specific use case. It will be a great learning experience. :smile:
 

sankayop

Cadet
Joined
Sep 12, 2020
Messages
3
For the first case, once a jail is converted to a template, it becomes read only. That is correct.
You can then create other jails from that template, using all the same options that creating jails from a release offer.

These options determine the type of the resulting jails, not the template. As part of playing with this, I discovered that creating a template of a basejail had issues, the jails created from such template did not start. In the example below, I use a thick jail as a template, as this makes the template the most portable.

Code:
sudo iocage create -n templ -t -r 11.3-RELEASE
sudo iocage set template=1 templ

sudo iocage create -n jailfromtempl -t templ
sudo iocage create -n bjailfromtempl -b -t templ
sudo iocage create -n tjailfromtempl -T -t templ

sudo iocage list -l               
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| JID |      NAME       | BOOT | STATE |   TYPE   |     RELEASE     |         IP4         | IP6 | TEMPLATE  | BASEJAIL |
+=====+=================+======+=======+==========+=================+=====================+=====+===========+==========+
| -   | bjailfromtempl  | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | -         | yes      |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| -   | jailfromtempl   | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | templ     | no       |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+
| -   | tjailfromtempl  | off  | down  | jail     | 11.3-RELEASE-p7 | -                   | -   | -         | no       |
+-----+-----------------+------+-------+----------+-----------------+---------------------+-----+-----------+----------+

Only when you create the jails with the -b option, it will be a base jail. The default case jailfromtempl is a clone jail and relies on the templ to exist, the others do not.

For the second case, iocage also provides flexibility on how to create the clone.
Code:
 sudo iocage create -n baseclone -b -r 11.3-RELEASE
sudo iocage clone -n clonedjail baseclone
sudo iocage clone -T -n thickclonedjail baseclone

In this example, both clonedjail and thickclonedjail are base jails of 11.3-RELEASE, and updating one will indeed update all base jails. The thickclonedjail (created with the -T option) is a "thick jail". It has no longer a dependency on baseclone, the base jail it was cloned from, at the cost of some extra disc space. The clonedjail jail is a pure clone, relying on the existence of the basejail, and initially very small in size.

I would recommend to try some of the examples in this thread out and see how the resulting jails fit your specific use case. It will be a great learning experience. :smile:
Thanks a lot @Jurgen Segaert , I'm impressed by the expertise you have and also the way you explain it!

After having done some tests and with the info in your answer, I finally decided to do the same as what you advised to @rudds since my case is quite similar.
For one of the clones I created, I had to `portsnap fetch && portsnap extract`, because I had to built an old version of node but even after this, the clone was still smaller than the basejail so I'm still happy with this :)

Thanks once more for your fast, kind and clear explanation.
 

Bernhard

Cadet
Joined
Nov 17, 2012
Messages
5
Hello Jurgen

The most comprehensive and best summary for comparing jail types I have seen; many thanks for spending required time to perform the post.
I have upgraded my FreeNAS now to TrueNAS Core and would like to pull my Jails up to actually available Release 12.2 as well.
But if I understood your post correct, upgrading from Release 11.3 to now available 12.2-Release (in TrueNAS Core) is only possible if base jail type has been used previously; otherwise the jail will remain in old release 11.3 or must be setup newly.
Am I correct?
Thanks for your help.
 
Joined
Jul 10, 2016
Messages
521
The iocage upgrade command works on any of the jail types. Some points to note:
  • You have to upgrade each jail individually with e.g. iocage upgrade -r 12.2-RELEASE jailname.
  • Clone jails (the default jail type) will keep the dependency on whatever zfs-dataset they were cloned from, typically the release. For such cases. you can't simply iocage destroy -r 11.3-RELEASE afterwards, as that will also destroy the jails cloned from that release. I can't find the link now, but there's a post in this forum where somebody posted instructions on how to promote the jail dataset to work around that dependency.
  • Base jails are very fast to upgrade as they just mount the userland from the release. They also have the smallest footprint after upgrade.
 

Bernhard

Cadet
Joined
Nov 17, 2012
Messages
5
I have realized that iocage upgrade was working on my FreeNAS jails based on 11.3. I was able to upgrade to finally 11.3-RELEASE-p14.

When I was performing iocage upgrade -r 12.2-RELEASE jailname after change to TrueNAS Core there was no sub folder 12.2-RELEASE in the folder download nor in folder releases.

I seams no download has taken place.

So I executed iocage fetch and got the download sub folder.

I can add now a new Jail via GUI of TrueNAS with release 12.2; but neither I am able to upgrade an existing jail to 12.2-RELEASE via TrueNAS shell or by connecting to TrueNAS via SSH.

It ends up in nowhere.

Any idea about this?
 

Alecmascot

Guru
Joined
Mar 18, 2014
Messages
1,175
Any idea about this?
I saw your post so I fired up my test server to see if it works for me :
Code:
FreeBSD 12.2-RC3 7c4ec6ff02c(HEAD) TRUENAS

---
root@freenas3:~ # iocage list
+-----+--------+-------+--------------+------------+
| JID |  NAME  | STATE |   RELEASE    |    IP4     |
+=====+========+=======+==============+============+
| 1   | medusa | up    | 12.1-RELEASE | 10.10.0.37 |
+-----+--------+-------+--------------+------------+
root@freenas3:~ # iocage fetch
[0] 11.2-RELEASE (EOL)
[1] 11.3-RELEASE (EOL)
[2] 11.4-RELEASE
[3] 12.0-RELEASE (EOL)
[4] 12.1-RELEASE
[5] 12.2-RELEASE

Type the number of the desired RELEASE
Press [Enter] to fetch the default selection: (Not a RELEASE)
Type EXIT to quit: 5
Fetching: 12.2-RELEASE

Downloading: MANIFEST [####################] 100%
Downloading: base.txz [####################] 100%
Downloading: lib32.txz [####################] 100%
Downloading: src.txz [####################] 100%
Extracting: base.txz...
Extracting: lib32.txz...
Extracting: src.txz...

* Updating 12.2-RELEASE to the latest patch level...
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 12.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.2-RELEASE-p0.
No updates are available to install.
Run '/tmp/tmp2h2qwlp3 fetch' first.

root@freenas3:~ # iocage upgrade medusa -r 12.2-RELEASE
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata files... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
world/base world/doc world/lib32

The following components of FreeBSD do not seem to be installed:
world/base-dbg world/lib32-dbg

Does this look reasonable (y/n)? y

Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... failed.
Fetching metadata signature for 12.2-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 12.1-RELEASE for merging... done.
Preparing to download files... done.
Fetching 8686 patches.....10....20....30....40....50....60....70....80....90....100....110....120....130....140....150...

-edit-

...8560....8570....8580....8590....8600....8610....8620....8630....8640....8650....8660....8670....8680... done.
Applying patches... done.
Fetching 504 files... ....10....20....30....40....50....60....70....80....90....100....110....120....130....140....150....160....

-edit-

...480....490....500.. done.
Attempting to automatically merge changes in files... done.

The following changes, which occurred between FreeBSD 12.1-RELEASE and
FreeBSD 12.2-RELEASE have been merged into /etc/group:
--- current version
+++ new version

-edit-

Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 12.1-RELEASE and
FreeBSD 12.2-RELEASE have been merged into /etc/master.passwd:
--- current version
+++ new version

-edit-

Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 12.1-RELEASE and
FreeBSD 12.2-RELEASE have been merged into /etc/passwd:
--- current version
+++ new version

-edit-

Does this look reasonable (y/n)? y
The following files will be removed as part of updating to
12.2-RELEASE-p0:
/etc/rc.d/abi

-edit-

/etc/ssl/certs/080911ac.0
The following files will be updated as part of updating to
12.2-RELEASE-p0:
/.cshrc

-edit-

/bin/kenv
To install the downloaded upgrades, run "/tmp/tmpc45jlnbm install".
qsrc component not installed, skipped
Installing updates...

Kernel updates have been installed.  Please reboot and run
"/tmp/tmpc45jlnbm install" again to finish installing updates.
src component not installed, skipped
Installing updates...Scanning /mnt/vol1/iocage/jails/medusa/root/usr/share/certs/blacklisted for certificates...
Scanning /mnt/vol1/iocage/jails/medusa/root/usr/share/certs/trusted for certificates...
Scanning /mnt/vol1/iocage/jails/medusa/root/usr/local/share/certs for certificates...
done.

medusa successfully upgraded from 12.1-RELEASE-p10 to 12.2-RELEASE!
root@freenas3:~ #

+-----+--------+-------+--------------+------------+
| JID |  NAME  | STATE |   RELEASE    |    IP4     |
+=====+========+=======+==============+============+
| 1   | medusa | up    | 12.2-RELEASE | 10.10.0.37 |
+-----+--------+-------+--------------+------------+
root@freenas3:~ #


Where does it fail for you ?
 
Joined
Jul 10, 2016
Messages
521
I can add now a new Jail via GUI of TrueNAS with release 12.2; but neither I am able to upgrade an existing jail to 12.2-RELEASE via TrueNAS shell or by connecting to TrueNAS via SSH.

It ends up in nowhere.

I recommend you start a new post explaining your issue in some more detail, i.e. list the exact commands you are executing and the output (error messages?) from the system.
 

Bernhard

Cadet
Joined
Nov 17, 2012
Messages
5
Dear All
Thanks for trying to support me.
The jail I tried to upgrade is now destroyed (no problem it was a test jail anyway).
So I will stop upgrading and spend my time to do newly installation of the required jails and will change to base jail type with 12.2-release via GUI of TrueNAS.
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
For the second case, iocage also provides flexibility on how to create the clone.
Code:
 sudo iocage create -n baseclone -b -r 11.3-RELEASE
sudo iocage clone -n clonedjail baseclone
sudo iocage clone -T -n thickclonedjail baseclone

In this example, both clonedjail and thickclonedjail are base jails of 11.3-RELEASE, and updating one will indeed update all base jails. The thickclonedjail (created with the -T option) is a "thick jail". It has no longer a dependency on baseclone, the base jail it was cloned from, at the cost of some extra disc space. The clonedjail jail is a pure clone, relying on the existence of the basejail, and initially very small in size.

I found two such posts here arguing this for thick jails, but it is wrong

These two commands will not convert/export a thick jail from a base/clone jail
Code:
sudo iocage clone -T -t template
sudo iocage clone -T -n new_thick_jail current_base_jail


Both commands will "Create a ‘thick’ jail from the template, so that it will be independent from the template" but still a base jail
The 2nd command will consider current_base_jail as a template and the resulting jail will be independent from it, but still a base jail

Proof:
Code:
# create a base jail named "test"
root@freenas:~ # iocage create -n test -b -r 11.4-RELEASE
test successfully created!

# clone the new base jail with -T
root@freenas:~ # iocage clone test -T -n thick_from_test
thick_from_test successfully cloned!

# thick_from_test is not a thick jail !!!
root@freenas:~ # iocage list -l
+-----+-----------------+------+-------+------+-----------------+--------------------+--------------------+----------+----------+
| JID |      NAME       | BOOT | STATE | TYPE |     RELEASE     |        IP4         |        IP6         | TEMPLATE | BASEJAIL |
+=====+=================+======+=======+======+=================+====================+====================+==========+==========+
| -   | test            | off  | down  | jail | 11.4-RELEASE-p4 | -                  | -                  | -        | yes      |
+-----+-----------------+------+-------+------+-----------------+--------------------+--------------------+----------+----------+
| -   | thick_from_test | off  | down  | jail | 11.4-RELEASE-p4 | -                  | -                  | -        | yes      |
+-----+-----------------+------+-------+------+-----------------+--------------------+--------------------+----------+----------+


Code:
# size is same and not of a thick jail

root@freenas:~ # iocage df
+-----------------+-------+------+------+-------+-------+
|      NAME       |  CRT  | RES  | QTA  |  USE  |  AVA  |
+=================+=======+======+======+=======+=======+
| test            | 1.05x | none | none | 156M  | 1.60T |
+-----------------+-------+------+------+-------+-------+
| thick_from_test | 1.05x | none | none | 156M  | 1.60T |
+-----------------+-------+------+------+-------+-------+


To create a thick jail from a base jail, you still must create a thick jail from scratch and then copy and create all the data links from the base jail you want to "clone". This is done using some custom scripting like rsync
 
Last edited:
Top