Jail newcomer - quick overview on some basics?

Status
Not open for further replies.

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
I'm new to jails, having not used them on FreeBSD or FreeNAS. The guide looks fairly straightforward. I'd like to check my understanding and make sure I have some stuff right, though. I'm happy using UI or CLI to manage them, but will probably create using GUI.

*brain dump start *
  1. We have warden (old), iocage (new) and transition (now). Should I create my jail using iocage or use warden + convert it when 11.2 comes out?
  2. Do I need to create my jail using newUI or CLI if I want to use iocage as the doc suggests? If so, is iocage complete and "production ready" (the jail system that is, if not fully set up for GUI management yet)?
  3. What happens when FreeNAS upgrades? Will my jails need to be set up freshly, or do they "just work"?
  4. Suppose I reinstall on a new platform (importing existing config). I might import pool+config or just config, so the expected file paths and files might or might not all exist. What's the scope for confusion and how easy is it to put right (e.g., is it easy to get them running by just copying over the relevant directories it's expecting, or what else might be needed?)
  5. I gather that to control a jail's permissions for external paths it's allowed to access (is that the right terminology?), I need to create users within the jail whose uids and/or gids match the expected uids/gids of permissions/ACLs it needs to access. Is that about right, and what's involved (to make it work and to make sure it stays secure). I'm assuming root wouldn't be mapped over but are all others or just some? Any suggested resources to understand how to control this aspect?
  6. Is the basic install in a jail a pure FreeBSD install (not customised for FreeNAS), or is it customised/minimised some way? I assume you can always add packages but it would help to know anything that's not set up as standard, so I don't get confused if I assume it's identical to doing a clean install of a FreeBSD ISO and it's got config/changes to it by default.
  7. If a bare jail has any changes from FreeBSD, what do I need to do, to run a full "unmodified" FreeBSD install? (Or a full install less anything that can be added using pkg, at most) - meaning no config changes or unexpected differences?
*brain dump end *

Thanks for quick replies - any other relevant comments very appreciated!
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Should I create my jail using iocage or use warden + convert it when 11.2 comes out?
Iocage via the CLI. The new GUI is not ready for use yet for jails.
What happens when FreeNAS upgrades? Will my jails need to be set up freshly, or do they "just work"?
Your jail should remain functional.
Suppose I reinstall on a new platform (importing existing config)
Install and go to the Web GUI and upload your config and reboot. That's it.
I gather that to control a jail's permissions for external paths it's allowed to access (is that the right terminology?), I need to create users within the jail whose uids and/or gids match the expected uids/gids of permissions/ACLs it needs to access. Is that about right, and what's involved (to make it work and to make sure it stays secure). I'm assuming root wouldn't be mapped over but are all others or just some? Any suggested resources to understand how to control this aspect?
Not even going to attempt to answer a permissions question.
Is the basic install in a jail a pure FreeBSD install
Not sure on this, they've always just worked for me so I've never bothered to check.
 

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
@Jailer - That worked. It turns out that the main things I needed to know for iocage were (1) newUI or CLI, and (2) upgradability/ease of moving with new updates. The docs weren't comprehensive but your answers helped a lot. Both of these matters look fine, and the answer was reassuring. Thank you.

(Incidentally, since "iocage create" requires a specific template such as "11.1-RELEASE", and the template files expand and install in the jail, it does seem like that kind of option does produce a pure FreeBSD release unmodified by FreeNAS setup. I could be wrong, but so far seems so.)

I have 2 followup questions. My other question is more involved so I opened a separate thread:
  1. I created the jail outside the GUI, using iocage create.... Is it an issue that FreeNAS doesn't "know" about it, and doesn't have it stored in its internal data, via its GUI? I'm slightly apprehensive that when FreeNAS finally gets the iocage WebUI done, it won't know this jail exists and won't be able to manage it? Is that a problem? Will I be able to manage it via the GUI?
  2. I didn't run iocage zpool activate. Honestly, none of the docs really explained this fully. I also figured that it might have been done already within the FreeNAS code, as the jails dataset has already been created by default and the docs which give iocage CLI code, don't say to do it. The test jail seemed to work - create, console, stop, and properties, all seemed fine. Was I correct that I didn't need this command? What would it do?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is it an issue that FreeNAS doesn't "know" about it, and doesn't have it stored in its internal data, via its GUI?
FreeNAS should know about it if you use the new GUI--the old GUI doesn't do iocage at all.
 

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
FreeNAS should know about it if you use the new GUI--the old GUI doesn't do iocage at all.
To be clear, you mean it'll pick it up from iocage's own data, and will create the definition in the new GUI accordingly without me needing to do anything?

I'm using legacy UI until newUI is able to fully replace it, which it isn't quite doing just yet (it's close!) so I'll probably be on legacy UI for another update or three. I'm guessing from what you say, that middleware will pick up the iocage jails created in CLI and handle them correctly even in 11.1-U4, the only issue will be that it'll be unable to expose it for info+control in the GUI until I change from legacy to newUI? Is that correct?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
To be clear, you mean it'll pick it up from iocage's own data, and will create the definition in the new GUI accordingly without me needing to do anything?
Correct.
 

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
Thanks - that's great reassurance!
 