How To Setup FreeBSD Jails With ezjail

How do I set up operating system-level virtualization that allows me to partition my FreeBSD-based Unix server system into several independent mini-systems called jails? I would like to set up one jail each for the mail server and web server via 2 public IP addresses. How can I set up FreeBSD jails?

Each jail in the FreeBSD virtual environment runs on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is almost indistinguishable from a real system. The easiest way to set, create and modify jails is using a framework called ezjail.
WARNING! You need to modify the host server's daemons to listen on only a single private or public IP address. At a minimum, modify sshd, syslogd and other services before you configure jails; a host daemon left bound to all addresses also answers on the IP addresses assigned to the jails.

My sample setup

  1. FreeBSD host server running v11 with public IP address
  2. Mail server jail with public IP address
  3. Web server jail with public IP address

Step # 1: Update your FreeBSD host system

Make sure you are running an updated kernel and base system. Use the cvsup command to install the latest kernel and base system. See the detailed tutorial about upgrading the FreeBSD operating system.

Step # 2: Install ezjail

Type the following commands to install the ezjail port, which contains two scripts to easily create, manipulate and run FreeBSD jails.
# cd /usr/ports/sysutils/ezjail
# make install clean

Or use the binary package system:
# pkg install ezjail
Sample outputs:

[Screenshot: Installing FreeBSD jail management utility ezjail]

Enable ezjail at boot time and via service command

Type the following command:

echo 'ezjail_enable="YES"' >> /etc/rc.conf

ezjail default file locations

  1. /usr/jails/ : Default location to store base jail system template.
  2. /usr/jails/flavours/: Customization for each jail can be done via flavours. For e.g. adding default /etc/resolv.conf file or updating existing /etc/make.conf can be done here.
  3. /usr/jails/basejail/ : Base jail will be exported and mounted as read only for each jail. This will save disk space.
  4. /usr/local/etc/rc.d/ : Stop / Start / Restart jails script.
  5. /usr/local/etc/ezjail.conf : Configuration file for the ezjail script. It contains settings that control the operation of the ezjail rc script. It is also read by the ezjail-admin utility to figure out where it should perform its actions.
  6. /usr/local/etc/ezjail/ : All your jail configuration files are stored here.

Step # 2: Create base jail template

The ezjail-admin utility is used to manage the ezjail environment and all the jails inside the ezjail scope. To create or update ezjail’s environment (i.e. basejail) from source, enter:
# ezjail-admin install
OR specify mirror location with the -h option as follows:
# ezjail-admin install -h
You can set mirror location by editing /usr/local/etc/ezjail.conf file as follows:

# Set mirror closest to you #

The above command will populate the jail with FreeBSD-RELEASE. To populate the jail with installworld, run:
# ezjail-admin update -p -i

  • -p : Provide ports for jail.
  • -i : Do not run make world. This will save time and it will use existing buildworld done in step # 1.

Create clone interface

Type the following two commands to create lo1 interface to keep jail loopback traffic off the host’s loopback network interface:

echo 'cloned_interfaces="lo1"' >> /etc/rc.conf
## Restart netif ##
service netif cloneup
## Verify it ##

Sample outputs:

Created clone interfaces: lo1. 

Step # 3: Create SMTPD Mail Server Jail

Type the following command to create the smtpd jail with a public IP address at the /usr/jails/smtpd directory:
# ezjail-admin create smtpd 'lo1|,vtnet0|'
In this example create httpd with IP address:
# ezjail-admin create httpd 'lo1|,vtnet0|'
To list jails, enter:
# ezjail-admin list
Sample outputs:

STA JID  IP              Hostname                       Root Directory
--- ---- --------------- ------------------------------ ------------------------
DS  N/A       httpd                          /usr/jails/httpd
    N/A  vtnet0|

To start httpd jail, run:
# ezjail-admin start httpd
Sample outputs:

Starting jails: httpd.

To login, enter:
# ezjail-admin console httpd
Sample outputs:

root@httpd:~ #

Set root password:
# passwd

How do I start all Jails?

# /usr/local/etc/rc.d/ezjail start

How do I stop all Jails?

# /usr/local/etc/rc.d/ezjail stop

How do I restart all Jails?

# /usr/local/etc/rc.d/ezjail restart
You can also start / stop / restart particular jail using the following syntax:
# /usr/local/etc/rc.d/ezjail {start/stop/restart} jail-name
# /usr/local/etc/rc.d/ezjail start httpd
# /usr/local/etc/rc.d/ezjail stop

How do I list all jails?

Use the jls command to list all jails:
# jls
# ezjail-admin list
To display more verbose information including cpusets, jail state, multi-IP, etc. enter:
# jls -v

How do I login to my jail from the host itself?

Use jexec command as follows to attach a console to jail:
# jexec jid csh
# ezjail-admin console httpd
jid can be obtained using jls command. Connect to jail called httpd with jid # 2:
# jexec 2 csh
Now, you can install any software and do work with the jail. Update your /etc/resolv.conf file:
# vi /etc/resolv.conf
Install bash shell, enter:
# pkg install bash
Install Apache 2.2 server:
# cd /usr/ports/www/apache22
# make install clean

How do I login to my jail remotely using ssh?

First, login using jexec command from the host itself. Add the following line to jail /etc/rc.conf:
# echo 'sshd_enable="YES"' >> /etc/rc.conf
Open the sshd_config file and update the ListenAddress directive so that sshd binds to the jail IP only. Start the OpenSSH server inside the jail and verify what it is listening on:
# /etc/rc.d/sshd start
# sockstat -4
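
The check behind the warning at the top of this page and the sshd step above, as an added example that is not part of the original tutorial: it reads `sockstat -4 -l` output and reports daemons still bound to the wildcard address. The sample output and the 192.0.2.10 address (RFC 5737 documentation range) are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag listeners bound to the wildcard address in
# `sockstat -4 -l` output. All sample data below is constructed.

# Constructed sample: host before its daemons were pinned to one address.
sample_before() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       823   4  tcp4   *:22                  *:*
root     syslogd    612   7  udp4   *:514                 *:*
root     sendmail   790   3  tcp4   127.0.0.1:25          *:*
EOF
}

# Constructed sample: same host after sshd was bound to 192.0.2.10 and
# syslogd's network socket was closed.
sample_after() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       823   4  tcp4   192.0.2.10:22         *:*
root     sendmail   790   3  tcp4   127.0.0.1:25          *:*
EOF
}

# Read sockstat output on stdin; print "command proto port" for every
# socket whose local address is the wildcard (*:port). On the host such
# a socket accepts traffic on every address, jail addresses included.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, a, ":")
        print $2, $5, a[2]
    }' | sort -u
}

# Return 0 when nothing listens on the wildcard address, 1 otherwise.
check_bindings() {
    found=$(wildcard_listeners)
    if [ -n "$found" ]; then
        echo "wildcard listeners found:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# On a live FreeBSD host: sockstat -4 -l | check_bindings
sample_before | check_bindings || echo "host still needs work"
sample_after  | check_bindings && echo "host daemons are pinned"
```

Run it on the host before creating jails, and again inside each jail after editing sshd_config.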

How do I upgrade FreeBSD jail?

Simply run the following command to update the basejail to the latest patched release of the version of FreeBSD host:
# ezjail-admin update -u

How do I upgrade only ports tree?

No need to stop jails, just run the following to update ports tree for all jails:
# ezjail-admin update -P

Jail log files

The default jail console file is located at /var/log directory. For e.g. view log file for httpd jail, enter:
# tail -f /var/log/jail_httpd_console.log
# grep 'error' /var/log/jail_httpd_console.log

How do I add additional jails?

Create db1 jail, enter:
# ezjail-admin create db1 'lo1|,vtnet0|'
# ezjail-admin list
# ezjail-admin start db1
# ezjail-admin console db1

How do I backup jails?

Use tar, rsync or dump command to backup jail to another server or tape device. For e.g. tar command to backup httpd to tape:
# tar -zcvf /dev/sa0 /usr/jails/httpd
You can also use dump command to backup all jails stored on /jails partition:
# /sbin/dump -0uLf /dev/sa0 /jails/
Later just dump incremental updates:
# /sbin/dump -1uLf /dev/sa0 /jails/

Recommended readings:

  • FreeBSD Jail chapter from the official FreeBSD handbook.
  • man pages jexec, jls, jail, dump, restore
This entry is 1 of 6 in the FreeBSD Jail Operating System-level Virtualization Tutorial series. Keep reading the rest of the series:
  1. Setup FreeBSD Jail With ezjail
  2. FreeBSD Jail Allow Ping / tracerouter Commands
  3. FreeBSD Jail Add Multiple IPv4 / IPv6 Address
  4. FreeBSD Jail Access Private Network Via NAT and PF
  5. How To Upgrade FreeBSD Jail ( OS Level Virtualization )
  6. FreeBSD Jail Allow Sound And Flash Access

12 comments
  • Valqk Jun 12, 2009 @ 11:56

    Just to share, I’ve written a command called
    jlog jailname. It makes jexec JID tcsh and logs you into the jail.
    There it is: Link

    p.s. I didn’t find my posts in mailing lists so I’ve posted in my blog. pls. feel free to delete this comment if you consider this as spam or something.

  • Shoaibi Jun 17, 2009 @ 13:41

    Good going…

    thanks, I was thinking to create one after reading the article…

  • Dhenin Jean-Jacques Mar 22, 2010 @ 19:09

    Much appreciated. Thank you very much. Very useful.

  • cleroy61 Sep 6, 2010 @ 18:41

    When I create a jail with ezjail, I cannot access usr/ports from my jail to install nginx;

    jexec 2 cd /usr/ports/www/nginx && make install clean
    No such file or directory

    It does not exist in fact, how can I link to my jail?
    I’m out of my jail and I am a portsnap extract command
    and then an portsnap fetch update command, thinking I did not open the softwares worn.
    it is present but with the letter ‘l’ in front, preventing me from going there as a directory:

    lrwxr-xr-x 1 root wheel 19 Sep 5 11:12 ports -> /basejail/usr/ports

    Thanking you Sincerely Christophe

  • cleroy61 Sep 7, 2010 @ 19:17

    I found the answer through the FreeBSD forum; the command is not enough

    portsnap fetch extract

    I tried this one after building the jail with ezjail-admin create

    portsnap -p /usr/jails/basejail/usr/ports/ fetch extract

    it’s OK now !

  • Broy Jan 22, 2011 @ 7:08

    I set up Ezjail in my FreeBSD 8.1 amd64 release-version. After successful installation,
    I did the "ezjail-admin update -p -i" command but unfortunately it shows some errors:
    cd /usr/src; make -f Makefile.inc1 hierarchy
    cd /usr/src/etc; make distrib-dirs
    cd: can’t cd to /usr/src/etc
    *** Error code 2

    Stop in /usr/src.
    Error: The command ‘make installworld’ failed.
    Refer to the error report(s) above.

    BTW, I recompiled and built my own kernel first before I installed Ezjail. I suspect the error occurred because of the new kernel configuration, but that is only my presumption.

    Any help about this?

    Thanks much!

  • Karl Blessing Feb 22, 2011 @ 22:56

    Would it be possible to install a jail on a binary distribution. If I don’t have a source tree and I don’t wish to re-build the base system from cvsup but rather keep it easy with freebsd-update?

    • Karl Blessing Feb 23, 2011 @ 0:58

      I just went with pulling down the source tree, doing buildworld (But not installworld). Was just hoping there’d be a way to update the jails without having to rely on sources.

  • Namotco Jun 8, 2012 @ 21:41


    is now:


  • Michael Jul 11, 2012 @ 6:11

    Thanks Vivek for this.

    My question is how do I assign a set amount of disk space and RAM to each jail…. just like we do it on openvz for each virtual machine.

    For example I want jail 1 to have 20GB disk and say 256 MB RAM assigned. jail2 should have 100 GB disk and 1 GB RAM etc. How does one do this?

    • jpd Aug 4, 2012 @ 13:59

      You need to compile the kernel with quota enabled and then use quota to specify disk limitations. Dunno if RAM limitations have been implemented yet (doubt it).

  • Pingu Dec 10, 2020 @ 8:30

    Why does my vtnet0 not exist? It happens when I want to start the httpd..
    Help me
