How to create FreeNAS Jails with iocage

Last updated May 27, 2018

How do I install and use a FreeBSD jail manager called iocage on a FreeNAS server from the command line? How do I create a FreeNAS jail with the iocage command?

iocage is a jail or container manager tool for FreeBSD. It is also available on FreeNAS-based NAS systems. It comes with some of the best features and technologies the FreeBSD operating system has to offer. The iocage tool provides ease of use with a simple and easy-to-understand command syntax for managing jails. This page shows how to manage FreeNAS jails with the iocage command line tool.

Step 1 – Login to FreeNAS server

Use the ssh command:
ssh user@freenas-box-name
ssh vivek@nas04

Become the root user using the sudo command:
$ sudo -i
Find out your FreeNAS server IP address and interface name, enter:
# ifconfig
Please note down your real network interface name. You must activate a zpool, i.e. set it as active, for iocage to use. My zpool name is nixcraft (use zpool list to get a list of zpools), so I run:
# iocage activate nixcraft

Step 2 – Fetch a version of FreeBSD for jail usage

Type the following command (this needs to be done only once):
# iocage fetch
Use the following zpool/zfs command to verify:
# zpool list
# zfs list


Step 3 – Create FreeNAS Jails with iocage command

Create a jail named backupjail with the 192.168.2.30/24 IP address on the interface named igb1:
# iocage create -n backupjail ip4_addr="igb1|192.168.2.30/24" -r 11.1-RELEASE
Sample outputs:

backup successfully created!

List the jails

To list the newly created jail, run:
# iocage list
Sample outputs:

+-----+------------+-------+--------------+--------------+
| JID |    NAME    | STATE |   RELEASE    |     IP4      |
+=====+============+=======+==============+==============+
| -   | backupjail | down  | 11.1-RELEASE | 192.168.2.30 |
+-----+------------+-------+--------------+--------------+

Start the jail named backupjail

# iocage start {jailNameHere}
# iocage start backupjail

Sample outputs:

* Starting backupjail
  + Started OK
  + Starting services OK

How to automatically start jail when FreeNAS reboots

# iocage set boot=on backupjail
Sample outputs:
Property: boot has been updated to on
Verify it:
# iocage get all backupjail | less
# iocage get all backupjail | grep boot
# iocage get boot backupjail

How to login to my jails

The syntax is:
# iocage console {yourJailNameHere}
# iocage console backupjail

Once logged in, install the pkg command on backupjail:
# pkg

Step 4 – Useful jail management commands

Let us see some useful iocage commands.

Show resource usage of all jails

# iocage df

Run a command inside a specified jail

# iocage exec {jailNameHere} {FreeBSDCommandHere}
# iocage exec backupjail ifconfig

How to stop the specified jails or ALL

# iocage stop ALL
# iocage stop backupjail

Restart the specified jails or ALL

# iocage restart ALL
# iocage restart backupjail

Destroy/delete/remove specified jail(s)

This will destroy all data, so be careful:
# iocage destroy backupjail

Run freebsd-update to update a specified jail to the latest patch level

# iocage update backupjail

Summary of commands to create a new jail on FreeNAS

Create a jail named rsyncjail:
# iocage create --release 11.1-RELEASE --name rsyncjail \
boot="on" \
allow_raw_sockets="1" \
ip4_addr="igb1|192.168.2.31/24" \
resolver="nameserver 192.168.2.254;nameserver 8.8.8.8"

In the jail, update all packages, enable SSHD, add a new user and install the rsnapshot package:
# iocage console rsyncjail
# pkg update && pkg upgrade
# echo 'sshd_enable="YES"' >> /etc/rc.conf
# service sshd start
# pw useradd -n vivek -G wheel -s /bin/tcsh -m -d /home/vivek
# passwd vivek
# pkg install rsnapshot

Creating jail that can run OpenVPN server or client

In the following example, I enable vnet and allow ping via raw sockets so that an OpenVPN client jail can connect to my Ubuntu OpenVPN server:
# iocage create --release 11.1-RELEASE --name openvpnjail \
vnet="on" boot="on" allow_raw_sockets="1" \
ip4_addr="vnet0|192.168.2.30/24" \
defaultrouter="192.168.2.254" \
resolver="nameserver 192.168.2.254;nameserver 8.8.8.8"

Run the following command to allow creation of the tap device for the FreeBSD/FreeNAS jail:
/sbin/devfs rule -s 4 add path 'tun*' unhide
Please note that you must add the pre-init task in the FreeNAS UI so that OpenVPN can create the tap device.
I usually create one jail per service. For example, I create a jail for each FreeBSD service such as an Nginx/PHP/Perl/Python web service, a MariaDB database server, Deluge, a Duplicity/Rsnapshot backup service and more.
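
With one jail per service, each jail should carry only the privileges its service needs. The following added example (not part of the original article) checks a jail's properties against a per-jail allowlist; it assumes `iocage get all JAIL` prints one `property:value` pair per line, and the `audit_jail` function, the allowlists and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumption: `iocage get all JAIL`
# prints one "property:value" pair per line. Sample data below is constructed.

# audit_jail NAME "ALLOWED" < properties
# Prints one finding for each privilege-widening setting the jail has but its
# service was not expected to need. ALLOWED is a space-separated subset of:
# allow_raw_sockets vnet tun
audit_jail() {
    awk -F: -v jail="$1" -v allowed=" $2 " '
        function on(v)    { return v == "1" || v == "on" || v == "yes" }
        function ok(name) { return index(allowed, " " name " ") > 0 }
        { val = substr($0, length($1) + 2) }   # value may itself contain ":"
        $1 == "allow_raw_sockets" && on(val) && !ok($1) {
            print jail ": allow_raw_sockets is enabled but not expected" }
        $1 == "vnet" && on(val) && !ok($1) {
            print jail ": vnet is enabled but not expected" }
        # Ruleset 4 is the one changed by: devfs rule -s 4 add path "tun*" unhide
        $1 == "devfs_ruleset" && val == "4" && !ok("tun") {
            print jail ": uses devfs ruleset 4 (tun* unhidden there)" }
    '
}

# Constructed sample properties, modelled on the two jails created above.
sample_rsyncjail() {
    printf '%s\n' 'allow_raw_sockets:1' 'boot:on' 'devfs_ruleset:4' \
        'ip4_addr:igb1|192.168.2.31/24' 'vnet:off'
}
sample_openvpnjail() {
    printf '%s\n' 'allow_raw_sockets:1' 'boot:on' 'devfs_ruleset:4' \
        'ip4_addr:vnet0|192.168.2.30/24' 'vnet:on'
}

# Assumed policy: the backup jail needs none of these, the VPN jail all three.
sample_rsyncjail   | audit_jail rsyncjail ""
sample_openvpnjail | audit_jail openvpnjail "allow_raw_sockets vnet tun"

# On the FreeNAS host itself (not run here):
#   iocage get all rsyncjail | audit_jail rsyncjail ""
```

A finding does not mean the setting is wrong, only that it should be a deliberate choice for that jail: raw sockets are what make ping work inside it, and a jail that must not see tun devices needs a devfs ruleset other than the one that was edited.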

Conclusion

And there you have it. You just created a jail that automatically starts for the FreeNAS system. For more info see the official FreeNAS docs here and iocage command docs here.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
