IOCAGE(8)		FreeBSD	System Manager's Manual		     IOCAGE(8)

NAME
     iocage -- jail manager using ZFS and VNET

SYNOPSIS
     iocage [--help | SUBCOMMAND --help]
     iocage [-v	| --version]

     iocage activate ZPOOL
     iocage chroot UUID	| TAG [COMMAND]
     iocage clean [-a |	--all] [-b | -r	| --base] [-f |	--force]
	    [-j	| --jails] [-t | --template]
     iocage console [-f	| --force] UUID	| TAG
     iocage create [-b | --basejail] [-c | --count] TEXT [-e | --empty]
	    [-p	| --pkglist] TEXT [-r |	--release] TEXT	[-s | --short]
	    [-t	| --template] TEXT [-u | --uuid] TEXT [release=RELEASE]
	    [pkglist=FILE] [property=VALUE]
     iocage destroy [-d	| --download] [-f | --force] [-r | --release] UUID |
	    TAG
     iocage df [-H | -h	| --header] [-l	| --long]
     iocage exec [-U | --jail_user] NAME [-u | --host_user] NAME ALL | TAG |
	    UUID COMMAND [ARGS]
     iocage export UUID	| TAG
     iocage fetch [--plugins] [-E | --eol] [-F | --files] TEXT [-NE | --noeol]
	    [-NU | --noupdate] [-NV | --noverify] [-P |	--plugin-file] TEXT
	    [-U	| --update] [-V	| --verify] [-a	| --auth] TEXT [-c | --count]
	    TEXT [-d | --root-dir] TEXT	[-f | --file] [-h | --http]
	    [-p	| --password] TEXT [-r | --release] TEXT [-s | --server] TEXT
	    [-u	| --user] TEXT [release=RELEASE] [ftphost=ftp.hostname.org]
	    [ftpdir=/dir/] [ftpfiles=base.txz doc.txz lib32.txz	src.txz]
     iocage fstab [-a |	--add] [-e | --edit] [-r | --remove] JAIL
	    [FSTAB_STRING]
     iocage get	[-H | -h | --header] [-P | --plugin] [-a | --all]
	    [-p	| --pool] [-r |	--recursive] PROPERTY [all | UUID | TAG]
     iocage import JAIL	[Jail_value]
     iocage list [-H | -h | --header] [-P | --plugins] [-R | --remote]
	    [-b	| -r | --base |	--release] [-h | --http] [-l | --long]
	    [-t	| --template]
     iocage migrate [-d	| --delete] [-f	| --force]
     iocage pkg	JAIL COMMAND
     iocage restart [-s	| --soft] [UUID	| TAG]
     iocage rollback [-f | --force] [-n	| --name] SNAPSHOT
	    [UUID | TAG@snapshotname]
     iocage set	[-P | --plugin]	KEY property_value [UUID | TAG]
     iocage snaplist [-H | -h |	--header] [UUID	| TAG]
     iocage snapremove [-n | --name] [UUID | TAG@snapshotname |	ALL]
     iocage snapshot [-n | --name] [UUID | TAG | TAG@snapshotname]
     iocage start [--rc] [UUID | TAG]
     iocage stop [--rc]	[UUID |	TAG]
     iocage update [UUID | TAG]
     iocage upgrade [-r	| --release] RELEASE [UUID | TAG]

DESCRIPTION
     iocage is a system administration tool designed to simplify jail
     management.  It abstracts out the management of ZFS-backed jails running
     either VNET or shared IP networking; both jail types are supported.

     Each jail has a unique ID (UUID) which is automatically generated at cre-
     ation time.  Using	the UUID as a jail identifier makes it possible	to
     replicate a jail in a distributed environment with	greater	flexibility.
     This also eliminates potential naming clashes on large scale deployments
     and helps reduce operator error.

     Partial UUID calling is supported with every operation.  For example,
     adae47cb-01a8-11e4-aa78-3c970ea3222f can be used in the form of adae47cb
     or	just adae.  In addition	to partial UUID	calling, jail TAGs can be used
     interchangeably.

     To	ease jail identification, a TAG	field is included in list mode which
     can be set	to any string (hostname, label,	note, etc.).  If unset,	the
     TAG field contains	the creation date and time stamp by default.

     Jails can be easily moved with ZFS	send and receive, preserving all of
     their properties automatically.

     iocage relies on ZFS and at least one ZFS pool must be present on the
     host system.  Bridge interfaces like bridge0 or bridge1 are required for
     VNET and can be enabled by	adding this line to /etc/rc.conf:

	   cloned_interfaces="bridge0 bridge1"

     To	enable all the features	iocage supports, consider building a kernel
     with these	options:

	   options	   VIMAGE
	   options	   RACCT
	   options	   RCTL

SUBCOMMANDS
     --help    Display iocage help text.  Including --help after a specific
	       subcommand displays help	text for that command.

     --version
	       Display the iocage version number.

     activate  Intended	for use	by automation tools.  The pool can be acti-
	       vated for iocage	jails without requiring	user input.  By
	       default,	all other pools	are deactivated.

     chroot    Chroot into a jail without actually starting the	jail itself.
	       Useful for initial setup	like setting a root password or	con-
	       figuring	networking.  A command can be specified	as with	the
	       normal system chroot(8).

     clean     Destroy ZFS datasets.

	       Options:

	       [-a | --all]	   Destroys all	created	iocage data.

	       [-b | -r	| --base]  Destroys all	fetched	RELEASE	jails.

	       [-f | --force]	   Runs	the command without any	further	user
				   interaction.

	       [-j | --jails]	   Destroys all	created	jails.

	       [-t | --template]   Destroys all	templates.

     console   Log in to the jail with login(1) to get a shell inside it.  Use
	       the [-f | --force] option to run the command with no further
	       user input.

     create    Deploy a	new jail based on the host operating system's release.
	       The default can be overridden by	specifying the release option.
	       A fully independent jail	set is created by default.

	       Options:

	       [-b | --basejail]  Create a new "basejail" with a common	shared
				  base.

	       [-c | --count]	  Create TEXT jails in one run, each with its
				  own UUID.

	       [-e | --empty]	  Create an empty jail,	which is used for
				  unsupported or custom	jails.

	       [-p | --pkglist]	  Path to a file listing packages to install
				  when the jail is created; see the pkglist
				  property below.

	       [-r | --release]	  Specify which	release	to use for the new
				  jail.

	       [-s | --short]	  Use a	short UUID of 8	characters instead of
				  the default 36.

	       [-t | --template]  Create a template style jail.

	       [-u | --uuid]	  Give the new jail a specific UUID instead of
				  a generated one.

	       Examples:

	       iocage create tag=www01 pkglist=$HOME/my-pkgs.txt

	       iocage create -b	tag=mybasejail

     destroy   Destroy the specified jail.  This is not	reversible, so use
	       with caution.  If the jail is running, the destroy action
	       fails.

	       Options:

	       [-d | --download]  Delete the download of the specified RELEASE
				  as well.

	       [-f | --force]	  Destroy the jail with	no further warnings or
				  user input.

	       [-r | --release]	  Destroy a specified RELEASE dataset.

     df	       Show resource usage of all jails.  Invoking df displays a table
	       with several fields:

		     UUID  unique jail ID
		     CRT   compression ratio
		     RES   reserved space
		     QTA   disk	quota
		     USE   used	space
		     AVA   available space
		     TAG   jail	name

	       Options:

	       [-H | -h	| --header]  Use when scripting, using tabs for	sepa-
				     rators.

	       [-l | --long]	     Shows the full UUID.

     exec      Execute a command inside	the specified jail.  This is an	iocage
	       UUID/tag	wrapper	for jexec(8).

	       Options:

	       [-U | --jail_user]  Specify which jail user runs the command.

	       [-u | --host_user]  Specify which host user runs	the command.

     export    Export the specified jail.  An archive file is created in
	       /iocage/images together with a SHA256 checksum.  The jail must
	       be stopped before exporting.  Verify the checksum before
	       importing an archive that has left the host.

     fetch     Download and update/patch releases.

	       fetch must be executed as the first command on a	pristine sys-
	       tem.  The host node's RELEASE is	downloaded for deployment.  If
	       other releases are required, this can be	changed	by supplying
	       the required release property or	just selecting the appropriate
	       RELEASE from the	menu list.

	       Options:

	       [--plugins]		  List all available plugins for cre-
					  ation.

	       [-E | --eol]		  Enable End Of	Life (EOL) checking
					  upstream.

	       [-F | --files]		  Specify the files to fetch from the
					  mirror.

	       [-NE | --noeol]		  Disable EOL checking upstream.

	       [-NU | --noupdate]	  Disable updating the fetch item to
					  the latest patch level.

	       [-NV | --noverify]	  Disable verifying the	SSL cert for
					  HTTP fetching.

	       [-P | --plugin-file]	  Specify which	plugin file to use.

	       [-U | --update]		  Update the fetch to the latest patch
					  level.

	       [-V | --verify]		  Enable verifying the SSL cert	for
					  HTTP fetching.

	       [-a | --auth]		  Specifies the	authentication method
					  for HTTP fetching.  Current values
					  are basic and	digest.

	       [-c | --count]

	       [-d | --root-dir]	  Specify the root directory contain-
					  ing all RELEASE files.

	       [-f | --file]		  Use a	local file directory for the
					  root directory instead of FTP	or
					  HTTP.

	       [-h | --http]		  Change [-s | --server] to define an
					  HTTP server instead of the default
					  FTP.

	       [-p | --password]	  Add a	password, if required.

	       [-r | --release]		  Define the FreeBSD release to	fetch.

	       [-s | --server]		  Define which FTP server to log into.

	       [-u | --user]		  Define the user.

	       Examples:

	       iocage fetch release=10.1-RELEASE

	       fetch is	also used to update already downloaded releases.  To
	       update a	local release already present in iocage	(iocage	list
	       -r), run:

	       iocage fetch release=10.1-RELEASE

	       This example applies the	latest patches to 10.1-RELEASE base.
	       Newly created jails or basejails	will automatically have	the
	       latest updates applied.

     fstab     Manipulates the fstab settings of a specific jail.

	       Options:

	       [-a | --add]	Adds an	entry to the specific jail fstab and
				mount it.

	       [-e | --edit]	Open the fstab file in the default editor.

	       [-r | --remove]	Remove an entry	from a specific	jail fstab and
				unmount	it.

     get       Display the specified property.

	       Options:

	       [-H | -h	| --header]  Used in scripting.	 Use tabs for separa-
				     tors.

	       [-P | --plugin]	     Get the specified key for a plugin	jail.

	       [-a | --all]	     Get all properties	for the	specified
				     jail.  If accessing a nested key, use "."
				     as	a separator.

	       [-p | --pool]	     Get the currently activated zpool.

	       [-r | --recursive]    Get the specified property	for all	jails.

     import    Import a	specific jail image.  Short UUIDs can be used, but do
	       not specify the full filename, only the UUID.

     list      List a specified	dataset	type.  By default, all jails are
	       listed.

	       Options:

	       [-H | -h	| --header]  Used in scripting.	 Use tabs for separa-
				     tors.

	       [-P | --plugins]	     Shows available plugins.

	       [-R | --remote]	     Shows available RELEASE options for
				     remote.

	       [-b | -r	| --base | --release]
				     List all bases.

	       [-h | --http]	     Changes [-R | --remote] to	use HTTP.

	       [-l | --long]	     Shows the full UUID and ip4 address.

	       [-t | --template]     Lists all templates.

     migrate   Migrate from the	development version of iocage-legacy to	the
	       current jail format.

	       Options:

	       [-d | --delete]	Destroy	the old	dataset	after migration.

	       [-f | --force]	Bypass any further warning or required user
				interaction.

     pkg       Run desired pkg commands	in the specified jail.

     restart   Restart the specified jail.  Use	ALL to restart all jails.

	       Options:

	       [-s | --soft]  Restart the jail,	but do not tear	down the net-
			      work stack.

     rollback  Roll back a jail	to an existing snapshot.  Any intermediate
	       snapshots are destroyed in the process.	For more information
	       on this functionality, please see zfs(8).

	       Options:

	       [-f | --force]  Run the command,	skipping any warnings or fur-
			       ther user interaction.

	       [-n | --name]   [Required] Used to specify the snapshot name.

     set       Set the specified property in the desired jail.

	       Options:

	       [-P | --plugin]	Set the	specified key for a plugin jail.  If
				accessing a nested key,	use "."	as a separa-
				tor.

	       Example:

	       iocage set -P foo.bar.baz=VALUE PLUGIN

     snaplist  List snapshots of a jail.  A number of different	fields are
	       displayed:

		     NAME     snapshot name
		     CREATED  creation time
		     RSIZE    referenced size
		     USED     used space

	       Options:

	       [-H | -h	| --header]  Used for scripting.  Tabs are used	as
				     separators.

     snapremove
	       Delete snapshots	of the specified jail.	If the keyword ALL is
	       used, all snapshots of the specified jail are deleted.

	       Options:

	       [-n | --name]  [Required] The snapshot name.

     snapshot  Create a	ZFS snapshot of	the specified jail.  If	a snapshot
	       name is not specified, a	name based on the current date and
	       time is generated.

	       Options:

	       [-n | --name]  The user created snapshot	name.

     start     Start a jail identified by UUID or TAG.

	       Options:

	       [--rc]  Start all jails with boot=on in a specific order.
		       Jails with lower	priority start first.

     stop      Stop a jail identified by UUID or TAG.

	       Options:

	       [--rc]  Stop all	jails with boot=on in a	specific order.	 Jails
		       with higher priority values stop	first.

     update    Run freebsd-update to update the	specified jail to the latest
	       patch level.  A backup snapshot is automatically	created	to
	       provide a rollback option.

     upgrade   Run freebsd-update to upgrade a jail from its current RELEASE
	       to the RELEASE given with -r, which must be available locally
	       (fetch it first).  The jail's release property records the
	       release in use and can be set by hand if needed:

	       iocage set release=10.1-RELEASE UUID|TAG

	       Options:

	       [-r | --release]	      [Required] RELEASE the jail uses for
				      upgrading.

PROPERTIES
     The Source	listed with each property shows	whether	it is a	local iocage
     property or where more information	can be located.

     pkglist=none | path-to-file
		   A json file listing one package per entry.  Packages	are
		   automatically installed when	a jail is created.  Works only
		   in combination with the create subcommand.

		   Default: none

		   Source: local

     vnet=on | off
		   Controls whether the	jail is	started	with a VNET or a
		   shared IP configuration.  The default is to auto-guess from
		   a sysctl.  If a fully virtualized per-jail network stack is
		   not needed, set this	to off.

		   Default: auto-guess

		   Source: local

     ip4_addr="interface|ip-address/netmask"
		   The IPv4 address for	VNET and shared	IP jails.

		   Single interface format:

		   interface|ip-address/netmask

		   Multiple interface format:

		   interface|ip-address/netmask,interface|ip-address/netmask

		   On shared IP	jails, an interface name given before the IP
		   address adds	an alias to that interface.  If	the DEFAULT
		   keyword is given instead of an interface name, the inter-
		   face	is automatically assigned based	on the system's
		   default interface.

		   A netmask in	either dotted-quad or CIDR form	given after
		   the IP address is used when adding the IP alias.

		   The IP address is automatically assigned at the first start
		   of the jail.	 This requires that the	ip4_autostart and
		   ip4_autoend variables are set on the	"default" property
		   source.  If used, the IP4 address is	set to the first
		   available based upon	the given range	and existing jails.

		   Example:

			 iocage set ip4_autostart="100" default
			 iocage set ip4_autoend="150" default
			 iocage set ip4_autosubnet="24" default

		   This	results	in the automatic IPv4 address being assigned
		   in the base range of	the default network interface.	That
		   is, if the local default NIC	is set to 192.168.0.XXX, then
		   the new address will	be 192.168.0.[100-150]/24.

		   In VNET jails, the interface	is configured with the IP
		   addresses listed.

		   Example:

			 "vnet0|192.168.0.10/24,vnet1|10.1.1.10/24"

		   Interfaces vnet0 and	vnet1 are configured in	a VNET jail.
		   In this case, no network configuration is necessary in the
		   jail's rc.conf file.

		   Default: none

		   Source: jail(8)
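
     The allocation rule for ip4_autostart, ip4_autoend and ip4_autosubnet
     described above, carried out in Python as an added example (it is not
     iocage's own code).  parse_ip4_addr handles every ip4_addr form shown,
     and next_auto_ip4 returns the first host number in the configured range
     that neither the host nor an existing jail already uses on the default
     interface's network; the host address and the jails' ip4_addr values
     below are constructed sample input.

```python
"""Compute the automatic IPv4 address a new jail would receive from the
ip4_autostart / ip4_autoend / ip4_autosubnet defaults.

Added example, not iocage code.  The rule is the one the property text
states: first free host number in [autostart, autoend] on the default
interface's network.  Host address and existing jails below are constructed."""
import ipaddress


def parse_ip4_addr(value):
    """Split an ip4_addr value into (interface, IPv4Interface) pairs.

    Handles the single- and multiple-interface forms, a dotted-quad or CIDR
    netmask, a bare address (treated as the DEFAULT interface) and 'none'."""
    entries = []
    if not value or value == "none":
        return entries
    for part in value.split(","):
        part = part.strip()
        iface, sep, addr = part.partition("|")
        if not sep:                        # bare address: DEFAULT interface
            iface, addr = "DEFAULT", part
        entries.append((iface, ipaddress.ip_interface(addr)))
    return entries


def next_auto_ip4(host_ip, autostart, autoend, autosubnet, existing_ip4_addrs):
    """Return 'DEFAULT|a.b.c.N/autosubnet' for the first N in [autostart, autoend]
    that neither the host nor an existing jail uses on the host's default
    network, or None when the range is exhausted."""
    net = ipaddress.ip_interface(f"{host_ip}/{autosubnet}").network
    used = {ipaddress.ip_address(host_ip)}
    for value in existing_ip4_addrs:
        for _iface, ipi in parse_ip4_addr(value):
            if ipi.ip in net:              # addresses on other networks do not collide
                used.add(ipi.ip)
    for n in range(int(autostart), int(autoend) + 1):
        cand = net.network_address + n
        if cand not in net or cand == net.broadcast_address:
            break                          # host number does not fit the subnet
        if cand not in used:
            return f"DEFAULT|{cand}/{autosubnet}"
    return None


# Constructed sample: host on 192.168.0.5/24, two jails already numbered.
HOST_IP = "192.168.0.5"
EXISTING_JAILS = [
    "DEFAULT|192.168.0.100/24",
    "vnet0|192.168.0.101/24,vnet1|10.1.1.10/24",
    "none",
]

if __name__ == "__main__":
    print(next_auto_ip4(HOST_IP, "100", "150", "24", EXISTING_JAILS))
```

     The 10.1.1.10 address on the second jail's vnet1 is ignored because it is
     not on the default interface's network; only addresses inside that
     network count against the range.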

     ip4_saddrsel=1 | 0
		   Only	applies	when vnet=off.	Set to 0 to disable IPv4
		   source address selection for	the prison in favor of the
		   primary IPv4	address	of the jail (ip4.nosaddrsel in
		   jail(8)).  Source address selection is enabled by default
		   for all jails and the ip4.nosaddrsel setting of a parent
		   jail is not inherited by child jails.

		   Default: 1

		   Source: jail(8)

     ip4=new | disable | inherit
		   Only	applies	when vnet=off.	Control	the availability of
		   IPv4	addresses.  Possible values are	"inherit" to allow
		   unrestricted	access to all system addresses,	"new" to
		   restrict addresses to those given in ip4_addr above, and
		   "disable" to stop the jail from using IPv4 entirely.
		   Setting ip4_addr implies a value of "new".

		   Default: new

		   Source: jail(8)

     defaultrouter=none	| ipaddress
		   Setting this	property to anything other than	none config-
		   ures	a default route	inside a VNET jail.

     defaultrouter6=none | ip6address
		   Setting this	property to anything other than	none config-
		   ures	a default IPv6 route inside a VNET jail.

     resolver=none | nameserver	IP;nameserver IP;search	domain.local
		   Set the jail's resolver (resolv.conf).  Fields must be
		   delimited with a semicolon.	Semicolons are translated to
		   newlines in resolv.conf.

		   If the resolver is set to none (default) the	jail inherits
		   the resolv.conf file	from the host.

     ip6_addr, ip6_saddrsel, ip6
		   A set of IPv6 options for the prison, the counterparts to
		   ip4_addr, ip4_saddrsel and ip4 above.

     interfaces=vnet0:bridge0,vnet1:bridge1 | vnet0:bridge0
		   By default, there are two interfaces	specified with their
		   bridge association.	Up to four interfaces are supported.
		   Interface configurations are	separated by commas.  The for-
		   mat is interface:bridge, where the left value is the	vir-
		   tual	VNET interface name and	the right value	is the bridge
		   name	where the virtual interface should be attached.

		   Default: vnet0:bridge0,vnet1:bridge1

		   Source: local

     domainname=   The NIS domainname of the jail.

		   Default: none

		   Source: jail(8)

     host_hostname=UUID
		   The hostname	of the jail.

		   Default: UUID

		   Source: jail(8)

     exec_fib=0	| 1 ..
		   The FIB (routing table) to set when running commands	inside
		   the jail.

		   Default: 0

		   Source: jail(8)

     devfs_ruleset=4 | 0 ..
		   The number of the devfs ruleset that	is enforced for	mount-
		   ing devfs in	this jail.  A value of zero (default) means no
		   ruleset is enforced.	 Descendant jails inherit the parent
		   jail's devfs	ruleset	enforcement.  Mounting devfs inside a
		   jail	is possible only if the	allow_mount and
		   allow_mount_devfs permissions are effective and
		   enforce_statfs is set to a value lower than 2.  Devfs rules
		   and rulesets	cannot be viewed or modified from inside a
		   jail.

		   NOTE: It is important that only appropriate device nodes in
		   devfs be exposed to a jail.	Access to disk devices in the
		   jail	may permit processes in	the jail to bypass the jail
		   sandboxing by modifying files outside of the	jail.  See
		   devfs(8) for	information on how to use devfs	rules to limit
		   access to entries in	the per-jail devfs.  A simple devfs
		   ruleset for jails is	available as ruleset 4 in
		   /etc/defaults/devfs.rules

		   Default: 4

		   Source: jail(8)

     mount_devfs=1 | 0
		   Mount a devfs(5) filesystem on the chrooted /dev directory,
		   and apply the ruleset in the	devfs_ruleset parameter	(or a
		   default of ruleset 4: devfsrules_jail) to restrict the
		   devices visible inside the jail.

		   Default: 1

		   Source: jail(8)

     exec_start="/bin/sh /etc/rc"
		   Commands to run in the prison environment when a jail is
		   created.  A typical command to run is sh /etc/rc

		   Default: /bin/sh /etc/rc

		   Source: jail(8)

     exec_stop="/bin/sh	/etc/rc.shutdown"
		   Commands to run in the prison environment before a jail is
		   removed and after any exec_prestop commands have completed.
		   A typical command to	run is sh /etc/rc.shutdown

		   Default: /bin/sh /etc/rc.shutdown

		   Source: jail(8)

     exec_prestart="/usr/bin/true"
		   Commands to run in the system environment before a jail is
		   started.

		   Default: /usr/bin/true

		   Source: jail(8)

     exec_prestop="/usr/bin/true"
		   Commands to run in the system environment before a jail is
		   stopped.

		   Default: /usr/bin/true

		   Source: jail(8)

     exec_poststop="/usr/bin/true"
		   Commands to run in the system environment after a jail is
		   stopped.

		   Default: /usr/bin/true

		   Source: jail(8)

     exec_poststart="/usr/bin/true"
		   Commands to run in the system environment after a jail is
		   started, and	after any exec_start commands have completed.

		   Default: /usr/bin/true

		   Source: jail(8)

     exec_clean=1 | 0
		   Run commands	in a clean environment.	 The environment is
		   discarded except for	HOME, SHELL, TERM and USER.  HOME and
		   SHELL are set to the	target login's default values.	USER
		   is set to the target	login.	TERM is	imported from the cur-
		   rent	environment.  The environment variables	from the login
		   class capability database for the target login are also
		   set.

		   Default: 1

		   Source: jail(8)

     exec_timeout=60 | 30 ..
		   The maximum amount of time to wait for a command to com-
		   plete.  If a	command	is still running after this many sec-
		   onds	have passed, the jail will be terminated.

		   Default: 60

		   Source: jail(8)

     stop_timeout=30 | 60 ..
		   The maximum amount of time to wait for a jail's processes
		   to exit after sending them a	SIGTERM	signal.	 This happens
		   after the exec_stop commands	have completed.	 After this
		   many	seconds	have passed, the jail is removed, killing any
		   remaining processes.	 If this is set	to zero, no SIGTERM is
		   sent	and the	prison is immediately removed.

		   Default: 30

		   Source: jail(8)

     exec_jail_user=root
		   In the jail environment, commands are run as	this user.

		   Default: root

		   Source: jail(8)

     exec_system_jail_user=0 | 1
		   This	boolean	option looks for the exec_jail_user in the
		   system passwd(5) file rather	than the jail's	file.

		   Default: 0

		   Source: jail(8)

     exec_system_user=root
		   Run commands	as this	user in	the system environment.	 jail(8)
		   itself defaults to the invoking user; iocage sets root.

		   Default: root

		   Source: jail(8)

     mount_fdescfs=1 | 0
		   Mount a fdescfs(5) filesystem in the	jail's /dev/fd direc-
		   tory.  Note:	This is	not supported on FreeBSD 9.3.

		   Default: 1

		   Source: jail(8)

     mount_procfs=0 | 1
		   Mount a procfs(5) filesystem	in the jail's /dev/proc	direc-
		   tory.

		   Default: 0

		   Source: local

     enforce_statfs=2 |	1 | 0
		   Determine which information processes in a jail are able to
		   obtain about	mount points.  The behavior of these syscalls
		   is affected:	statfs(2), fstatfs(2), getfsstat(2), and
		   fhstatfs(2) as well as similar compatibility	syscalls.
		   When	set to 0, all mount points are available without any
		   restrictions.  When set to 1, only mount points below the
		   jail's chroot directory are visible.	 Additionally, the
		   path	to the jail's chroot directory is removed from the
		   front of their pathnames.  When set to 2 (default), the
		   syscalls above can operate only on the mountpoint where the
		   jail's chroot directory is located.

		   Default: 2

		   Source: jail(8)

     children_max=0 | ..
		   The number of child jails allowed to	be created by this
		   jail	(or by other jails under this jail).  This limit is
		   zero	by default, indicating the jail	is not allowed to cre-
		   ate child jails.  See the Hierarchical Jails	section	for
		   more	information in jail(8).

		   Default: 0

		   Source: jail(8)

     login_flags="-f root"
		   These flags are passed to login(1) when logging in to jails
		   with	the console function.

		   Default: -f root

		   Source: login(1)

     jail_zfs=on | off
		   Enable automatic ZFS	jailing	inside the jail.  The assigned
		   ZFS dataset is fully	controlled by the jail.

		   NOTE: Setting this to on automatically enables
		   allow_mount=1, enforce_statfs=1, and	allow_mount_zfs=1!
		   These are dependent options required	for ZFS	management
		   inside a jail.

		   Default: off

		   Source: local

     jail_zfs_dataset=iocage/jails/UUID/root/data | zfs_filesystem
		   The dataset to be jailed and	fully handed over to a jail.
		   Takes the ZFS filesystem name without pool name.

		   NOTE: only valid if jail_zfs=on.  By	default, the mount-
		   point is set	to none.  To mount this	dataset, set its
		   mountpoint inside the jail.	For example,

			 zfs set mountpoint=/data full-dataset-name
			 mount -a

		   Default: iocage/jails/UUID/root/data

		   Source: local

     securelevel=3 | 2 | 1 | 0 | -1
		   The value of	the jail's kern.securelevel sysctl.  A jail
		   never has a lower securelevel than the default system, but
		   by setting this parameter it	is allowed to have a higher
		   one.	 If the	system securelevel is changed, any jail
		   securelevels	will be	at least as secure.

		   Default: 2

		   Source: jail(8)

     allow_set_hostname=1 | 0
		   Allow the jail's hostname to	be changed with	hostname(1) or
		   sethostname(3).

		   Default: 1

		   Source: jail(8)

     allow_sysvipc=0 | 1
		   Set whether a process in the	jail has access	to System V
		   IPC primitives.  Prior to FreeBSD 11.0, System V primitives
		   share a single namespace across the host and	jail environ-
		   ments, meaning that processes within	a jail would be	able
		   to communicate with,	and potentially	interfere with,	pro-
		   cesses outside of the jail, or in other jails.  In
		   FreeBSD 11.0	and later, this	setting	is deprecated.	Use
		   sysvmsg, sysvsem, and sysvshm instead.

		   Default: 0

		   Source: jail(8)

     sysvmsg=disable | inherit | new
		   Allow access	to SYSV	IPC message primitives.	 When set to
		   inherit, all	IPC objects on the system are visible to this
		   jail, whether they were created by the jail itself, the
		   base	system,	or other jails.	 When set to new, the jail has
		   its own key namespace, and can only see the objects that it
		   has created.	 The system or parent jail has access to the
		   jail's objects, but not to its keys.	 When set to disable,
		   the jail cannot perform any sysvmsg-related system calls.
		   Ignored in FreeBSD 10.3 and earlier.

		   Default: disable

		   Source: jail(8)

     sysvsem=disable | inherit | new
		   Allow access	to SYSV	IPC semaphore primitives in the	same
		   manner as sysvmsg.  Ignored in FreeBSD 10.3 and earlier.

		   Default: disable

		   Source: jail(8)

     sysvshm=disable | inherit | new
		   Allow access	to SYSV	IPC shared memory primitives in	the
		   same	manner as sysvmsg.  Ignored in FreeBSD 10.3 and	ear-
		   lier.

		   Default: disable

		   Source: jail(8)

     allow_raw_sockets=0 | 1
		   The prison root is allowed to create	raw sockets.  Setting
		   this	parameter allows utilities like	ping(8)	and
		   traceroute(8) to operate inside the prison.	If set,	the
		   source IP addresses are enforced to comply with the IP
		   address bound to the	jail, regardless of whether the
		   IP_HDRINCL flag has been set	on the socket.	Since raw
		   sockets can be used to configure and	interact with various
		   network subsystems, extra caution should be used where
		   privileged access to	jails is given out to untrusted	par-
		   ties.

		   Default: 0

		   Source: jail(8)

     allow_chflags=0 | 1
		   Normally, privileged	users inside a jail are	treated	as
		   unprivileged	by chflags(2).	When this parameter is set,
		   such	users are treated as privileged, and can manipulate
		   system file flags subject to	the usual constraints on
		   kern.securelevel.

		   Default: 0

		   Source: jail(8)

     allow_mount=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   filesystem types marked as jail-friendly.  The lsvfs(1)
		   command can be used to find filesystem types	available for
		   mount from within a jail.  This permission is effective
		   only	if enforce_statfs is set to a value lower than 2.

		   Default: 0

		   Source: jail(8)

     allow_mount_devfs=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   the devfs file system.  This	permission is effective	only
		   together with allow_mount and if enforce_statfs is set to a
		   value lower than 2.	Restrict what the jail can then see by
		   setting a devfs_ruleset; with devfs_ruleset=0 the jail gets
		   an unfiltered view of /dev.

		   Default: 0

		   Source: jail(8)

     allow_mount_nullfs=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   the nullfs file system.  This permission is effective only
		   together with allow_mount and if enforce_statfs is set to a
		   value lower than 2.

		   Default: 0

		   Source: jail(8)

     allow_mount_procfs=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   the procfs file system.  This permission is effective only
		   together with allow_mount and if enforce_statfs is set to a
		   value lower than 2.

		   Default: 0

		   Source: jail(8)

     allow_mount_tmpfs=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   the tmpfs file system.  This	permission is effective	only
		   together with allow_mount and if enforce_statfs is set to a
		   value lower than 2.

		   Note: This is not supported on FreeBSD 9.3.

		   Default: 0

		   Source: jail(8)

     allow_mount_zfs=0 | 1
		   Allow privileged users inside the jail to mount and unmount
		   the ZFS filesystem.	This permission	is effective only
		   together with allow_mount and if enforce_statfs is set to a
		   value lower than 2.	See zfs(8) for information on how to
		   configure the ZFS filesystem	to operate from	within a jail.

		   Default: 0

		   Source: jail(8)

     allow_quotas=0 | 1
		   The jail root can administer	quotas on the jail's filesys-
		   tems.  This includes	filesystems that the jail might	share
		   with	other jails or with non-jailed parts of	the system.

		   Default: 0

		   Source: jail(8)

     allow_socket_af=0 | 1
		   Sockets within a jail are normally restricted to IPv4,
		   IPv6, local (UNIX), and route.  This	setting	allows access
		   to other protocol stacks that have not had jail functional-
		   ity added to	them.

		   Default: 0

		   Source: jail(8)
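
     A property audit that applies the caveats spelled out above for
     devfs_ruleset, jail_zfs, allow_mount and its allow_mount_* companions,
     the SysV IPC settings, allow_raw_sockets and allow_socket_af, written as
     an added example (not iocage's own code).  It parses the tab-separated
     output of iocage get -a -H, first applies the side effects jail_zfs=on
     has on allow_mount, enforce_statfs and allow_mount_zfs, and then lists
     the settings an operator should justify before handing the jail to an
     untrusted party.  The sample property listing is constructed.

```python
"""Audit an iocage jail's properties for settings that widen its reach.

Added example, not iocage code.  Input is the 'property<TAB>value' text that
`iocage get -a -H <jail>` prints; the sample below is constructed."""

# Properties that jail_zfs=on switches on implicitly (see the jail_zfs NOTE).
JAIL_ZFS_IMPLIES = {"allow_mount": "1", "enforce_statfs": "1", "allow_mount_zfs": "1"}

MOUNT_FLAGS = ("allow_mount_devfs", "allow_mount_nullfs", "allow_mount_procfs",
               "allow_mount_tmpfs", "allow_mount_zfs")


def parse_get_all(text):
    """Parse `iocage get -a -H` output into a dict; blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition("\t")
        props[key.strip()] = value.strip()
    return props


def effective_props(props):
    """Return the properties as they will actually be enforced once iocage
    applies the jail_zfs=on side effects."""
    eff = dict(props)
    if eff.get("jail_zfs") == "on":
        eff.update(JAIL_ZFS_IMPLIES)
    return eff


def _on(props, key):
    return props.get(key, "0") in ("1", "on", "yes")


def audit_jail(props):
    """Return (property, finding) pairs; an empty list means nothing stood out."""
    p = effective_props(props)
    findings = []
    ruleset = p.get("devfs_ruleset", "4")

    if _on(p, "allow_raw_sockets"):
        findings.append(("allow_raw_sockets",
                         "jail root may open raw sockets; reserve for trusted operators"))
    if _on(p, "mount_devfs") and ruleset == "0":
        findings.append(("devfs_ruleset",
                         "devfs mounted with no ruleset: host device nodes, disks included, are visible"))
    # allow_mount only takes effect when enforce_statfs is below 2 (jail(8)).
    if _on(p, "allow_mount") and p.get("enforce_statfs", "2") != "2":
        enabled = [k for k in MOUNT_FLAGS if _on(p, k)]
        findings.append(("allow_mount", "in-jail mounts permitted for: "
                         + (", ".join(enabled) or "no filesystem type yet")))
        if "allow_mount_devfs" in enabled and ruleset == "0":
            findings.append(("allow_mount_devfs",
                             "jail may mount an unrestricted devfs; set devfs_ruleset"))
    for key in ("sysvmsg", "sysvsem", "sysvshm"):
        if p.get(key) == "inherit":
            findings.append((key, "shares the host-wide SysV IPC namespace with other jails"))
    if _on(p, "allow_sysvipc"):
        findings.append(("allow_sysvipc",
                         "single SysV IPC namespace shared with the host; prefer sysv*=new"))
    if _on(p, "allow_socket_af"):
        findings.append(("allow_socket_af",
                         "protocol families without jail support are reachable"))
    if _on(p, "allow_chflags"):
        findings.append(("allow_chflags", "jail root may change system file flags"))
    if _on(p, "allow_quotas"):
        findings.append(("allow_quotas",
                         "jail root may administer quotas on filesystems shared with the host"))
    if p.get("children_max", "0") != "0":
        findings.append(("children_max", "jail may create child jails"))
    return findings


# Constructed sample: a jail that hands a dataset to the guest and leaves devfs open.
SAMPLE_GET_ALL = """\
jail_zfs\ton
jail_zfs_dataset\tiocage/jails/adae47cb/root/data
mount_devfs\t1
devfs_ruleset\t0
allow_raw_sockets\t0
sysvshm\tinherit
securelevel\t2
"""

if __name__ == "__main__":
    for prop, why in audit_jail(parse_get_all(SAMPLE_GET_ALL)):
        print(f"{prop}: {why}")
```

     The sample reports three findings: the open devfs, the in-jail mount
     permission that jail_zfs=on brought with it, and the inherited shared
     memory namespace.  A jail with jail_zfs=off and devfs_ruleset=4 reports
     nothing.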

     host_hostuuid=UUID
		   The host UUID the jail reports (kern.hostuuid as seen from
		   inside the jail).

		   Default: UUID

		   Source: jail(8)

     tag="any string"
		   Custom string for aliasing jails.

		   Default: date@time

		   Source: local

     template=yes | no
		   This	property controls whether the jail is a	template.
		   Templates are not started by	iocage.	 Set to	yes if this
		   jail	will be	converted into a template.  See	the EXAMPLES
		   section below.

		   Default: no

		   Source: local

     boot=on | off
		   If set to "on", the jail is auto-started at boot time with
		   start --rc and stopped at shutdown time with	stop --rc.
		   Jails are started and stopped based on their	priority
		   value.

		   Default: off

		   Source: local

     notes="any string"
		   Custom notes	for miscellaneous tagging.

		   Default: none

		   Source: local

     owner=root	   The owner of	the jail.  Can be any string.

		   Default: root

		   Source: local

     priority=99 | 50 ..
		   Start priority at boot time.	 Smaller values	mean higher
		   priority.  For shutdown, the	order is reversed.

		   Default: 99

		   Source: local

     last_started  Last	successful start time.	Automatically set every	time
		   the jail starts.

		   Default: timestamp

		   Source: local

     type=basejail,empty,normal
		   Set the jail	type to	basejail, empty	or normal.

		   Default: normal

		   Source: local

     release=10.0-RELEASE | 9.2-RELEASE
		   The release used at creation	time.  Can be set to any
		   string if needed.

		   Default: the	host's release

		   Source: local

     compression=on | off | lzjb | gzip	| gzip-N | zle | lz4
		   Controls the	compression algorithm used for this dataset.
		   The lzjb compression	algorithm is optimized for performance
		   while providing decent data compression.  Setting compres-
		   sion	to on uses the lzjb compression	algorithm.  The	gzip
		   algorithm uses the same compression as the gzip(1) command.
		   The compression level can be	specified by using the value
		   gzip-N, where N is an integer from 1	(fastest) to 9 (best
		   compression ratio).	Currently, gzip	is equivalent to
		   gzip-6, which is also the default for gzip(1).

		   The zle algorithm compresses	runs of	zeros.

		   The lz4 algorithm is	a high-performance replacement for the
		   lzjb	algorithm.  It features	significantly faster compres-
		   sion	and decompression, as well as a	moderately higher com-
		   pression ratio than lzjb, but can only be used on pools
		   with	the lz4_compress feature enabled.  See
		   zpool-features(7) for details on ZFS	feature	flags and the
		   lz4_compress	feature.

		   This	property can also be referred to by its	shortened col-
		   umn name of "compress".

		   Changing this property affects only newly-written data.

		   Default: lz4

		   Source: zfs(8)

     origin	   This	is only	set for	clones and is read-only.  For cloned
		   file	systems	or volumes, the	snapshot from which the	clone
		   was created.	 See the clones	property.

		   Default: -

		   Source: zfs(8)

     quota=15G | 50G | ..
		   Quota for the jail.	Limit the amount of space a dataset
		   and its descendants can consume.  This property enforces a
		   hard	limit on the amount of space used.  This includes all
		   space consumed by descendants, including file systems and
		   snapshots.  Setting a quota on a descendent of a dataset
		   that	already	has a quota does not override the ancestor's
		   quota, but rather imposes an	additional limit.

		   Default: none

		   Source: zfs(8)

     mountpoint	   Path	for the	jail's root filesystem.	 Do not	tweak this or
		   the jail will not start!

		   Default: set	to jail's root

		   Source: zfs(8)

     compressratio
		   Compression ratio.  Read-only.  For non-snapshots, the com-
		   pression ratio achieved for the used	space of this dataset,
		   expressed as	a multiplier.  The used	property includes
		   descendant datasets,	and, for clones, does not include the
		   space shared	with the origin	snapshot.

		   Source: zfs(8)

     available	   Available space in the jail's dataset.  The amount of space
		   available to	the dataset and	all its	children, assuming
		   that	there is no other activity in the pool.	 Because space
		   is shared within a pool, availability can be	limited	by any
		   number of factors, including	physical pool size, quotas,
		   reservations, or other datasets within the pool.

		   Source: zfs(8)

     used	   Space used by jail.	Read-only.

		   Source: zfs(8)

     dedup=on |	off | verify | sha256[,verify]
		   Deduplication for jail.

		   Default: off

		   Source: zfs(8)

     reservation=size |	none
		   Reserved space for jail.

		   Default: none

		   Source: zfs(8)

     sync_target   This	is for future use, currently not supported.

     sync_tgt_zpool
		   For future use, currently not supported.

     cpuset=1 |	1,2,3,4	| 1-2 |	off
		   Control the jail's CPU affinity.

		   Default: off

		   Source: cpuset(1)

EXAMPLES
     Set up iocage from	scratch:

	   iocage fetch

     Create first jail:

	   iocage create -r 11.0-RELEASE tag=myjail

     List jails:

	   iocage list

     Start jail:

	   iocage start	UUID

     Convert jail into template:

	   iocage set template=yes UUID

     List templates:

	   iocage list -t

     Import package on another host:

	   iocage import UUID

HINTS
     When using	VNET, remember to add the node's physical NIC into one of the
     bridges if	an outside connection is needed.  Also see bridge(4) for how
     traffic is	handled.  In a nutshell: bridges behave	like a network switch.

     The PF firewall is	not supported inside VNET jails	as of July 2014.  PF
     can be enabled for	the host.  IPFW	is fully supported inside a VNET jail.

     The actual	jail name in the jls(8)	output is set to ioc-UUID.  This is a
     required workaround as jails refuse to start with jail(8) when the	jail
     name starts with a	"0".

     dmesg(8) information leakage inside jails can be prevented	with this
     sysctl:

	   security.bsd.unprivileged_read_msgbuf=0

     When using	VNET, consider applying	these sysctls as well:

	   net.inet.ip.forwarding=1
	   net.link.bridge.pfil_onlyip=0
	   net.link.bridge.pfil_bridge=0
	   net.link.bridge.pfil_member=0

     For more information, please see
	   https://github.com/iocage/iocage

SEE ALSO
     cpuset(1),	bridge(4), epair(4), freebsd-update(8),	ifconfig(8), jail(8),
     jexec(8), rctl(8),	sysctl(8), zfs(8), zpool(8)

BUGS
     Please report bugs, issues, and feature requests at
	   https://github.com/iocage/iocage/issues

AUTHORS
     Peter Toth
     Brandon Schneider

SPECIAL	THANKS
     Sichendra Bista - for his ever willing attitude and ideas.

FreeBSD	11.1			April 20, 2017			  FreeBSD 11.1
