Best Practices

This section provides some generic guidelines and tips for working with iocage managed jails.

Use PF as a module

This is the default setting in the GENERIC kernel. There seems to be a VNET bug which is only triggered when PF is directly compiled into the kernel.

Always name jails and templates!

Use the -n option with iocage create to set a name for the jail. This helps avoid mistakes and easily identify jails.

Example: iocage create -r 11.0-RELEASE -n testjail

Set the notes property

Set the notes property to something meaningful, especially for templates and jails used infrequently.

Example:

[root@tester ~]# iocage set notes="This is a test jail." testjail
Property: notes has been updated to This is a test jail.

[root@tester ~]# iocage get notes testjail
This is a test jail.

VNET

VNET provides more fine control and isolation for jails. VNET also allows jails to run their own firewalls. See Known Issues for more about VNET.

Discover templates!

Templates simplify using jail creation and customization, give it a try! See Using Templates to get started.

Use iocage restart instead of start/stop

Always restart a jail with the iocage restart -s command. This performs a soft restart and leaves the VNET stack alone, which is less stressful for both kernel and user.

Check the firewall rules

When using IPFW inside a VNET jail, put firewall_enable=”YES” and firewall_type=”open” into /etc/rc.conf. This excludes the firewall from accidentally blocking the user right from the beginning! Re-lock it once finished testing. It is also recommended to check the PF firewall rules on the host if jail and host rules are mixed.

Delete old snapshots

Remove unnecessary snapshots, especially from jails where data is constantly changing!