This page is currently a work in progress. Content can be discussed on the freebsd-jail@freebsd.org mailing list.

General

Jails were introduced in FreeBSD 4.0 by Poul-Henning Kamp.

You can read more about jails in the FreeBSD Handbook and in the jail(8) and jail(2) manual pages.

Existing Patches

Each entry below is one row of the original table, in the order: Feature, Status, Author, Description.

CPU + RAM limits

Not fully working / stalled

ChrisJones

Jails can now have the amount of memory available to their processes' resident sets (RSS) limited.
CPU limiting is implemented by giving each jail a number of CPU shares and tracking the estimated CPU usage of the tasks that run in that jail (SoC 2006 JailResourceLimits)
fix: jtune not showing resource usage patch
fix: jtune not showing resource usage + page faults patch
based on FreeBSD 6.x
Memory Limits for 7.0 by Christopher Thunes patch
Memory Limits for 7.1 by Tom Judge patch
Resource limits for jails (CPU, memory, file descriptors, processes) patch by Menshikov Konstantin, mailing list announcement
based on FreeBSD 8.x
Hierarchical Resource Limits SoC 2009 by Edward Tomasz Napierala
based on FreeBSD 9.x

Multi-IPv4/v6/no-IP jails

done / committed

Bjoern A. Zeeb

As an alternate solution to full network stack virtualization, this work shall provide a lightweight solution for multi-IP virtualization. Perforce status overview SVN 188281
HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
This update gives you: zero, one or multi-IP jails; IPv4 and IPv6 support; cpuset support for jails; jail names and states to ease administration; 32bit compat on 64bit, jail v1 compat;...
based on FreeBSD 7.1/8.x

Wildcard IP (INADDR_ANY) should not bind inside a jail

done / stalled

Frank Behrens

If there is a jail, the IP address assigned to it should not be considered a valid address for INADDR_ANY in the host. With this change an easy jail setup is possible without further modifications of the host's base configuration. PR 84215 patch
based on FreeBSD 6.x
Covered by Bjoern A. Zeeb's work on multi-IPv4/v6/no-IP jails

jexec - selection by jail name

done / committed

Frank Behrens

jexec(8) needs the numeric ID of the jail. This ID is not constant and changes on jail restarts, so it is desirable to select a jail by its name. The attached patch is a sample implementation. PR 119305 patch
Extend jexec to accept a hostname or IP address besides the jail ID
2008-05-26 committed to 8-CURRENT
MFC after: 2 weeks
based on FreeBSD 7.x

Set priority in rc.d

done / not committed

Jan Srzednicki

A simple rc.d jail patch to enable priority patch
Added documentation PR 124248 patch
based on FreeBSD 7.x

Do not keep JID incrementing forever

done / committed / reverted

Ed Schouten

Jail IDs keep incrementing forever. Reusing freed IDs makes jls/ps output a lot easier to read: no more 4-5 digit numbers in a test setup where you only have 10-20 jails. PR 122270
2008-04-11 committed to 8-CURRENT
2008-05-12 MFC committed to RELENG_7
based on FreeBSD 8.x

Per prison process count limit

done / stalled

Alex Lyashkov

Done as part of FreeVPS
based on FreeBSD 6.x

Separated UID hash

done / stalled

Alex Lyashkov

Done as part of FreeVPS
based on FreeBSD 6.x

Separated SysV IPC

done / stalled

Alex Lyashkov

Done as part of FreeVPS
based on FreeBSD 6.x

File handles usage limit

done / stalled

Alex Lyashkov

Done as part of FreeVPS
based on FreeBSD 6.x

Hierarchical jails

work in progress

Jamie Gritton

Hierarchical jails under the new framework (jails inside jail)
jh.diff in mailinglist
jhu.diff in mailinglist (user side)
questions and example use
based on FreeBSD 8.x

Future plans in FreeBSD Jails / virtualization

If you have any ideas or requests, please use the freebsd-jail@ mailing list to discuss them.

This is a list of well-known and often-discussed requests; some of them will never be done in jails, and some are or will be covered in other ways.

Known problems and bugs

Tips

leak of system message buffer from host system to jails

By default, unprivileged processes, including everything inside a jail, can read the kernel message buffer (i.e. what dmesg(8) shows), so a jail can see the host's boot and kernel messages. In many cases this isn't desired. Add the following line to the host's /etc/sysctl.conf to turn it off: security.bsd.unprivileged_read_msgbuf=0. Note that this also hides the buffer from unprivileged users on the host itself; root on the host can still read it.

allow ping inside jail

If you need to use ping inside a jail, set the sysctl security.jail.allow_raw_sockets=1 (add security.jail.allow_raw_sockets=1 to the host's /etc/sysctl.conf). Be aware that this allows root inside the jail to open raw sockets in general, not just for ping. Since the new jail framework (FreeBSD 7.2 and later) the sysctl only sets the default; you can enable raw sockets for a single jail with the allow.raw_sockets jail parameter instead of for all jails at once.
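As an added example (not from this wiki page or the FreeBSD project), here is a small POSIX sh audit that reads a sysctl.conf-style file and reports the state of the two knobs described in the tips above, honouring '#' comments and the fact that the last assignment of a name wins. The file contents it checks are constructed for the demonstration; on a real host run it against /etc/sysctl.conf. It checks only the persisted configuration, not the live kernel values (use `sysctl security.bsd.unprivileged_read_msgbuf` on the host for those).

```shell
#!/bin/sh
# Added example, not from the FreeBSD wiki page: audit a sysctl.conf-style
# file for the two jail-related knobs discussed in the tips above.
# sysctl.conf syntax: one "name=value" per line, '#' starts a comment,
# and the last assignment of a name wins. The sample contents below are
# constructed for this example.

# Print the effective value of sysctl name $2 in file $1 (empty if unset).
sysctl_conf_get() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -v key="$2" '
        index($0, "=") > 0 {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v        # last assignment wins
        }
        END { print val }'
}

# Report on one file. Returns 0 when the message buffer is hidden from
# jails, 1 otherwise. Raw sockets are reported but do not fail the audit,
# since enabling them is a deliberate trade-off (needed for ping).
audit_jail_sysctls() {
    rc=0
    msgbuf=$(sysctl_conf_get "$1" security.bsd.unprivileged_read_msgbuf)
    raw=$(sysctl_conf_get "$1" security.jail.allow_raw_sockets)

    if [ "$msgbuf" = "0" ]; then
        echo "OK   security.bsd.unprivileged_read_msgbuf=0: jails cannot read the host message buffer"
    else
        echo "WARN security.bsd.unprivileged_read_msgbuf=${msgbuf:-unset, kernel default 1}: jailed users can read the host message buffer"
        rc=1
    fi
    if [ "$raw" = "1" ]; then
        echo "INFO security.jail.allow_raw_sockets=1: ping works in jails, but jailed root can open raw sockets"
    else
        echo "OK   security.jail.allow_raw_sockets=${raw:-unset, kernel default 0}: raw sockets denied in jails"
    fi
    return $rc
}

# Demo on two constructed files: a stock-looking config and a hardened one.
weak=$(mktemp) && hardened=$(mktemp)
cat > "$weak" <<'EOF'
# constructed sample: message buffer left at the default
kern.ipc.shm_use_phys=1
security.jail.allow_raw_sockets=1
EOF
cat > "$hardened" <<'EOF'
# constructed sample: hardened host
security.bsd.unprivileged_read_msgbuf = 1
security.bsd.unprivileged_read_msgbuf = 0   # later line overrides
security.jail.allow_raw_sockets=0
EOF
echo "== $weak"; audit_jail_sysctls "$weak"
echo "== $hardened"; audit_jail_sysctls "$hardened"
rm -f "$weak" "$hardened"
```

The parser strips comments before splitting on the first '=', so a trailing comment or spaces around '=' do not confuse it, and the exit status lets the function be dropped into a host build or compliance check.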

installing 32-bit jail in to 64-bit host

Cross compiling FreeBSD and 32-bit jails on a 64-bit system

Running CentOS 5.5 in a Jail

FreeBSD Wiki: CentOS 5.5 jail running on a host running FreeBSD 8-STABLE

Running Debian 6.0 (Squeeze) in a FreeBSD jail

Tutorial: Debian GNU/kFreeBSD in a FreeBSD jail
Can I run Debian GNU/kFreeBSD in a chroot under FreeBSD?

Useful utilities

Some of them can be used only on older versions of FreeBSD (4.x / 5.x).
Let me know if you know of or have written others.

ezjail

A framework to easily create, manipulate and run FreeBSD jails
sysutils/ezjail

qjail

Utility to deploy large number of jails quickly
http://www.freebsd.org/cgi/query-pr.cgi?pr=148777 , http://sourceforge.net/projects/qjail/

jailadmin

A system for managing a set of named jails
sysutils/jailadmin

jailaudit

Script for generating portaudit reports for jails
ports-mgmt/jailaudit

jailctl

Jail management tool
sysutils/jailctl

jailer

Manage FreeBSD jail startup, shutdown and console
sysutils/jailer

jailme

A setuid version of jexec to allow normal users access to jails
sysutils/jailme

jailutils

Several utilities for managing jails
sysutils/jailutils

jkill

Shuts down a running jail and all its processes
sysutils/jkill

jps

Wrapper to ps(1) that maps pids to jails
sysutils/jps

jtop

Wrapper to top(1) that maps pids to jails
sysutils/jtop

p5-BSD-Jail-Object

An object oriented perl interface to jail(2)
sysutils/p5-BSD-Jail-Object

mod_jail

Apache 1.3.x/2.0.xx module to enable an easy alternative to mod_chroot
www/mod_jail

Jails (last edited 2011-11-10 13:58:16 by MiroslavLachman)