
Everything you need to know about Jails


Live demo in BSD Now Episode 007 | Originally written by TJ for | Last updated: 2014/03/05

NOTE: the author/maintainer of the tutorial(s) is no longer with the show, so the information below may be outdated or incorrect.

Virtualization is a big part of security these days. Why dedicate an entire machine to one specific service when you can make a virtual machine? The other option is to just run the one service alongside the rest on the same machine. If someone breaks into it, however, they could potentially access lots of private things you don't want them to see. Virtual machines mostly solve this isolation issue, but they have some drawbacks. The main problem is overhead. There are speed penalties when running things in a VM. Disk I/O, emulated NICs, CPU overhead - everything comes at a cost. However, on modern hardware with VT-x, the CPU performance has become a lot better.

Jails are isolated virtual instances of FreeBSD that all run off the same kernel. There's no performance hit at all, even with the network stack and disk I/O. If someone breaks into your jail and gets root, they're confined to that jail's filesystem. There are also lots of other enforced limits in place, so check out the documentation for more info. You can deploy hundreds of jails on the same system with few resources; they use almost no extra RAM aside from the applications you run within them.

There is a really great utility called ezjail for creating, updating and managing jails. You can still do things the traditional way, but ezjail makes things so much more.. ez. Let's get started by installing it from ports or pkgng.

# cd /usr/ports/sysutils/ezjail
# make install clean

The way ezjail works is like this: it first creates a "base" jail, which all the jails will use. It makes a full, isolated FreeBSD userland and then mounts that (read-only) in your real jails. By doing things this way, you only have one jail to keep up to date. It also saves a lot of disk space by not extracting the whole userland every time you want a new jail. Making new ones after you have the base jail in place takes a matter of seconds. You can even "archive" the jails to easily transfer them between machines. To create the base jail (with the system sources and a ports tree), we simply do:

# ezjail-admin install -sp

Jails can be installed into ZFS datasets or even (possibly encrypted) sparse files and memory disks. Both of those options provide a good way to limit disk space that the jail has access to. You can also install by building world or installing from an already-built world using the -b and -i flags. This is useful if you want to run -STABLE or -CURRENT in a jail. Assuming you've stayed with the -RELEASE branch, you can update the basejail with freebsd-update. Just run:

# ezjail-admin update -u

To update the base jail's ports tree, which all jails also have read-only access to, run:

# ezjail-admin update -P

See the /usr/local/etc/ezjail.conf sample file for more options. Your jail(s) can run on the same IP address as the host without (many) problems, but I recommend giving them each their own IP. We'll make an alias on my "em0" NIC. Replace "em0" with your network card name and use your own network settings. An rc.conf entry ensures our jail will be started at boot and gets the IP it needs.

# ifconfig em0 alias netmask 0xffffff00 broadcast
# echo 'ifconfig_em0_alias0="inet netmask 0xffffff00 broadcast"' >> /etc/rc.conf
# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Next, create your actual jail. Give it a hostname and the IP address from before. Copy your resolv.conf to the jail so it can do DNS. Finally, start the service.

# ezjail-admin create
# cp /etc/resolv.conf /usr/jails/
# service ezjail start

Placing limits on jails is also possible. To only give the jail access to the first CPU core, you could do:

# ezjail-admin config -c 0

See this page for more options on limiting jail resources. Finally, to check whether your jail is running, use the "jls" command:

# jls

   JID  IP Address      Hostname       Path
     1      /usr/jails/
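
The recommendation above to give each jail its own IP can be checked directly from the jls listing. The following is an added example, not part of the original tutorial: the function name audit_jail_ips, the addresses and the hostnames are constructed for illustration, and it assumes the default four-column jls layout shown above.

```shell
#!/bin/sh
# Added example: audit `jls` output for jails that share an address.
# All addresses and hostnames below are constructed sample data.

# audit_jail_ips HOST_IP
# Reads default-format `jls` output on stdin. Prints one finding per line
# and returns 1 if any jail uses the host's IP or another jail's IP.
audit_jail_ips() {
    awk -v host_ip="$1" '
        NF == 0 { next }                       # ignore blank lines
        NR == 1 && $1 == "JID" { next }        # skip the header row
        {
            jid = $1; ip = $2; name = $3
            if (ip == host_ip) {
                printf "jid %s (%s): shares host IP %s\n", jid, name, ip
                bad = 1
            }
            if (ip in seen) {
                printf "jid %s (%s): shares IP %s with jid %s\n", jid, name, ip, seen[ip]
                bad = 1
            } else {
                seen[ip] = jid                 # first jail seen on this IP
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in the column layout printed by jls.
sample_jls='   JID  IP Address      Hostname                      Path
     1  192.0.2.10      www.example.org               /usr/jails/www
     2  192.0.2.11      db.example.org                /usr/jails/db
     3  192.0.2.10      mail.example.org              /usr/jails/mail
     4  192.0.2.1       dns.example.org               /usr/jails/dns'

# On a real host (host address supplied by you):
#   jls | audit_jail_ips "$host_ip"
```

A non-zero return makes the function usable as a gate in a provisioning or monitoring script after new jails are created.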

From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.

# ezjail-admin console

Last login: Sun Dec 29 03:08:29 on pts/17
FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013

Welcome to FreeBSD!


You can easily move jails between hosts with minimal configuration changes. Let's stop our example jail and archive it to a file.

# ezjail-admin stop
# ezjail-admin archive

The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, make a new basejail and put the archive in place.

# ezjail-admin create -a /usr/jails/ezjail_archives/bsdnow_tv.tar.gz
# ezjail-admin start

Some links for further reading:
