Linux Jails (sandboxes / containers) with Jailmaker

TrueNAS SCALE can create persistent Linux ‘jails’ with systemd-nspawn. These containers are very similar to Jails from TrueNAS CORE or LXC, LXD and Incus containers on Linux. Jailmaker helps with the following:

  • Setting up the jail so it won’t be lost when you update SCALE
  • Choosing a distro (Debian 12 strongly recommended, but Ubuntu, Arch Linux or Rocky Linux seem good choices too)
  • Optional: configuring the jail so you can run Docker inside it
  • Optional: GPU passthrough (including nvidia GPU with the drivers bind mounted from the host)
  • Starting the jail with your config applied

The original jailmaker topic on the old community forum is available in read-only mode.

12 Likes

Download Jailmaker from GitHub and check out the TrueNAS documentation about this feature. I recommend to subscribe to the project on GitHub to be notified of new releases.

Am i correct in assuming that this requires TrueNAS SCALE 24.04 (Dragonfish)?

Also, this would effectively replace “Apps” correct? We should not be using both that is?

This looks really promising, i definitely want to try this out on my own system, but it’s currently not running Dragonfish.

@Jip-Hop’s jailmaker script will work on 23.10.

I have replaced my apps with corresponding jails, mainly because my needs are few (basically Tailscale, rsyncd and DDNS) and easily configured. YMMV.

3 Likes

Thanks!

I’m not aware of compatibility issues with Apps. Users have reported jailmaker and Apps working fine side by side. I only use jailmaker so I have no experience with using the two simultaneously.

2 Likes

Most users may not hit any issues. We just have to put a precaution there so that users know to pay attention and don’t try to reserve same ports in both, over commit resources, that kind of thing.

1 Like

Does anyone have experience with running this with namespaces in order to get better isolation/security? Anything to know about it?

Some users shared their experience with this in the old forum thread. You can find an example in the documentation here: jailmaker/templates/podman at main · Jip-Hop/jailmaker · GitHub

1 Like

I wanna use docker_hddfancontrol to control my case fan.

I tried smartctl -a /dev/sda inside a jail to test if i can get the SSD data, but get this Smartctl open device: /dev/sda failed: No such device.

Shall i mount --bind='/dev:/dev', or is there a different method to get access to the device data?

This is the way

1 Like

With --bind='/dev:/dev' the jail does not start.

I found the answer here.

--bind-ro=/dev/sda works, but if i run the smartctl command, i get Read Device Identity failed: Permission denied

root@smart-test:~# smartctl -a /dev/sda
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.74-production+truenas] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org


Probable ATA device behind a SAT layer
Try an additional '-d ata' or '-d sat' argument.
smartctl -d ata -a /dev/sda
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.74-production+truenas] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org

Read Device Identity failed: Permission denied

Try just bind, not bind read-only

Tried --bind=/dev/sda:/dev/sda, but still not works.

Solution (thanks to @Jip-Hop scrutiny docker container - /dev/sd* · Jip-Hop/jailmaker · Discussion #62 · GitHub)

docker_compatible=1 and --bind-ro=/dev/sda in systemd_nspawn_user_args was the solution.

1 Like

I have problem with jailmaker on freshly installed 24.04 RC1 with root account disabled (recommended option during installation). Documentation on TrueNAS website and github page says Jailmaker installation and operation has to be done with root account, i had to append sudo with every command until ‘jailmaker create’. Sudo doesn’t work, su -c ‘jailmaker create’ doesn’t work. How do i proceed? Do i need to enable root account?

iX says root account will eventually be disabled permanently in future, how will people use Jailmaker when that happen?

It seems to me Jailmaker is rootful containalization, but is it still possible for me to have unprivileged LXC or rootless Podman within privileged LXC?

Can’t you become root with sudo su?

To rule out it has anything to do with the jlmkr alias I recommend you to run ./jlmkr.py create directly from the jailmaker directory. In case you’re not already root, you’d probably have to put sudo in front.

Future is looking bright for Jailmaker

7 Likes

Anyone might know offhand why bridge networking might not be working? I get these errors when I try:

root@dockerrt:/etc/docker# docker container start 7a6d30e48198
Error response from daemon: failed to add interface vethaa2cec3 to sandbox: error setting interface "vethaa2cec3" IP to 172.31.0.2/16: cannot program address 172.31.0.2/16 in sandbox interface because it conflicts with existing route {Ifindex: 98 Dst: 172.31.0.0/16 Src: 172.31.0.1 Gw: <nil> Flags: [] Table: 254 Realm: 0}
Error: failed to start containers: 7a6d30e48198

The conflicting route seems to be because it is being (also) created outside the nspawn-container.

So far I’ve worked around using host networking.