FreeBSD Jail Management Tools

To design “FreeBSD Mastery: Jails” I need to look at the existing jail management tools. Jails have been around about fifteen years now, and FreeBSD has accumulated a whole bunch of wrappers and supporting tools. Many of these have wound up in the ports collection.

Jails have evolved over the years. Some of these add-on tools are not useful for FreeBSD 9.1 and later.

Here’s a few things I discovered in my research. I’m hoping that you lot will offer your own comments and help me decide which tools to cover in the book.

It seems we have five major jail management toolkits.

  • ezjail – perhaps the best known jail management tool. Written entirely in shell.
  • qjail – Designed for managing lots of jails at the command line, based on templates. The examples use ipfilter, which is my third choice of FreeBSD firewall. Does not need ZFS.
  • iocage – supports resource limiting, thin provisioning, cloning, and either vimage or NAT from the host’s main IP.
  • jadm – Python-based jail command shell, uses a bridge interface. Can migrate jails between hosts. ZFS integration. Lets you set global settings for all jails, per-jail settings, jail groups, and so on.
  • cbsd – web-based management of jails. Supports HAST, migration, CARP, etc.

    The question for me is: which should I cover in the jails book? I’ll mention that all of them exist, but I can only give attention to one or two.

    CBSD seems an obvious choice. It integrates CARP and HAST and vimage and just about everything. Plus, people like web GUIs. It seems to be the giant ape of jail management tools.

    But I want to cover a command-line toolkit. Between ezjail, qjail, iocage, and jadm, I find myself leaning towards iocage.

    There’s some other jail-related software in the ports collection. Here’s those I plan to investigate and possibly include. I might find that their functionality is now included in mainline FreeBSD, however.

  • jps and jtop – external wrappers that add jail info to ps and top.
  • jkill – shuts down a running jail and all its processes from outside the jail. I don’t know that this is still needed, but the functionality is important.
  • bsnmp-jails – feed jail info into snmpd.

    Here are some jail-related ports I don’t plan to include, and why.

  • py-ploy_ezjail, bsdploy – ploy for jails. I don’t ploy.
  • py-ezjailremote – a python wrapper around ezjail. I don’t Python.
  • p5-BSD-Jail-Object – a Perl interface for jail management. I do Perl, but… no.
  • pkg_jail – build packages inside a jail. This looks like an old poudriere.
  • jailrc – improved startup/shutdown scripts for pre-9.1 jails. The key words here are “pre 9.1.”
  • pam_jail – drops the user into a jail upon successful login
  • jailme – a modified version of jexec with more sanity checking. Is setuid, lets normal users run jails.
  • jaildaemon – lets the jail talk to the host? I’m sure this solved a problem for someone, but not me.
  • jailctl – for FreeBSD 4.x and 5.x
  • jailaudit – portaudit for inside jails. I’d say this is superceded by pkg audit.
  • jail2 – advanced jail script. Uses /etc/jail.conf. I’m kinda, sorta sure that this or its descendant is the default FreeBSD 9.1 and later.
    Stalk me on social media
  • 9 Replies to “FreeBSD Jail Management Tools”

    1. First of all, thank you. Jail comparison tools is a very interesting topic.

      CBSD is really interesting project. This is command-line tools where GUI ( text user interface, bsdinstall-style menus and WEB ) as additional bonus. Also ezjail for many years is jail management de facto and it is well known in BSD world ( Thanks to handbook ).

      P.S: there is still Warden from PC-BSD

    2. Pick something that won’t be dead when the book is published. 😉 Since ezjails has been around for years, that’s what I’d like to read about.

    3. All these jail control systems have reached the same point and do not develop simply because they no longer jail(8) develops. Therefore, all these frameworks so alike – are able to create, delete, start and stop. Some of them with ZFS support but it all ;-(

    4. I look forward to the book and then hopefully some data on bhyve. The only issue I have with Jails is the initial setup. From there it’s ok but still not the greatest.

    5. Hi Michael,

      I came across your blog while searching for documentation about BSDploy. Unfortunately I haven’t read any of your books yet, but that might change with the release of a jails book. I’ve always enjoyed the interviews with you on BSDNow, by the way. With regards to your question I would like to express a strong vote for ezjails, which I’ve been using for years. Never heard about the other solutions, but ezjails has been stable and full-featured enough for me not to look elsewhere. Looking forward to the book!

      Best wishes,
      Claus

    6. Hi Michael,

      The CBSD is really interesting project (it can handle bhyve as well). And some time ago I start looking at `iocage`, primary because ezjail/qjail mostly restricting access to modern ‘jail.conf` features. So I am voting for CBSD and iocage.

      Andriy

    Comments are closed.