iocage Documentation

iocage Documentation
Release 1.4.2
Peter Toth
January 31, 2015
Contents
1
Documentation:
1.1 FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Pre-flight checklist . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4 Using UUIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 How to turn on auto boot . . . . . . . . . . . . . . . . . . . . . . . .
1.6 Automatic package installation . . . . . . . . . . . . . . . . . . . .
1.7 Configuring Network Interfaces . . . . . . . . . . . . . . . . . . . .
1.8 Non VNET jails (shared IP) . . . . . . . . . . . . . . . . . . . . . .
1.9 Help! My jail has no Internet connectivity! . . . . . . . . . . . . . .
1.10 Create a jail package! . . . . . . . . . . . . . . . . . . . . . . . . .
1.11 Dealing with clones . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12 Destroying jails . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13 How to use templates . . . . . . . . . . . . . . . . . . . . . . . . . .
1.14 Resource limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15 Snapshot management . . . . . . . . . . . . . . . . . . . . . . . . .
1.16 Thin provision or thick provision? . . . . . . . . . . . . . . . . . . .
1.17 Updating jails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.18 Real world example with VNET, NAT, PF, IPFW and port forwarding
1.19 Create a Debian squeeze jail (gnu kFreeBSD) . . . . . . . . . . . . .
1.20 Indices and tables . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
3
3
4
5
5
6
6
6
7
8
9
9
9
10
11
11
11
12
14
14
i
ii
iocage Documentation, Release 1.4.2
iocage is a zero dependency drop in jail/container manager amalgamating some of the best features and technologies
FreeBSD operating system has to offer. It is geared for ease of use with a simple and easy to understand command
syntax.
FEATURES:
• rapid thin provisioning (within seconds!)
• templating
• automatic package installation
• ease of use (also supports shortened UUIDs)
• zero configuration files
• virtual networking stacks (vnet)
• shared IP based jails (non vnet)
• fully writable clones
• resource limits (CPU, MEMORY, etc.)
• filesystem quotas and reservations
• ZFS jailing inside jails
• transparent snapshot management
• binary updates
• differential jail packaging
• export and import
• and many more!
Contents
1
iocage Documentation, Release 1.4.2
2
Contents
CHAPTER 1
Documentation:
1.1 FAQ
What is iocage? iocage is jail management script aiming to simplify jail administration tasks as much as possible.
What is a jail? Jail is a FreeBSD OS virtualization technology enabling to run multiple copies of the operating
system. Some operating systems use the term Zones or Containers for OS virtualization.
What is VNET? VNET is an independent per jail virtual networking stack.
How do I configure network interfaces in a VNET or shared IPjail? You configure both the same way: iocage
set ip4_add="interface|IP/netmask" UUID. For more info please refer to the documentation.
Do I need to set my default gateway? Only if VNET is enabled. You need to assign an IP address to the bridge
where the jail interface is attached to. This IP essentially becomes your default gateway for your jail.
Can I run a firewall inside a jail? Yes in a VNET jail IPFW is supported. PF is not supported inside the jail though you can still enable PF for the host itself. If you plan on using IPFW inside a jail make sure securelevel
is set to 2
Can I enable both IPFW and PF at the same time? Yes, make sure you allow traffic on both in/out for your jails.
Can I create custom jail templates? Yes, and thin provision them too! Starting with version 1.3 there is also a
package option for jail packaging.
What is a jail clone? Clones are ZFS clones, these are fully writable copies of the source jail.
Can I limit the CPU and Memory use? Yes. (refer to manual page)
Is there a way to display resource consumption? Yes, iocage inuse UUID
Is i386 supported? It is 2014 - All recent servers are 64bit capable for years now!
Is NAT supported for the jails? Yes. This is built into FreeBSD. Treat your server as a core router/firewall. Check
documentation section on NAT.
Will iocage work on a generic system with no ZFS pools? No. ZFS is a must, if you run a FreeBSD server you
should be using ZFS!
Is ZFS jailing supported? Yes, please refer to man page.
1.2 Pre-flight checklist
1. If you need VNET make sure your kernel is VIMAGE/VNET enabled (check man page for details)
3
iocage Documentation, Release 1.4.2
2. Enable IP forwarding with: sysctl net.inet.ip.forwarding=1
3. Add the physical interface to bridge0 and assign an IP address.
Example:
ifconfig bridge0 addm em0 192.168.1.254 up
In this case the IP 192.168.1.254 will become the default gateway for all jails attached to
bridge0
4. Configure either routing or NAT to handle jail traffic
5. Configure interfaces inside jail, example:
ifconfig vnet0 192.168.1.10/24 up
route add default 192.168.1.254
6. Test whether you can ping the default gateway and reach any external hosts
Gotchas!
• Important: for VNET to work, don’t compile PF directly into the kernel - use it as a module (this is the default
in GENERIC kernel)!
• Watch out for PF or IPFW! Traffic originating from jails needs to be allowed in/out!
• If IPFW is turned on don’t forget to add firewall_enable="YES" firewall_type="open" to
/etc/rc.conf inside the jail to test connectivity
• In case both PF and IPFW is enabled make sure you execute pfctl -f /etc/pf.conf on the host after
jail is started
• Also consider configuring the following to allow traffic to bypass firewall for the bridge:
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0
1.3 Best practices
These are some generic guidelines for working with iocage managed jails.
Use PF as a module
This is the default setting in the GENERIC kernel. There seem to be bug which is only triggered when PF
is directly compiled into the kernel.
Always tag your jails and templates!
This will help you avoid mistakes and easily identify jails.
Set the notes property
Set the notes property to something meaningful, especially for templates and jails you might use only
once in a while.
Use VNET!
VNET will give you more control and isolation. Also allows to run per jail firewalls.
Don’t mix RELEASES!
4
Chapter 1. Documentation:
iocage Documentation, Release 1.4.2
As best practice only run jails with the same RELEASE as the host system.
Don’t overuse resource limiting!
Unless really needed, let the OS decide how to do it best. Set limits with the “log action” before enforcing
“deny”. This way you can check the logs before creating any performance bottlenecks.
Discover templates!
Templates will make your life easy, try them!
Use the ‘restart‘ command instead of ‘start‘ ‘stop‘
If you wish to restart a jail use the restart command which performs a soft restart and it leaves the
VNET stack alone, less stressful for the kernel and you.
Check your firewall rules
When using IPFW inside a VNET jail put firewall_enable="YES" firewall_type="open"
into /etc/rc.conf for a start. This way you can exclude the firewall from blocking you right from the
beginning! Lock it down once you’ve tested everything. Also check PF firewall rules on the host if you
happen to mix both.
Get rid of old snapshots
Remove snapshots you don’t need, especially from jails where data is changing a lot!
Don’t change the hostname
Unless really needed, don’t change the jail’s UUID based hostname in /etc/rc.conf. Add required
entries to /etc/hosts instead.
Use the ‘chroot‘ sub-command
In case you need to access or modify files in a template or a jail which is in stopped state, use iocage
chroot UUID. This way you don’t need to spin up the jail or convert the template.
1.4 Using UUIDs
You can use shortened UUIDs!
Example:
Instead of typing or pasting the long UUID:
iocage console f7253c38-01c7-11e4-bfd9-cc52afcf0d66
Just enter the first few characters:
iocage console f725
If multiple jails match the short name iocage will throw a warning.
You can use the short UUIDs with any subcommand.
1.5 How to turn on auto boot
To enable auto starting of jails at boot time follow these steps:
• Put the rc.d iocage script into your /usr/local/etc/rc.d/ folder.
• Add iocage_enable="YES" to the hosts /etc/rc.conf
1.4. Using UUIDs
5
iocage Documentation, Release 1.4.2
• Set the boot property to on for jails you wish to auto-boot iocage set boot=on UUID
• If you need to specify a boot order you can do it by setting the priority value iocage set priority=20
UUID . Lower value means higher boot priority.
1.6 Automatic package installation
Packages can be installed automatically at creation time!
Specify the pkglist property at creation time, which should point to a text file containing one package name per
line. Please note you need to have Internet connection for this to work as pkg install will try to get the packages
from online repositories.
Example:
Create a pkgs.txt file and add package names to it.
pkgs.txt:
nginx
tmux
Now simply create a jail and supply the pkgs.txt file:
iocage create pkglist=/path-to/pkgs.txt tag=myjail
This will install nginx and tmux in the newly created jail.
1.7 Configuring Network Interfaces
iocage handles network configuration for both, shared IP and VNET jails transparently.
Configuring a shared IPv4 jail:
iocage set ip4_addr="em0|192.168.0.10/24" UUID
This will add an IP alias 192.168.0.10/24 to interface em0 for the shared IP jail at start time.
A better approach using VNET:
iocage set ip4_addr="vnet0|192.168.0.10/24" UUID
iocage set defaultrouter=192.168.0.254 UUID
For VNET jails a default route has to be specified too, just like for a normal host system.
Hints
To start a jail with no IPv4 address whatsoever set these properties:
iocage set ip4_addr=none UUID
iocage set defaultrouter=none UUID
1.8 Non VNET jails (shared IP)
To start a jail with a shared IP based networking (non VNET) follow these steps:
Assumptions:
6
Chapter 1. Documentation:
iocage Documentation, Release 1.4.2
You either have a working NAT or shared IP set up which is part of your LAN.
Turn VNET off
iocage set vnet=off UUID
Set the shared IP and pin it to the right interface:
iocage set ip4_addr="em0|10.1.1.10/24"
Start jail:
iocage start UUID
Drop into jail and try to install some package:
iocage console UUID
pkg install tmux
Notes:
If your network is set up the right way pkg will fetch the package from an online repo. For non VNET jails you don’t
need to specify a default gateway.
Consider adding these entries to ‘‘/etc/rc.conf‘‘ for shared IP jails:
hostname=UUID
cron_flags="$cron_flags -J 15"
# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Run secure syslog
syslogd_flags="-c -ss"
Comment out adjkerntz -a in /etc/crontab as well (time cannot be controlled from a jail).
Also make sure SSH on the host is binding to a single IP only (snip below)!
/etc/ssh/sshd_config
ListenAddress YOUR-HOST-IP
1.9 Help! My jail has no Internet connectivity!
The steps below are for a VNET jail.
There are two options to get Internet connectivity for jails:
• NAT
• Routed traffic
NAT is probably the easiest method for most cases.
Follow these steps to get Internet connectivity inside a jail with NAT (handled in PF):
1. Enable the following sysctl’s:
1.9. Help! My jail has no Internet connectivity!
7
iocage Documentation, Release 1.4.2
net.inet.ip.forwarding=1
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0
#
#
#
#
Enable IP forwarding
Only pass IP packets
Packet filter on the
Packet filter on the
between interfaces
when pfil is enabled
bridge interface
member interface
2. Assign an IP to your bridge0 ifconfig 10.1.1.254/24 up (this will become the default GW for the
jail)
3. Add your physical interface (example em0) to bridge0 ifconfig bridge0 addm em0 up
4. Configure jail Interfaces ifconfig vnet0 10.1.1.10/24 up
5. Add nameservers to /etc/resolv.conf
nameserver 194.132.32.32
nameserver 46.246.46.246
6. Exit from chroot
7. Configure outbound NAT (“Real world example with VNET, NAT, PF, IPFW and port forwarding”)
8. Start jail iocage start UUID
9. Drop into jail iocage console UUID
10. ping default gateway 10.1.1.254, you should have a reply!
11. ping Internet addresses, if all is good you should have Internet access now!
1.10 Create a jail package!
What is a jail package? A jail package is basically a small differential image template which can be deployed on top
of vanilla jails. The RELEASE and patch level has to match between the package and a vanilla jail.
iocage uses the record function for this, which is a unionfs mount under the hood.
The resulting package can be stored on a web server with a checksum file ready to be deployed anywhere.
1. create a new jail iocage create -c tag=nginx
2. start jail iocage start UUID
3. configure networking to enable internet access for this jail
4. issue iocage record start UUID, from now on every change will be recorded under
/iocage/jails/UUID/recorded
5. install nginx with pkg install nginx
6. install any other software you might require
7. customize configuration files
8. once finished, stop recording changes with iocage record stop UUID optionally stop jail
9. examine /iocage/jails/UUID/recorded,
-type f
run
find /iocage/jails/UUID/recorded
10. remove any unnecessary files, make final customization/changes
11. run iocage package UUID, this will create a package in /iocage/packages with a SHA256 checksum
file
12. optionally discard the jail now with iocage destroy UUID
8
Chapter 1. Documentation:
iocage Documentation, Release 1.4.2
The resulting UUID.tar.xz can now be deployed on top of any new vanilla jail!
1. create new jail iocage create -c
2. deploy package iocage import UUID tag=myjail
3. list jail iocage list|grep myjail, grab UUID
4. start jail iocage start UUID
5. examine your changes and packages - they are all there!
Enjoy!
1.11 Dealing with clones
When a jail is cloned, iocage creates a ZFS clone filesystem. In a nutshell clones are cheap lightweight writable
snapshots.
A clone depends on its source snapshot and filesystem. If you’d like to destroy the source jail and preserve its clones
you need to promote the clone first, otherwise the source jail cannot be destroyed.
To promote a cloned jail, simply run:
iocage promote UUID
The above step will reverse the clone and source jail relationship. Basically the clone will become the source and the
source jail will be demoted to a clone.
Now you can remove the demoted jail with:
iocage destroy UUID
1.12 Destroying jails
Destroy any jail with iocage destroy UUID
Warning this will irreversibly destroy the jail!
Example:
iocage destroy acfb86bf-0001-11e4-a88a-3c970ea3222f
WARNING: this will destroy jail acfb86bf-0001-11e4-a88a-3c970ea3222f
Dataset: zroot/iocage/jails/acfb86bf-0001-11e4-a88a-3c970ea3222f
Are you sure ? Y[n]: Y
Destroying: acfb86bf-0001-11e4-a88a-3c970ea3222f
Please note the capital “Y” - issuing a lowercase “y” will do nothing. This is to prevent accidental deletion.
Always double check the jail UUID before destroying any jails!
1.13 How to use templates
Templates can save you precious time!
1.11. Dealing with clones
9
iocage Documentation, Release 1.4.2
Set up a jail any way you like, and create a template from it. All packages and pre-configured settings will be available
for deployment next time within seconds.
Any jail can be converted to a template and back to a jail again as required. In fact a template is just another jail which
has the property template set to “yes”. The difference is that templates are not started by iocage, they are ignored!
Here is how to do it with iocage:
1. create a new jail iocage create tag=mytemplate
2. configure the jail’s networking
3. install any package you like and customize jail
4. once finished with customization stop the jail iocage stop UUID
5. a good idea is set some notes iocage set notes="customized PHP,nginx jail" UUID
6. turn the template property on iocage set template=yes UUID
7. list your template with iocage list -t
To create a new jail from this template simply clone it!
1. iocage clone UUID-of-mytemplate tag=mynewjail
2. list new jail iocage list
3. start jail iocage start UUID
Done!
If you need to make further customization in the template or want to patch it, you have two options.
• convert template back to jail with iocage set template=no UUID-of-template, and start the jail
• if you don’t need network access to make the changes simply run iocage chroot UUID-of-template,
make the changes and exit
1.14 Resource limiting
iocage can enable optional resource limits for a jail. The outlined procedure should provide enough for a decent
starting point.
Limit jail to a single hardware thread or core (CPU affinity).
1. pin jail to a single thread or core number 1 iocage set cpuset=1 UUID
2. start jail iocage start UUID
3. list applied limits iocage limits UUID, you should see CPU affinity:
run on core/thread number 1.
1, jail is only allowed to
Limit RSS memory use (can be done on-the-fly)
1. limit to 4G DRAM memory use iocage set memoryuse=4G:deny UUID
2. turn on resource limiting for jail iocage set rlimits=on UUID
3. apply limit on-the-fly iocage cap UUID
4. check active limits iocage limits UUID, should list jail:ioc-UUID:memoryuse:deny=4096M
Limit CPU execution to 20%
1. iocage set pcpu=20:deny UUID
10
Chapter 1. Documentation:
iocage Documentation, Release 1.4.2
2. iocage cap UUID
3. check limits iocage limits UUID
1.15 Snapshot management
You can create ZFS snapshots for your jails!
iocage supports transparent ZFS snapshot management out of the box. Snapshots are point-in-time copies of data, a
safety point to which a jail can be reverted at any time. Initially snapshots take up almost no space as only changing
data is recorded.
You can list snapshots anytime for a jail with:
iocage snaplist UUID
To create a new snapshot run:
iocage snapshot UUID
This will create a snapshot based on current time. If you’d like to create a snapshot with custom naming
run:
iocage snapshot UUID@mysnapshotname
To remove a snapshot use:
iocage snapremove UUID@snapshotname
To revert a jail’s state to a snapshot run:
iocage rollback UUID@snapshotname
Simple as that - don’t need to know ZFS internals!
1.16 Thin provision or thick provision?
iocage supports two provisioning types, thick (default) and thin. Thin is basically a ZFS clone of the base jail. If you
plan to replicate the jail over the network with ZFS send/receive use the default thick provisioning! This will create a
fully independent jail copy which can be sent over the network with ZFS send/receive.
Create a normal jail
iocage create tag=myjail or just iocage create
Create a thin jail
iocage create -c tag=myjail
1.17 Updating jails
Updates are handled with the freebsd-update(8) utility. Jails can be updated while they are stopped or running.
To update a jail to latest patch level run:
iocage update UUID
1.15. Snapshot management
11
iocage Documentation, Release 1.4.2
This will create a back-out snapshot of the jail automatically.
When finished with updating and the jail is working OK, simply remove the snapshot:
iocage snapremove UUID@snapshotname
In case the update breaks the jail, simply revert back to the snapshot:
iocage rollback UUID@snapshotname
If you’d like to test updating without affecting a jail, create a clone and update the clone the same way as outlined
above.
To clone run:
iocage clone UUID tag=testupdate
1.18 Real world example with VNET, NAT, PF, IPFW and port forwarding
This is a tested real world set up with VNET jails running IPFW and the host running both PF and IPFW. IPFW was
set to allow all traffic to simplify this example.
After making the following changes make sure the host can restart cleanly.
For IPFW to work inside a jail set the securelevel property to “2”:
iocage set securelevel=2 UUID
The host
The host has the following relevant configuration needed to support VNET jails (these are relevant snippets only):
/etc/sysctl.conf
net.inet.ip.forwarding=1
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0
security.bsd.unprivileged_read_msgbuf=0
# This is only for routing tables if any
# (do not create default routing tables for all FIB’s)
net.add_addr_allfibs=0
/etc/rc.conf:
cloned_interfaces="bridge0 bridge1"
ifconfig_bridge0="addm em0 10.1.1.254/24 up"
pf_enable="YES"
pflog_enable="YES"
firewall_enable="YES"
firewall_type="open"
iocage_enable="YES"
/etc/pf.conf:
# MACROS -------------------------------if = "{" em0 "}"
int_if = "{" bridge epair vnet "}"
12
Chapter 1. Documentation:
iocage Documentation, Release 1.4.2
# TABLES -------------------------------table <abusive_hosts> persist
# don’t filter on the loopback, VNET and bridge
set skip on lo
set skip on vnet
set skip on bridge
set skip on epair
set loginterface em0
# TRAFFIC NORMALIZATION -----------------scrub on $if all fragment reassemble
# QUEUEING ------------------------------# TRANSLATION ---------------------------nat on em0 inet from ! em0 to any -> em0
# port forward http to jail (varnish)
rdr on $if inet proto tcp to port 80 -> 10.1.1.10 port 80
# PACKET FILTERING ----------------------# setup a default deny policy
block log all
block in quick from <abusive_hosts>
# pass all traffic to and from the local network.
pass out quick on $if from any to any modulate state
# allow SSH and http/https
pass log on $if proto { tcp udp } from any to any port { ssh http 445 } keep state
# allow ping
pass in inet proto icmp all icmp-type echoreq
The jail
/etc/rc.conf:
hostname=UUID
cron_flags="$cron_flags -J 15"
# Configure vnet0
ifconfig_vnet0="10.1.1.10/24"
# Set default GW to point to bridge0 IP
defaultrouter="10.1.1.256"
# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Run secure syslog
syslogd_flags="-c -ss"
# Set IPFW to allow all
1.18. Real world example with VNET, NAT, PF, IPFW and port forwarding
13
iocage Documentation, Release 1.4.2
firewall_enable="YES"
firewall_type="open"
/etc/resolv.conf:
nameserver 8.8.4.4
nameserver 8.8.8.8
1.19 Create a Debian squeeze jail (gnu kFreeBSD)
In this howto we will set up a Debian (gnu/kFreeBSD) jail. gnu/kFreeBSD is a Debian userland tailored for
FreeBSD kernel.
Don’t forget to replace UUID with your jail’s full UUID!
Create an empty jail with linux specifics:
iocage create -e tag=debian exec_start="/etc/init.d/rc 3"
exec_stop="/etc/init.d/rc 0"
Install debootstrap on the host:
pkg install debootstrap
Grab the mountpoint for our empty jail, append /root/ to it and run debootstrap:
iocage get mountpoint UUID
debootstrap squeeze /iocage/jails/UUID/root/ (you can replace squeeze with wheezy if that is
what you need)
Edit the jail’s fstab and add these lines:
/iocage/jails/UUID/root/fstab
linsys
linproc
tmpfs
/iocage/jails/UUID/root/sys
linsysfs rw
0 0
/iocage/jails/UUID/root/proc
linprocfs rw
0 0
/iocage/jails/UUID/root/lib/init/rw tmpfs
rw,mode=777 0 0
Start the jail and attach to it:
iocage start UUID
iocage console UUID
What you gain is a 64bit Debian Linux userland. Please note this is not recommended for production use. The intention
was to show that iocage will let you do almost anything you want with your jails.
If you wish to install a Linux only Debian jail you can follow this tutorial: debian-linux-freebsd-jail-zfs
Only 32bit Linux jails are supported right now.
1.20 Indices and tables
• genindex
• modindex
• search
14
Chapter 1. Documentation: