Re: Jail, and specifically iocage, best practices -- summary

From: Norman Gray <gray_at_nxg.name>
Date: Thu, 10 Feb 2022 10:54:05 UTC
Hello, all.

On 6 Feb 2022, at 12:58, Norman Gray wrote:

> Greetings.
>
> On the freebsd-questions list recently, there was a useful thread about freebsd-update and jails.  This prompts a related question of mine.
>
> Is there anywhere a collection of recommended practices with respect to jails?

Thanks, everyone, for very useful comments on this.

I don't want to repeat everyone's suggestions, though I encourage people to look at the thread [1].  But the things that particularly stood out for me are:

  * Several people mentioned that Lucas's Jails book [2] does cover iocage!  We have a copy of this book on the shelf, and now that I can get my hands on it again, physically, I see 'iocage' all over the ToC, whereas I'd previously convinced myself it was jail(8)-only.  I feel rather foolish about that...

  * Peter Boosten said 'use a mix', suggesting that it's reasonable to use a script to set up a jail, and then unscripted tools to manage it thereafter.  That is, a script isn't (necessarily) locking you into a particular way of managing these, and it's reassuring to be reminded, in particular, that ezjail/iocage/... aren't adding any particular secret sauce to the jail.

There was also a mention of iocell [3], as a fork of iocage.  I'm always a bit nervous of forks, and note that the iocell documentation doesn't mention the circumstances of the fork (and I remember the ezjail/qjail unpleasantness of a few years ago).  Is there a story here?

It sounds as if a one line summary of the thread (acknowledging that there isn't a universal consensus here) is:

    You won't go far wrong with iocage; buy Lucas's Jails book.

Thanks again, everyone.  Best wishes,

Norman


[1] https://lists.freebsd.org/archives/freebsd-questions/2022-February/000622.html
[2] FreeBSD Mastery: Jails, https://mwl.io/nonfiction/os#fmjail
[3] https://iocell.readthedocs.io/en/latest/


-- 
Norman Gray  :  https://nxg.me.uk