FreeBSD Manual Pages
IOCAGE(8) FreeBSD System Manager's Manual IOCAGE(8) NAME iocage -- jail manager using ZFS and VNET SYNOPSIS iocage [--help | SUBCOMMAND --help] iocage [-v | --version] iocage activate ZPOOL iocage chroot UUID | TAG [COMMAND] iocage clean [-a | --all] [-b | -r | --base] [-f | --force] [-j | --jails] [-t | --template] iocage console [-f | --force] UUID | TAG iocage create [-b | --basejail] [-c | --count] TEXT [-e | --empty] [-p | --pkglist] TEXT [-r | --release] TEXT [-s | --short] [-t | --template] TEXT [-u | --uuid] TEXT [release=RELEASE] [pkglist=FILE] [property=VALUE] iocage destroy [-d | --download] [-f | --force] [-r | --release] UUID | TAG iocage df [-H | -h | --header] [-l | --long] iocage exec [-U | --jail_user] NAME [-u | --host_user] NAME ALL | TAG | UUID COMMAND [ARGS] iocage export UUID | TAG iocage fetch [--plugins] [-E | --eol] [-F | --files] TEXT [-NE | --noeol] [-NU | --noupdate] [-NV | --noverify] [-P | --plugin-file] TEXT [-U | --update] [-V | --verify] [-a | --auth] TEXT [-c | --count] TEXT [-d | --root-dir] TEXT [-f | --file] [-h | --http] [-p | --password] TEXT [-r | --release] TEXT [-s | --server] TEXT [-u | --user] TEXT [release=RELEASE] [ftphost=ftp.hostname.org] [ftpdir=/dir/] [ftpfiles=base.txz doc.txz lib32.txz src.txz] iocage fstab [-a | --add] [-e | --edit] [-r | --remove] JAIL [FSTAB_STRING] iocage get [-H | -h | --header] [-P | --plugin] [-a | --all] [-p | --pool] [-r | --recursive] PROPERTY [all | UUID | TAG] iocage import JAIL [Jail_value] iocage list [-H | -h | --header] [-P | --plugins] [-R | --remote] [-b | -r | --base | --release] [-h | --http] [-l | --long] [-t | --template] iocage migrate [-d | --delete] [-f | --force] iocage pkg JAIL COMMAND iocage restart [-s | --soft] [UUID | TAG] iocage rollback [-f | --force] [-n | --name] SNAPSHOT [UUID | TAG@snapshotname] iocage set [-P | --plugin] KEY property_value [UUID | TAG] iocage snaplist [-H | -h | --header] [UUID | TAG] iocage snapremove [-n | --name] [UUID | TAG@snapshotname | ALL] iocage snapshot [-n | --name] [UUID | TAG | TAG@snapshotname] iocage start [--rc] [UUID | TAG] iocage stop [--rc] [UUID | TAG] iocage update [UUID | TAG] iocage upgrade [-r | --release] RELEASE [UUID | TAG] DESCRIPTION iocage is a system administration tool designed to simplify jail manage- ment tasks. It abstracts out the management of ZFS-backed jails running VNET or shared IP networking. Both shared IP jails and VNET jails are supported. Each jail has a unique ID (UUID) which is automatically generated at cre- ation time. Using the UUID as a jail identifier makes it possible to replicate a jail in a distributed environment with greater flexibility. This also eliminates potential naming clashes on large scale deployments and helps reduce operator error. Partial UUID calling is supported with every operation. For example, adae47cb-01a8-11e4-aa78-3c970ea3222f can be used in the form of adae47cb or just adae. In addition to partial UUID calling, jail TAGs can be used interchangeably. To ease jail identification, a TAG field is included in list mode which can be set to any string (hostname, label, note, etc.). If unset, the TAG field contains the creation date and time stamp by default. Jails can be easily moved with ZFS send and receive, preserving all of their properties automatically. iocage relies on ZFS and at least one ZFS pool must be present on the host system. Bridge interfaces like bridge0 or bridge1 are required for VNET and can be enabled by adding this line to /etc/rc.conf: cloned_interfaces="bridge0 bridge1" To enable all the features iocage supports, consider building a kernel with these options: options VIMAGE options RACCT options RCTL SUBCOMMANDS --help Display iocage help text. Including --help after a specific subcommand displays help text for that command. --version Display the iocage version number. activate Intended for use by automation tools. The pool can be acti- vated for iocage jails without requiring user input. By default, all other pools are deactivated. chroot Chroot into a jail without actually starting the jail itself. Useful for initial setup like setting a root password or con- figuring networking. A command can be specified as with the normal system chroot(8). clean Destroy ZFS datasets. Options: [-a | --all] Destroys all created iocage data. [-b | -r | --base] Destroys all fetched RELEASE jails. [-f | --force] Runs the command without any further user interaction. [-j | --jails] Destroys all created jails. [-t | --template] Destroys all templates. console Execute login to have a shell inside the jail. Use the [-f | --force] option to run the command with no further user input. create Deploy a new jail based on the host operating system's release. The default can be overridden by specifying the release option. A fully independent jail set is created by default. Options: [-b | --basejail] Create a new "basejail" with a common shared base. [-c | --count] Clone the jail from the current host's release, as determined by the uname -r com- mand. [-e | --empty] Create an empty jail, which is used for unsupported or custom jails. [-p | --pkglist] [-r | --release] Specify which release to use for the new jail. [-s | --short] Use a short UUID of 8 characters instead of the default 36. [-t | --template] Create a template style jail. Use the [-u | --uuid] option to add a specific UUID to the new jail. Examples: iocage create tag=www01 pkglist=$HOME/my-pkgs.txt iocage create -b tag=mybasejail destroy Destroy the specified jail. This is not reversible, so use with caution. If the jail is running, the destroy action fails. Options: [-d | --download] Delete the download of the specified RELEASE as well. [-f | --force] Destroy the jail with no further warnings or user input. [-r | --release] Destroy a specified RELEASE dataset. df Show resource usage of all jails. Invoking df displays a table with several fields: UUID unique jail ID CRT compression ratio RES reserved space QTA disk quota USE used space AVA available space TAG jail name Options: [-H | -h | --header] Use when scripting, using tabs for sepa- rators. [-l | --long] Shows the full UUID. exec Execute a command inside the specified jail. This is an iocage UUID/tag wrapper for jexec(8). Options: [-U | --jail_user] Specifies which jail user runs the command. [-u | --host_user] Specify which host user runs the command. export Exports the specified jail. An archive file is created in /iocage/images with a SHA256 checksum The jail must be stopped before exporting. fetch Download and updates/patches releases. fetch must be executed as the first command on a pristine sys- tem. The host node's RELEASE is downloaded for deployment. If other releases are required, this can be changed by supplying the required release property or just selecting the appropriate RELEASE from the menu list. Options: [--plugins] List all available plugins for cre- ation. [-E | --eol] Enable End Of Life (EOL) checking upstream. [-F | --files] Specify the files to fetch from the mirror. [-NE | --noeol] Disable EOL checking upstream. [-NU | --noupdate] Disable updating the fetch item to the latest patch level. [-NV | --noverify] Disable verifying the SSL cert for HTTP fetching. [-P | --plugin-file] Specify which plugin file to use. [-U | --update] Update the fetch to the latest patch level. [-V | --verify] Enable verifying the SSL cert for HTTP fetching. [-a | --auth] Specifies the authentication method for HTTP fetching. Current values are basic and digest. [-c | --count] [-d | --root-dir] Specify the root directory contain- ing all RELEASE files. [-f | --file] Use a local file directory for the root directory instead of FTP or HTTP. [-h | --http] Change [-s | --server] to define an HTTP server instead of the default FTP. [-p | --password] Add a password, if required. [-r -|-release] Define the FreeBSD release to fetch. [-s | --server] Define which FTP server to log into. [-u | --user] Define the user. Examples: iocage fetch release=10.1-RELEASE fetch is also used to update already downloaded releases. To update a local release already present in iocage (iocage list -r), run: iocage fetch release=10.1-RELEASE This example applies the latest patches to 10.1-RELEASE base. Newly created jails or basejails will automatically have the latest updates applied. fstab Manipulates the fstab settings of a specific jail. Options: [-a | --add] Adds an entry to the specific jail fstab and mount it. [-e | --edit] Open the fstab file in the default editor. [-r | --remove] Remove an entry from a specific jail fstab and unmount it. get Display the specified property. Options: [-H | -h | --header] Used in scripting. Use tabs for separa- tors. [-P | --plugin] Get the specified key for a plugin jail. [-a | --all] Get all properties for the specified jail. If accessing a nested key, use "." as a separator. [-p | --pool] Get the currently activated zpool. [-r | --recursive] Get the specified property for all jails. import Import a specific jail image. Short UUIDs can be used, but do not specify the full filename, only the UUID. list List a specified dataset type. By default, all jails are listed. Options: [-H | -h | --header] Used in scripting. Use tabs for separa- tors. [-P | --plugins] Shows available plugins. [-R | --remote] Shows available RELEASE options for remote. [-b | -r | --base | --release] List all bases. [-h | --http] Changes [-R | --remote] to use HTTP. [-l | --long] Shows the full UUID and ip4 address. [-t | --template] Lists all templates. migrate Migrate from the development version of iocage-legacy to the current jail format. Options: [-d | --delete] Destroy the old dataset after migration. [-f | --force] Bypass any further warning or required user interaction. pkg Run desired pkg commands in the specified jail. restart Restart the specified jail. Use ALL to restart all jails. Options: [-s | --soft] Restart the jail, but do not tear down the net- work stack. rollback Roll back a jail to an existing snapshot. Any intermediate snapshots are destroyed in the process. For more information on this functionality, please see zfs(8). Options: [-f | --force] Run the command, skipping any warnings or fur- ther user interaction. [-n | --name] [Required] Used to specify the snapshot name. set Set the specified property in the desired jail. Options: [-P | --plugin] Set the specified key for a plugin jail. If accessing a nested key, use "." as a separa- tor. Example: iocage set -P foo.bar.baz=VALUE PLUGIN snaplist List snapshots of a jail. A number of different fields are displayed: NAME snapshot name CREATED creation time RSIZE referenced size USED used space Options: [-H | -h | --header] Used for scripting. Tabs are used as separators. snapremove Delete snapshots of the specified jail. If the keyword ALL is used, all snapshots the specified jail are deleted. Options: [-n | --name] [Required] The snapshot name. snapshot Create a ZFS snapshot of the specified jail. If a snapshot name is not specified, a name based on the current date and time is generated. Options: [-n | --name] The user created snapshot name. start Start a jail identified by UUID or TAG Options: [--rc] Start all jails with boot=on in a specific order. Jails with lower priority start first. stop Stop a jail identified by UUID or TAG Options: [--rc] Stop all jails with boot=on in a specific order. Jails with higher priority values stop first. update Run freebsd-update to update the specified jail to the latest patch level. A backup snapshot is automatically created to provide a rollback option. upgrade Run freebsd-update to upgrade a jail RELEASE to the specified RELEASE. iocage set release=10.1-RELEASE UUID|TAG For this, the release must be locally available. Options: [-r | --release] [Required] RELEASE the jail uses for upgrading. PROPERTIES The Source listed with each property shows whether it is a local iocage property or where more information can be located. pkglist=none | path-to-file A json file listing one package per entry. Packages are automatically installed when a jail is created. Works only in combination with the create subcommand. Default: none Source: local vnet=on | off Controls whether the jail is started with a VNET or a shared IP configuration. The default is to auto-guess from a sysctl. If a fully virtualized per-jail network stack is not needed, set this to off. Default: auto-guess Source: local ip4_addr="interface|ip-address/netmask" The IPv4 address for VNET and shared IP jails. Single interface format: interface|ip-address/netmask Multiple interface format: interface|ip-address/netmask,interface|ip-address/netmask On shared IP jails, an interface name given before the IP address adds an alias to that interface. If the DEFAULT keyword is given instead of an interface name, the inter- face is automatically assigned based on the system's default interface. A netmask in either dotted-quad or CIDR form given after the IP address is used when adding the IP alias. The IP address is automatically assigned at the first start of the jail. This requires that the ip4_autostart and ip4_autoend variables are set on the "default" property source. If used, the IP4 address is set to the first available based upon the given range and existing jails. Example: iocage set ip4_autostart="100" default iocage set ip4_autoend="150" default iocage set ip4_autosubnet="24" default This results in the automatic IPv4 address being assigned in the base range of the default network interface. That is, if the local default NIC is set to 192.168.0.XXX, then the new address will be 192.168.0.[100-150]/24. In VNET jails, the interface is configured with the IP addresses listed. Example: "vnet0|192.168.0.10/24,vnet1|10.1.1.10/24" Interfaces vnet0 and vnet1 are configured in a VNET jail. In this case, no network configuration is necessary in the jail's rc.conf file. Default: none Source: jail(8) ip4_saddrsel=1 | 0 Only applies when vnet=off. A boolean option to change the formerly mentioned behavior and disable IPv4 source address selection for the prison in favor of the primary IPv4 address of the jail. Source address selection is enabled by default for all jails and the ip4_nosaddrsel settting of a parent jail is not inherited for any child jails. Default: 1 Source: jail(8) ip4=new | disable | inherit Only applies when vnet=off. Control the availability of IPv4 addresses. Possible values are "inherit" to allow unrestricted access to all system addresses, "new" to restrict addresses via ip4.addr above, and "disable" to stop the jail from using IPv4 entirely. Setting the ip4.addr parameter implies a value of "new". Default: new Source: jail(8) defaultrouter=none | ipaddress Setting this property to anything other than none config- ures a default route inside a VNET jail. defaultrouter6=none | ip6address Setting this property to anything other than none config- ures a default IPv6 route inside a VNET jail. resolver=none | nameserver IP;nameserver IP;search domain.local Set the jail's resolver (resolv.conf). Fields must be delimited with a semicolon. Semicolons are translated to newlines in resolv.conf. If the resolver is set to none (default) the jail inherits the resolv.conf file from the host. ip6.addr, ip6.saddrsel, ip6 A set of IPv6 options for the prison, the counterparts to ip4.addr, ip4.saddrsel and ip4 above. interfaces=vnet0:bridge0,vnet1:bridge1 | vnet0:bridge0 By default, there are two interfaces specified with their bridge association. Up to four interfaces are supported. Interface configurations are separated by commas. The for- mat is interface:bridge, where the left value is the vir- tual VNET interface name and the right value is the bridge name where the virtual interface should be attached. Default: vnet0:bridge0,vnet1:bridge1 Source: local domainname= The NIS domainname of the jail. Default: none Source: jail(8) host_hostname=UUID The hostname of the jail. Default: UUID Source: jail(8) exec_fib=0 | 1 .. The FIB (routing table) to set when running commands inside the jail. Default: 0 Source: jail(8) devfs_ruleset=4 | 0 .. The number of the devfs ruleset that is enforced for mount- ing devfs in this jail. A value of zero (default) means no ruleset is enforced. Descendent jails inherit the parent jail's devfs ruleset enforcement. Mounting devfs inside a jail is possible only if the allow_mount and allow_mount_devfs permissions are effective and enforce_statfs is set to a value lower than 2. Devfs rules and rulesets cannot be viewed or modified from inside a jail. NOTE: It is important that only appropriate device nodes in devfs be exposed to a jail. Access to disk devices in the jail may permit processes in the jail to bypass the jail sandboxing by modifying files outside of the jail. See devfs(8) for information on how to use devfs rules to limit access to entries in the per-jail devfs. A simple devfs ruleset for jails is available as ruleset 4 in /etc/defaults/devfs.rules Default: 4 Source: jail(8) mount_devfs=1 | 0 Mount a devfs(5) filesystem on the chrooted /dev directory, and apply the ruleset in the devfs_ruleset parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the jail. Default: 1 Source: jail(8) exec_start="/bin/sh /etc/rc" Commands to run in the prison environment when a jail is created. A typical command to run is sh /etc/rc Default: /bin/sh /etc/rc Source: jail(8) exec_stop="/bin/sh /etc/rc.shutdown" Commands to run in the prison environment before a jail is removed and after any exec_prestop commands have completed. A typical command to run is sh /etc/rc.shutdown Default: /bin/sh /etc/rc.shutdown Source: jail(8) exec_prestart="/usr/bin/true" Commands to run in the system environment before a jail is started. Default: /usr/bin/true Source: jail(8) exec_prestop="/usr/bin/true" Commands to run in the system environment before a jail is stopped. Default: /usr/bin/true Source: jail(8) exec_poststop="/usr/bin/true" Commands to run in the system environment after a jail is stopped. Default: /usr/bin/true Source: jail(8) exec_poststart="/usr/bin/true" Commands to run in the system environment after a jail is started, and after any exec_start commands have completed. Default: /usr/bin/true Source: jail 8 exec_clean=1 | 0 Run commands in a clean environment. The environment is discarded except for HOME, SHELL, TERM and USER. HOME and SHELL are set to the target login's default values. USER is set to the target login. TERM is imported from the cur- rent environment. The environment variables from the login class capability database for the target login are also set. Default: 1 Source: jail(8) exec_timeout=60 | 30 .. The maximum amount of time to wait for a command to com- plete. If a command is still running after this many sec- onds have passed, the jail will be terminated. Default: 60 Source: jail(8) stop_timeout=30 | 60 .. The maximum amount of time to wait for a jail's processes to exit after sending them a SIGTERM signal. This happens after the exec_stop commands have completed. After this many seconds have passed, the jail is removed, killing any remaining processes. If this is set to zero, no SIGTERM is sent and the prison is immediately removed. Default: 30 Source: jail(8) exec_jail_user=root In the jail environment, commands are run as this user. Default: root Source: jail(8) exec_system_jail_user=0 | 1 This boolean option looks for the exec_jail_user in the system passwd(5) file rather than the jail's file. Default: 0 Source: jail(8) exec_system_user=root Run commands as this user in the system environment. The default is to run commands as the current user. Default: root Source: jail(8) mount_fdescfs=1 | 0 Mount a fdescfs(5) filesystem in the jail's /dev/fd direc- tory. Note: This is not supported on FreeBSD 9.3. Default: 1 Source: jail(8) mount_procfs=0 | 1 Mount a procfs(5) filesystem in the jail's /dev/proc direc- tory. Default: 0 Source: local enforce_statfs=2 | 1 | 0 Determine which information processes in a jail are able to obtain about mount points. The behavior of these syscalls is affected: statfs(2), fstatfs(2), getfsstat(2), and fhstatfs(2) as well as similar compatibility syscalls. When set to 0, all mount points are available without any restrictions. When set to 1, only mount points below the jail's chroot directory are visible. Additionaly, the path to the jail's chroot directory is removed from the front of their pathnames. When set to 2 (default), the syscalls above can operate only on a mountpoint where the jail's chroot directory is located. Default: 2 Source: jail(8) children_max=0 | .. The number of child jails allowed to be created by this jail (or by other jails under this jail). This limit is zero by default, indicating the jail is not allowed to cre- ate child jails. See the Hierarchical Jails section for more information in jail(8). Default: 0 Source: jail(8) login_flags="-f root" These flags are passed to login(1) when logging in to jails with the console function. Default: -f root Source: login(1) jail_zfs=on | off Enable automatic ZFS jailing inside the jail. The assigned ZFS dataset is fully controlled by the jail. NOTE: Setting this to on automatically enables allow_mount=1, enforce_statfs=1, and allow_mount_zfs=1! These are dependent options required for ZFS management inside a jail. Default: off Source: local jail_zfs_dataset=iocage/jails/UUID/root/data | zfs_filesystem The dataset to be jailed and fully handed over to a jail. Takes the ZFS filesystem name without pool name. NOTE: only valid if jail_zfs=on. By default, the mount- point is set to none. To mount this dataset, set its mountpoint inside the jail. For example, zfs set mountpoint=/data full-dataset-name mount -a Default: iocage/jails/UUID/root/data Source: local securelevel=3 | 2 | 1 | 0 | -1 The value of the jail's kern.securelevel sysctl. A jail never has a lower securelevel than the default system, but by setting this parameter it is allowed to have a higher one. If the system securelevel is changed, any jail securelevels will be at least as secure. Default: 2 Source: jail(8) allow_set_hostname=1 | 0 Allow the jail's hostname to be changed with hostname(1) or sethostname(3). Default: 1 Source: jail(8) allow_sysvipc=0 | 1 Set whether a process in the jail has access to System V IPC primitives. Prior to FreeBSD 11.0, System V primitives share a single namespace across the host and jail environ- ments, meaning that processes within a jail would be able to communicate with, and potentially interfere with, pro- cesses outside of the jail, or in other jails. In FreeBSD 11.0 and later, this setting is deprecated. Use sysvmsg, sysvsem, and sysvshm instead. Default: 0 Source: jail(8) sysvmsg=disable | inherit | new Allow access to SYSV IPC message primitives. When set to inherit, all IPC objects on the system are visible to this jail, whether they were created by the jail itself, the base system, or other jails. When set to new, the jail has its own key namespace, and can only see the objects that it has created. The system or parent jail has access to the jail's objects, but not to its keys. When set to disable, the jail cannot perform any sysvmsg-related system calls. Ignored in FreeBSD 10.3 and earlier. Default: disable Source: jail(8) sysvsem=disable | inherit | new Allow access to SYSV IPC semaphore primitives in the same manner as sysvmsg. Ignored in FreeBSD 10.3 and earlier. Default: disable Source: jail(8) sysvshm=disable | inherit | new Allow access to SYSV IPC shared memory primitives in the same manner as sysvmsg. Ignored in FreeBSD 10.3 and ear- lier. Default: disable Source: jail(8) allow_raw_sockets=0 | 1 The prison root is allowed to create raw sockets. Setting this parameter allows utilities like ping(8) and traceroute(8) to operate inside the prison. If set, the source IP addresses are enforced to comply with the IP address bound to the jail, regardless of whether the IP_HDRINCL flag has been set on the socket. Since raw sockets can be used to configure and interact with various network subsystems, extra caution should be used where privileged access to jails is given out to untrusted par- ties. Default: 0 Source: jail(8) allow_chflags=0 | 1 Normally, privileged users inside a jail are treated as unprivileged by chflags(2). When this parameter is set, such users are treated as privileged, and can manipulate system file flags subject to the usual constraints on kern.securelevel. Default: 0 Source: jail(8) allow_mount=0 | 1 Allow privileged users inside the jail to mount and unmount filesystem types marked as jail-friendly. The lsvfs(1) command can be used to find filesystem types available for mount from within a jail. This permission is effective only if enforce_statfs is set to a value lower than 2. Default: 0 Source: jail(8) allow_mount_devfs=0 | 1 Allow privileged users inside the jail to mount and unmount the devfs file system. This permission is effective only together with allow.mount and if enforce_statfs is set to a value lower than 2. Please consider restricting the devfs ruleset with the devfs_ruleset option. Default: 0 Source: jail(8) allow_mount_nullfs=0 | 1 Allow privileged users inside the jail to mount and unmount the nullfs file system. This permission is effective only together with allow_mount and if enforce_statfs is set to a value lower than 2. Default: 0 Source: jail(8) allow_mount_procfs=0 | 1 Allow privileged users inside the jail to mount and unmount the procfs file system. This permission is effective only together with allow.mount and if enforce_statfs is set to a value lower than 2. Default: 0 Source: jail(8) allow_mount_tmpfs=0 | 1 Allow privileged users inside the jail to mount and unmount the tmpfs file system. This permission is effective only together with allow.mount and if enforce_statfs is set to a value lower than 2. Note: This is not supported on FreeBSD 9.3. Default: 0 Source: jail(8) allow_mount_zfs=0 | 1 Allow privileged users inside the jail to mount and unmount the ZFS filesystem. This permission is effective only together with allow.mount and if enforce_statfs is set to a value lower than 2. See zfs(8) for information on how to configure the ZFS filesystem to operate from within a jail. Default: 0 Source: jail(8) allow_quotas=0 | 1 The jail root can administer quotas on the jail's filesys- tems. This includes filesystems that the jail might share with other jails or with non-jailed parts of the system. Default: 0 Source: jail(8) allow_socket_af=0 | 1 Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This setting allows access to other protocol stacks that have not had jail functional- ity added to them. Default: 0 Source: .Xr jail 8 host_hostuuid=UUID Default: UUID Source: jail(8) tag="any string" Custom string for aliasing jails. Default: date@time Source: local template=yes | no This property controls whether the jail is a template. Templates are not started by iocage. Set to yes if this jail will be converted into a template. See the EXAMPLES section below. Default: no Source: local boot=on | off If set to "on", the jail is auto-started at boot time with start --rc and stopped at shutdown time with stop --rc. Jails are started and stopped based on their priority value. Default: off Source: local notes="any string" Custom notes for miscellaneous tagging. Default: none Source: local owner=root The owner of the jail. Can be any string. Default: root Source: local priority=99 | 50 .. Start priority at boot time. Smaller values mean higher priority. For shutdown, the order is reversed. Default: 99. Source: local last_started Last successful start time. Automatically set every time the jail starts. Default: timestamp Source: local type=basejail,empty,normal Set the jail type to basejail, empty or normal. Default: normal Source: local release=10.0-RELEASE | 9.2-RELEASE The release used at creation time. Can be set to any string if needed. Default: the host's release Source: local compression=on | off | lzjb | gzip | gzip-N | zle | lz4 Controls the compression algorithm used for this dataset. The lzjb compression algorithm is optimized for performance while providing decent data compression. Setting compres- sion to on uses the lzjb compression algorithm. The gzip algorithm uses the same compression as the gzip(1) command. The compression level can be specified by using the value gzip-N, where N is an integer from 1 (fastest) to 9 (best compression ratio). Currently, gzip is equivalent to gzip-6, which is also the default for gzip(1). The zle algorithm compresses runs of zeros. The lz4 algorithm is a high-performance replacement for the lzjb algorithm. It features significantly faster compres- sion and decompression, as well as a moderately higher com- pression ratio than lzjb, but can only be used on pools with the lz4_compress feature enabled. See zpool-features(7) for details on ZFS feature flags and the lz4_compress feature. This property can also be referred to by its shortened col- umn name of "compress". Changing this property affects only newly-written data. Default: lz4 Source: zfs(8) origin This is only set for clones and is read-only. For cloned file systems or volumes, the snapshot from which the clone was created. See the clones property. Default: - Source: zfs(8) quota=15G | 50G | .. Quota for the jail. Limit the amount of space a dataset and its descendants can consume. This property enforces a hard limit on the amount of space used. This includes all space consumed by descendants, including file systems and snapshots. Setting a quota on a descendent of a dataset that already has a quota does not override the ancestor's quota, but rather imposes an additional limit. Default: none Source: zfs(8) mountpoint Path for the jail's root filesystem. Do not tweak this or the jail will not start! Default: set to jail's root Source: zfs(8) compressratio Compression ratio. Read-only. For non-snapshots, the com- pression ratio achieved for the used space of this dataset, expressed as a multiplier. The used property includes descendant datasets, and, for clones, does not include the space shared with the origin snapshot. Source: zfs(8) available Available space in the jail's dataset. The amount of space available to the dataset and all its children, assuming that there is no other activity in the pool. Because space is shared within a pool, availability can be limited by any number of factors, including physical pool size, quotas, reservations, or other datasets within the pool. Source: zfs(8) used Space used by jail. Read-only. Source: zfs(8) dedup=on | off | verify | sha256[,verify] Deduplication for jail. Default: off Source: zfs(8) reservation=size | none Reserved space for jail. Default: none Source: zfs(8) sync_target This is for future use, currently not supported. sync_tgt_zpool For future use, currently not supported. cpuset=1 | 1,2,3,4 | 1-2 | off Control the jail's CPU affinity. Default: off Source: cpuset(1) EXAMPLES Set up iocage from scratch: iocage fetch Create first jail: iocage create -r 11.0-RELEASE tag=myjail List jails: iocage list Start jail: iocage start UUID Convert jail into template: iocage set template=yes UUID List templates: iocage list -t Import package on another host iocage import UUID HINTS When using VNET, remember to add the node's physical NIC into one of the bridges if an outside connection is needed. Also see bridge(4) for how traffic is handled. In a nutshell: bridges behave like a network switch. The PF firewall is not supported inside VNET jails as of July 2014. PF can be enabled for the host. IPFW is fully supported inside a VNET jail. The actual jail name in the jls(8) output is set to ioc-UUID. This is a required workaround as jails refuse to start with jail(8) when the jail name starts with a "0". dmesg(8) information leakage inside jails can be prevented with this sysctl: security.bsd.unprivileged_read_msgbuf=0 When using VNET, consider applying these sysctls as well: net.inet.ip.forwarding=1 net.link.bridge.pfil_onlyip=0 net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=0 For more information, please see https://github.com/iocage/iocage SEE ALSO cpuset(1), bridge(4), epair(4), freebsd-update(8), ifconfig(8), jail(8), jexec(8), rctl(8), sysctl(8), zfs(8), zpool(8) BUGS Please report bugs, issues, and feature requests at https://github.com/iocage/iocage/issues AUTHORS Peter Toth Brandon Schneider SPECIAL THANKS Sichendra Bista - for his ever willing attitude and ideas. FreeBSD Ports 11.2 April 20, 2017 FreeBSD Ports 11.2
NAME | SYNOPSIS | DESCRIPTION | SUBCOMMANDS | PROPERTIES | EXAMPLES | HINTS | SEE ALSO | BUGS | AUTHORS | SPECIAL THANKS
Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=iocage&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>