TrueNAS CORE Nightly Development Documentation
This content follows experimental early release software.

Jails Screens

As of TrueNAS CORE 13.3, this feature is untested and provided without support to the TrueNAS Community.

Users with a critical need to use containers or virtualization solutions in production should migrate to the tested and supported virtualization features available in TrueNAS SCALE. TrueNAS Enterprise customers can contact iXsystems to schedule a TrueNAS SCALE deployment. See CORE to SCALE Migrations for more information.

The Jails screen displays a list of jails installed on your system. Use it to add, edit, or delete jails.

Use the blue Columns dropdown list to change the information displayed in the jails list. Options are Select All, JID, Boot, State, Release, IPv4, IPv6, Type, Template, Basejail, or Reset to Defaults.

Use the settings icon to set the pool to use for jail storage.

Use ADD to display the first configuration Wizard screen and to access the ADVANCED JAIL CREATION button to display advanced jail configuration screens.

Individual Jail Screen

Click the chevron_right icon to display the individual jail screen, the primary settings and additional action options for that jail.

Click the expand_more icon to collapse the individual jail screen.

Jails Options

| Name | Description |
|------|-------------|
| EDIT | Used to modify the settings described in Advanced Jail Creation below. You cannot edit a jail while it is running. You can only view read-only settings until you stop the jail operation. |
| MOUNT POINTS | Select an existing mount point to edit. Either click EDIT or ACTIONS > Add Mount Point to create a mount point for the jail. A mount point gives a jail access to storage located elsewhere on the system. You must stop a jail before adding, editing, or deleting a mount point. |
| RESTART | Stops and immediately starts a jail that is running or up. |
| START | Starts a jail that has a current STATE of down. |
| STOP | Stops a jail in the current STATE of up. |
| UPDATE | Runs freebsd-update to update the jail to the latest patch level of the installed FreeBSD release. |
| SHELL | Displays the Shell screen with access to a root command prompt where you can interact with a jail directly from the command line. Type exit to leave the command prompt or click Jails on the breadcrumb at the top of the screen to return to the Jails screen. |
| DELETE | Deletes the selected jail. Caution: deleting the jail also deletes all of the jail contents and all associated snapshots. Back up the jail data, configuration, and programs first. There is no way to recover the contents of a jail after deleting it! |

Action options change based on the jail state. For example, a stopped jail does not have a STOP or SHELL option.

Jail Creation Options

TrueNAS has two options to create a jail, the Wizard or the Advanced Jail Creation option at the bottom of the Wizard screen. The Jail Wizard makes it easy to create a jail. ADVANCED JAIL CREATION opens the advanced configuration screen with all possible jail configuration settings. We recommend that only advanced users with specific requirements for a jail use this form.

Jail Wizard

Use the jail-creation Wizard to add a new jail by following and completing required fields in a pre-determined order. The wizard is the simplest process to create and configure a new jail. Click ADD to display the first of three Wizard configuration screens.

Name Jail and Choose FreeBSD Release Screen

This screen includes the jail name, type, and release settings.

Name Jail and Choose FreeBSD Release Settings
| Setting | Description |
|---------|-------------|
| Name | Required. Enter a name using letters, numbers, or the period (.), dash (-), or underscore (_) special characters. You can rename a jail after creating and saving it. |
| Jail Type | Select an option from the dropdown list. Options are Default (Clone Jail) or Basejail. Use Default (Clone Jail) to create jails that are clones of the release specified in Release. These are linked to that release, even if they are upgraded. Use Basejail to mount the specified release directories as nullfs mounts over the jail directories. Basejails are not linked to the original release when upgraded. Versions of FreeBSD are downloaded the first time they are used in a jail. Additional jails created with the same version of FreeBSD are created faster because the download is already complete. |
| Release | Select the FreeBSD release to use as the jail operating system from the dropdown list. Options are 12.4-RELEASE or 13.2-RELEASE. Jails can run FreeBSD versions up to the same version as the host system. Newer releases are not shown. |
| Advanced Jail Creation | Opens the Advanced Jail Creation screens. This form is only recommended for advanced users with very specific requirements for a jail. |

Configure Networking Screen

This screen includes the DHCP, NAT, and VNET options, the IPv4 and IPv6 interface, address, and default router settings, the IPv4 netmask, and the IPv6 prefix.

Configure Networking Settings
| Name | Description |
|------|-------------|
| DHCP Autoconfigure IPv4 | Select to auto-configure jail networking with the Dynamic Host Configuration Protocol (DHCP). Also select VNET and Berkeley Packet Filter with this option. |
| NAT | Select to use Network Address Translation (NAT), which transforms local network IP addresses into a single IP address. Select when the jail shares a single connection to the Internet with other systems on the network. |
| VNET | Select to use VNET(9) to emulate network devices for the jail. A fully virtualized per-jail network stack is installed. |
| vnet_default_interface | Select the default VNET interface from options on the dropdown list. Options are none, auto, or specific interfaces on your system. Only takes effect when VNET is selected. Choose a specific interface or set to auto to use the interface that has the default route. Choose none to not set a default VNET interface. |
| IPv4 Interface | Select the IPv4 interface for the jail from the dropdown list. |
| IPv4 Address | Enter the IPv4 address for VNET(9) and shared IP jails. |
| IPv4 Netmask | Select the IPv4 netmask for the jail from the dropdown list. |
| IPv4 Default Router | Enter a valid IPv4 address to use as the default route. Enter none to configure the jail with no IPv4 default route. A jail without a default route is not able to access any networks. |
| AutoConfigure IPv6 | Select to use Stateless Address Auto Configuration (SLAAC) to auto-configure IPv6 in the jail. |
| IPv6 Interface | Select the IPv6 interface for the jail from the dropdown list. |
| IPv6 Address | Enter the IPv6 address for VNET(9) and shared IP jails. |
| IPv6 Prefix | Select the IPv6 prefix for the jail from the dropdown list. |
| IPv6 Default Router | Enter a valid IPv6 address to use as the default route. Enter none to configure the jail without an IPv6 default route. A jail without a default route is not able to access any networks. |

Confirm Options Screen

This screen shows a summary of the jail settings entered or selected on the Wizard screens.

Wizard Navigation

Next advances to the next screen.

Back returns to the previous screen.

SUBMIT saves all settings and creates the Jail.

Cancel closes the current screen and exits the configuration process without saving.

Advanced Jail Creation

The Advanced Jail Creation screen has four expandable configuration areas: Basic Properties, Jail Properties, Network Properties, and Custom Properties.

Click the expand_more icon to collapse any area of configuration settings.

Use Next to advance to the next configuration settings section, or click the expand_less icon to expand a configuration settings area.

Basic Properties

The Basic Properties area includes the jail name, type, FreeBSD release, and network settings.

Jail Basic Properties Settings

| Name | Description |
|------|-------------|
| Name | Required field. Enter a name that can include letters, numbers, periods (.), dashes (-), and underscores (_). |
| Jail Type | Select an option from the dropdown list. Options are Default (Clone Jail) or Basejail. Use Default (Clone Jail) to create jails that are clones of the release specified in Release. They are linked to that release, even if they are upgraded. Use Basejail to mount the specified release directories as nullfs mounts over the jail directories. Basejails are not linked to the original release when upgraded. |
| Release | Select an option from the dropdown list. Options are 12.2-RELEASE or 13.0-RELEASE. This is the FreeBSD release to use as the jail operating system. Jails can run FreeBSD versions up to the same version as the host system. Newer releases are not shown. |
| DHCP Autoconfigure IPv4 | Select to auto-configure jail networking with the Dynamic Host Configuration Protocol (DHCP). Also select VNET and Berkeley Packet Filter with this option. |
| NAT | Select to use Network Address Translation (NAT), which transforms local network IP addresses into a single IP address. Select when the jail shares a single connection to the Internet with other systems on the network. |
| VNET | Select to use VNET(9) to emulate network devices for the jail. A fully virtualized per-jail network stack is installed. |
| Berkeley Packet Filter | Select to use the Berkeley Packet Filter (BPF(4)) to access data-link layers in a protocol-independent fashion. |
| vnet_default_interface | Select the default VNET interface from options on the dropdown list. Options are none, auto, or specific interfaces on your system. Only takes effect when VNET is selected. Choose a specific interface or set to auto to use the interface that has the default route. Choose none to not set a default VNET interface. |
| IPv4 Interface | Select the IPv4 interface for the jail from the dropdown list. |
| IPv4 Address | Enter the IPv4 address for VNET(9) and shared IP jails. |
| IPv4 Netmask | Select the IPv4 netmask for the jail from the dropdown list. |
| IPv4 Default Router | Enter a valid IPv4 address to use as the default route. Enter none to configure the jail with no IPv4 default route. A jail without a default route is not able to access any networks. |
| AutoConfigure IPv6 | Select to use Stateless Address Auto Configuration (SLAAC) to auto-configure IPv6 in the jail. |
| IPv6 Interface | Select the IPv6 interface for the jail from the dropdown list. |
| IPv6 Address | Enter the IPv6 address for VNET(9) and shared IP jails. |
| IPv6 Netmask | Select the IPv6 prefix for the jail from the dropdown list. |
| IPv6 Default Router | Enter a valid IPv6 address to use as the default route. Enter none to configure the jail without an IPv6 default route. A jail without a default route is not able to access any networks. |
| Auto Start | Select to auto-start the jail at system boot time. Jails are started and stopped based on iocage priority. Set the priority in the Custom Properties priority field. |

Jail Properties

The Jail Properties area includes the jail ruleset to follow, commands to run in the system or jail environment, the jail user, settings that allow or deny SYSV IPC message, semaphore, and shared memory primitives, VNET interfaces, and other jail settings.

Jail Properties Settings

| Name | Description |
|------|-------------|
| devfs_ruleset | The devfs(8) ruleset number to enforce when mounting devfs in the jail. The default 0 means no ruleset is enforced. Mounting devfs inside a jail is only possible when the allow_mount and allow_mount_devfs permissions are enabled and enforce_statfs is set to a value lower than 2. |
| exec_start | Commands to run in the jail environment after the jail is created. Example: sh /etc/rc. The pseudo-parameters section of JAIL(8) describes exec.start usage. |
| exec_stop | Commands to run in the jail environment before the jail is removed and after exec.prestop commands complete. Example: sh /etc/rc.shutdown. |
| exec_prestart | Commands to run in the system environment before a jail is started. |
| exec_poststart | Commands to run in the system environment after a jail is started and after any exec_start commands are finished. |
| exec_prestop | Commands to run in the system environment before a jail is stopped. |
| exec_poststop | Commands to run in the system environment after a jail is stopped. |
| exec_jail_user | Enter either root or another valid username. Inside the jail, this user runs the commands. |
| exec_system_user | Run commands in the jail as this user. By default, the current user runs these commands. |
| securelevel | The value of the jail securelevel sysctl. A jail never has a lower securelevel setting than the host system. Setting this parameter allows a higher securelevel setting. If the host system securelevel setting is changed, the jail secure level is at least as secure. |
| sysvmsg | Allows or denies access to SYSV IPC message primitives. Use the dropdown list to select from Inherit, New or Disable. Select Inherit to make all IPC objects on the system visible to the jail. Select New to make only objects the jail creates using the private key namespace visible. The system and parent jails have access to the jail objects but not private keys. Select Disable so the jail cannot perform any sysvmsg-related system calls. |
| sysvsem | Allows or denies access to SYSV IPC semaphore primitives. Use the dropdown list to select from Inherit, New or Disable. Select Inherit to make all IPC objects on the system visible to the jail. Select New to make only objects the jail creates using the private key namespace visible. The system and parent jails have access to the jail objects but not private keys. Select Disable so the jail cannot perform any sysvsem-related system calls. |
| sysvshm | Allows or denies access to SYSV IPC shared memory primitives. Use the dropdown list to select from Inherit, New or Disable. Select Inherit to make all IPC objects on the system visible to the jail. Select New to make only objects the jail creates using the private key namespace visible. The system and parent jails have access to the jail objects but not private keys. Select Disable so the jail cannot perform any sysvshm-related system calls. |
| vnet_interfaces | A space-delimited list of network interfaces attached to a VNET enabled jail after it is created. Interfaces are released when the jail is removed. |
| allow_set_hostname | Select to allow changing the jail host name with hostname(1) or sethostname(3). |
| allow_sysvipc | Select to choose whether a process in the jail has access to System V IPC primitives. Equivalent to setting sysvmsg, sysvsem, and sysvshm to Inherit. Deprecated in FreeBSD 11.0 and newer! Use sysvmsg, sysvsem, and sysvshm instead. |
| allow_raw_sockets | Select to allow raw sockets. Utilities like ping(8) and traceroute(8) require raw sockets. When selected, source IP addresses are enforced to comply with the IP addresses bound to the jail, ignoring the IP_HDRINCL flag on the socket. |
| allow_chflags | Select to treat jail users as privileged and allow the manipulation of system file flags. Secure level constraints are still enforced. |
| allow_mlock | Enables running services that require mlock(2) in a jail. |
| allow_vmm | Allows the jail to access the bhyve virtual machine monitor (VMM). The jail must have FreeBSD 12.0 or newer installed with the vmm(4) kernel module loaded. |
| allow_quotas | Select to allow the jail root to administer quotas on jail file systems. This includes file systems the jail shares with other jails or with non-jailed parts of the system. |
| allow_socket_af | Select to allow access to other protocol stacks beyond IPv4, IPv6, local (UNIX), and route. Warning: jail functionality does not exist for all protocol stacks. |
| allow_mount | Select to allow privileged users inside the jail to mount and unmount file system types marked as jail-friendly. Also use the dropdown list to select from the options allow_mount_devfs, allow_mount_fusefs, allow_mount_nullfs, allow_mount_procfs, allow_mount_tmpfs or allow_mount_zfs. |

Network Properties

The Network Properties area includes the assigned interface(s), host name, domain name, resolver, routing table to use, IP address type (v4 or v6), MAC prefix, and NAT interface and port forwarding settings.

Network Properties Settings

| Name | Description |
|------|-------------|
| Interfaces | Use to enter up to four interface configurations in the format interface:bridge, separated by a comma (,), where the left value is the virtual VNET interface name and the right value is the name of the bridge to attach the virtual interface to. |
| host_domainname | Use to enter a NIS domain name for the jail. |
| host_hostname | Use to set the jail host name. Defaults to the jail UUID. |
| resolver | Use to add lines to the jail resolv.conf. For example, nameserver IP;search domain.local. Delimit fields with a semicolon (;). Each semicolon translates to a new line in resolv.conf. Enter none to inherit resolv.conf from the host. |
| exec_fib | Enter the routing table (FIB) to use when running commands inside the jail. |
| ip4.saddrsel | Select to disable IPv4 source address selection for the jail in favor of the primary IPv4 address of the jail. Only available when the jail is not configured to use VNET. |
| ip6.saddrsel | Select to disable IPv6 source address selection for the jail in favor of the primary IPv6 address of the jail. Only available when the jail is not configured to use VNET. |
| ip4 | Controls the availability of IPv4 addresses. Use the dropdown list to select from options Inherit, New or Disable. Select Inherit to allow unrestricted access to all system addresses. Select New to restrict addresses with ip4_addr. Select Disable to stop the jail from using IPv4 entirely. |
| ip6 | Controls the availability of IPv6 addresses. Use the dropdown list to select from options Inherit, New or Disable. Select Inherit to allow unrestricted access to all system addresses. Select New to restrict addresses with ip6_addr. Select Disable to stop the jail from using IPv6 entirely. |
| mac_prefix | Enter a valid MAC address vendor prefix. For example, E4F4C6. |
| vnet0_mac | Use to assign a fixed MAC address. Leave this field empty to generate random MAC addresses for the host and jail. To assign fixed MAC addresses, enter the MAC address to assign to the host, a space, then the MAC address to assign to the jail. |
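
The following Python check is an added example, not part of the TrueNAS documentation or the iocage code base: it flags the settings that the Jail Properties and Network Properties tables above describe as widening what a jail can see or do. The key:value input format, the "1" encoding for selected checkboxes, and the sample values are assumptions constructed for illustration.

```python
# Added example: flag jail properties that relax isolation (assumed key:value input).
RELAXING_FLAGS = {  # checkbox properties, assumed to be exported as "1" when selected
    "allow_raw_sockets": "raw sockets are allowed inside the jail",
    "allow_chflags": "jail users may manipulate system file flags",
    "allow_mount": "privileged jail users may mount jail-friendly file systems",
    "allow_quotas": "jail root may administer quotas, including on shared file systems",
    "allow_socket_af": "protocol stacks beyond IPv4, IPv6, UNIX and route are reachable",
    "allow_vmm": "the jail can access the bhyve VMM",
    "allow_sysvipc": "deprecated; equivalent to sysvmsg/sysvsem/sysvshm = inherit",
}
# Properties whose "inherit" value exposes host-wide objects or addresses.
INHERIT_SENSITIVE = {
    "sysvmsg": "all SYSV message objects on the system are visible",
    "sysvsem": "all SYSV semaphore objects on the system are visible",
    "sysvshm": "all SYSV shared memory objects on the system are visible",
    "ip4": "unrestricted access to all system IPv4 addresses",
    "ip6": "unrestricted access to all system IPv6 addresses",
}

def parse_properties(text):
    """Parse key:value lines; split on the first colon only so IPv6/MAC values survive."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    findings = [(k, why) for k, why in RELAXING_FLAGS.items() if props.get(k) == "1"]
    findings += [(k, why) for k, why in INHERIT_SENSITIVE.items()
                 if props.get(k, "").lower() == "inherit"]
    if props.get("devfs_ruleset") == "0":
        findings.append(("devfs_ruleset", "no devfs ruleset is enforced"))
    # devfs is mountable from inside the jail only when all three conditions hold.
    statfs = props.get("enforce_statfs", "2")
    if (props.get("allow_mount") == "1" and props.get("allow_mount_devfs") == "1"
            and statfs.isdigit() and int(statfs) < 2):
        findings.append(("allow_mount_devfs", "devfs can be mounted inside the jail"))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """\
allow_raw_sockets:1
allow_chflags:0
allow_mount:1
allow_mount_devfs:1
enforce_statfs:1
devfs_ruleset:4
sysvshm:inherit
ip4:new
"""
if __name__ == "__main__":
    for prop, reason in audit(parse_properties(SAMPLE)):
        print(f"{prop}: {reason}")
```

Each finding is a property to justify or turn off before the jail runs an exposed service; an empty result means none of the listed relaxations is set.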

Custom Properties

The Custom Properties area includes the priority for the jail at boot time, the jail host ID, setting this jail as a template, the system host time setting to synchronize time between the jail and host, enabling ZFS jailing inside the jail, defining the dataset to be jailed and fully handed over to a jail, entering a mount point for the jail_zfs_dataset, tun settings, and other local host, IP host name, and IPv6 autoconfigure settings.

Custom Properties Settings