FreeBSD 12 Jail Host - Part 4 - Jails (2021)

Estimated reading time: Seal yourself in a dark room for a day or two.

We finally get to start some jails up!

The Journey

All the parts in this series.

The Jails

We're finally here! Let's create a jail and start it up. I've assumed you've downloaded the 12.2-RELEASE release for the jail; if you're using something else, adjust the -r argument accordingly.

# iocage create -r 12.2-RELEASE -n helloworld
    [...]
// Tell iocage to use a virtual interface
# iocage set vnet=on helloworld
// Use the host system as the default router
# iocage set defaultrouter=10.0.20.1 helloworld
// Set the IP address to use for this jail, make sure it's unique
# iocage set ip4_addr="vnet0|10.0.20.5/24" helloworld
// Start the jail!
# iocage start helloworld

Sometimes the first start fails with vnet errors. (I think the vnet interface may take too long to be created, so iocage fails to configure it and bails.) If the start fails with a vnet error, just run iocage start again.
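The steps above as a small script, added here as an example rather than anything from the original post: it runs the same iocage commands, refuses an IP that another jail already has (the post says to make sure it's unique), and retries the start a few times since the first attempt can fail with a vnet error. It assumes that "iocage get -r ip4_addr" lists every jail's ip4_addr and that the address appears in that output as "vnet0|<ip>/<prefix>"; that assumption, the 24-bit prefix, and the retry count are mine, not the post's.

```sh
#!/bin/sh
# Added example (not from the original post): wrap the iocage steps for a
# vnet jail, check the IP is not already in use, and retry the start.
# Assumption (hypothetical): "iocage get -r ip4_addr" prints each jail's
# ip4_addr and the address appears as "vnet0|<ip>/<prefix>" in its output.

IOCAGE=${IOCAGE:-iocage}       # overridable so the logic can run without a jail host
RELEASE=${RELEASE:-12.2-RELEASE}
ROUTER=${ROUTER:-10.0.20.1}    # the host is the default router (from the post)
START_RETRIES=${START_RETRIES:-3}

# Return 0 if no existing jail already uses the address.
ip_is_free() {
    ip="$1"
    # Match "|10.0.20.5/" so that 10.0.20.5 does not also match 10.0.20.50.
    ! "$IOCAGE" get -r ip4_addr 2>/dev/null | grep -qF "|${ip}/"
}

# The post notes a first start sometimes fails with a vnet error; retry.
start_with_retry() {
    name="$1"; n=0
    while [ "$n" -lt "$START_RETRIES" ]; do
        if "$IOCAGE" start "$name"; then
            return 0
        fi
        n=$((n + 1))
        echo "start of $name failed (attempt $n/$START_RETRIES), retrying" >&2
        sleep 1
    done
    return 1
}

# Create and configure a vnet jail: $1 = jail name, $2 = IPv4 address.
create_vnet_jail() {
    name="$1"; ip="$2"
    if ! ip_is_free "$ip"; then
        echo "refusing: $ip is already assigned to another jail" >&2
        return 1
    fi
    "$IOCAGE" create -r "$RELEASE" -n "$name" || return 1
    "$IOCAGE" set vnet=on "$name" || return 1
    "$IOCAGE" set defaultrouter="$ROUTER" "$name" || return 1
    "$IOCAGE" set ip4_addr="vnet0|${ip}/24" "$name" || return 1
    start_with_retry "$name"
}

# Usage on the jail host: sh mkjail.sh helloworld 10.0.20.5
if [ $# -eq 2 ]; then
    create_vnet_jail "$1" "$2"
fi
```

Running it with no arguments does nothing, so it can be sourced from another script; with a name and address it performs the create/set/start sequence from the post.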

You should have a running jail now. We've got one more quick config step we need to perform with each jail we create, so let's do that now.

// Open a console in the jail
# iocage console helloworld
// Add some values to /etc/rc.conf
jail# cat >> /etc/rc.conf
firewall_enable="YES"
firewall_type="OPEN"
^D
jail# /etc/rc.d/ipfw restart

ipfw is already loaded and enabled in the kernel, so it is active inside the jail, but a vnet jail has its own network stack, so nothing is configured there and the host's rules don't apply to it. The lines above just configure an open (allow-everything) firewall for the jail; you could instead configure an actual ruleset if you wanted.
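If you want an actual ruleset instead of firewall_type="OPEN", here is an added example (mine, not from the post) that writes a restrictive ipfw ruleset for the jail and prints the matching rc.conf lines. rc.firewall flushes the rules and then hands a file path given in firewall_type to ipfw, so the file holds ipfw subcommands without the leading "ipfw". The policy is an assumption for illustration: the jail may initiate anything outbound, accepts SSH only from the jail network 10.0.20.0/24, answers pings, and drops and logs everything else. The path /etc/ipfw.rules is also my choice.

```sh
#!/bin/sh
# Added example (not from the original post): a restrictive ipfw ruleset
# for a vnet jail in place of firewall_type="OPEN".
# Assumed policy (hypothetical): outbound from the jail allowed and
# state-tracked, inbound only SSH from the management network, ICMP
# echo/reply and the common error types allowed, everything else logged
# and dropped. Adjust the inbound rules to the service the jail runs.

# Write the ruleset file: $1 = path, $2 = CIDR allowed to reach sshd.
# Lines starting with "#" are ignored by ipfw when it reads a file.
write_jail_ruleset() {
    rules="$1"
    mgmt_net="$2"
    cat > "$rules" <<EOF
# Loopback traffic, and drop anything spoofing the loopback net
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# Let packets of already-tracked sessions through before static rules
add 200 check-state
# Everything the jail initiates: allow out and keep state for the replies
add 300 allow tcp from me to any out setup keep-state
add 310 allow udp from me to any out keep-state
# ICMP echo reply, unreachable, echo request, time exceeded
add 320 allow icmp from any to any icmptypes 0,3,8,11
# Inbound management: SSH only from ${mgmt_net}
add 400 allow tcp from ${mgmt_net} to me 22 in setup keep-state
# Explicit default: drop and log (logging needs firewall_logging="YES")
add 65000 deny log ip from any to any
EOF
}

# Print the /etc/rc.conf lines that load the ruleset at jail boot.
#   $1 = path of the ruleset inside the jail
rc_conf_fragment() {
    printf 'firewall_enable="YES"\nfirewall_type="%s"\nfirewall_logging="YES"\n' "$1"
}

# Demo: write to a temp dir here; in the jail you would write
# /etc/ipfw.rules, append the rc.conf lines, and restart ipfw as in the post.
demo_dir=$(mktemp -d)
write_jail_ruleset "$demo_dir/ipfw.rules" 10.0.20.0/24
rc_conf_fragment /etc/ipfw.rules
cat "$demo_dir/ipfw.rules"
rm -rf "$demo_dir"
```

With firewall_logging="YES" the dropped packets show up via syslog, which is the quickest way to see what a jailed service is being asked for that the ruleset doesn't allow.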

At this point everything should be working. Test that you can reach the host with something like ping 10.0.20.1, and that you can reach the internet with ping 1.1.1.1.

Unfortunately, if there are issues here, debugging them is beyond the scope of this document. Sorry.

The Conclusion

If everything's working at this point, then you're in good shape! In Part 5 we'll cover some handy commands and general architecture that may be useful.