After I set up my new FreeBSD (10.1-RELEASE) server, I decided to run each of the services I needed in its own jail. The easiest way to do this is with iocage. This article should help you get started with its most common functions.

To prepare your system for networking jails (allowing you to ping from within the jail, as well as making them behave like normal hosts in the network), edit your /etc/sysctl.conf file and add the following lines:

# jail rules
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1

Then reboot your system. If you don’t want to reboot, you can execute the following sysctl commands to activate these rules right away:

sysctl security.jail.sysvipc_allowed=1
sysctl security.jail.allow_raw_sockets=1

Anyway, just to be sure it will work, reboot, unless you know what you are doing. Keep in mind that both settings loosen jail isolation (raw sockets let root inside a jail craft arbitrary packets, and on this release System V IPC is shared with the host), so only give the allow_raw_sockets and allow_sysvipc flags to jails that actually need them.

For the rest of the article, I used the following tutorial (it’s more detailed and also explains what you are doing):

Getting started with iocage for jails on FreeBSD by Dan Langille

Now we are ready to install iocage:

pkg install iocage

The next step is to set up the default jail (download an image of FreeBSD). Type the following:

iocage fetch

You will be asked some questions:

please select a pool for iocage jails [zroot]:

The default zpool in my system is named zroot, because I have a bootable RAIDZ-2 configuration of 5 disks. In your system it may be called whatever you named it during the installation. Anyway, just type the name of the zpool on which you prefer to install your iocage root.

Supported releases are: 
Please select a release [10.1-RELEASE]:

In my case, I prefer the default 10.1-RELEASE, just to have the same version as my host.

base.txz                                      100% of   63 MB   10 MBps 00m06s
doc.txz                                       100% of 1395 kB 7014 kBps 00m01s
lib32.txz                                     100% of   15 MB   10 MBps 00m01s
Exctracting: base.txz
Exctracting: doc.txz
Exctracting: lib32.txz
* Updating base jail..
Looking up mirrors... 5 mirrors found.
Fetching metadata signature for 10.1-RELEASE from done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

The following files will be added as part of updating to 10.1-RELEASE-p6:

The following files will be updated as part of updating to 10.1-RELEASE-p6:
     Installing updates...   install: /iocage/releases/10.1-RELEASE/root//usr/src/crypto/openssl/util/ No such file or directory

After this, you can immediately create your first jail. In my case, I wanted to create a jail in which I can run my DNS resolver cache (the already installed local_unbound is doing it just fine for my small domain). So it is my DNS jail.

Just type:

iocage create ip4_addr="bge0|" defaultrouter= allow_sysvipc=1 allow_raw_sockets=1

Substitute your own domain, replace bge0 with your network interface, and use a free IP address in your network (the address you want the jail to have). Also set the defaultrouter option to the IP address of your router.

When your jail is built, type in the following commands:

iocage set boot=on
iocage set priority=01
iocage set

The first command activates your jail on boot.
The second command sets the priority of the jail when booting your machine. In my case, I want my DNS to start before any other jail, so I give it a priority of 01.
The third command sets the hostname of the jail. I wanted my DNS jail’s hostname to be the same as the tag.

To start the jail, type:

iocage start

That’s it. Try to ping the IP address you have assigned to your jail. It should respond.

Now you can log in as root in the jail by simply typing:

iocage console

You will notice that you can handle the jail exactly as if it were a normal host or virtual machine, just like being in the shell of another host. You can use pkg or /usr/local/ports the usual way to install software, start and stop services, or experiment however you want. When you type exit, you log out of the jail and return to your host.

If you want to stop the jail, just type:

iocage stop

Now your newly created jail is shut down. In this state, you can also delete your jail if you don’t need it anymore.

iocage destroy

That’s simple, isn’t it?