Linux Jails (sandboxes / containers) with Jailmaker

TrueNAS SCALE can create persistent Linux ‘jails’ with systemd-nspawn. These containers are very similar to Jails from TrueNAS CORE or LXC, LXD and Incus containers on Linux. Jailmaker helps with the following:

  • Setting up the jail so it won’t be lost when you update SCALE
  • Choosing a distro (Debian 12 strongly recommended, but Ubuntu, Arch Linux or Rocky Linux seem good choices too)
  • Optional: configuring the jail so you can run Docker inside it
  • Optional: GPU passthrough (including nvidia GPU with the drivers bind mounted from the host)
  • Starting the jail with your config applied

The original jailmaker topic on the old community forum is available in read-only mode.

Download Jailmaker from GitHub and check out the TrueNAS documentation about this feature. I recommend subscribing to the project on GitHub to be notified of new releases.

Am I correct in assuming that this requires TrueNAS SCALE 24.04 (Dragonfish)?

Also, this would effectively replace “Apps” correct? We should not be using both that is?

This looks really promising, I definitely want to try this out on my own system, but it’s currently not running Dragonfish.

@Jip-Hop’s jailmaker script will work on 23.10.

You should use either Apps or jails, preferably not both at the same time. Apps are easier to install and configure, but there is an overhead in terms of CPU and power consumption that jails won’t have.

I have replaced my apps with corresponding jails, mainly because my needs are few (basically Tailscale, rsyncd and DDNS) and easily configured. YMMV.

Thanks!

I’m not aware of compatibility issues with Apps. Users have reported jailmaker and Apps working fine side by side. I only use jailmaker so I have no experience with using the two simultaneously.

Most users may not hit any issues. We just have to put a precaution there so that users know to pay attention and don’t try to reserve the same ports in both, over-commit resources, that kind of thing.

Does anyone have experience with running this with namespaces in order to get better isolation/security? Anything to know about it?

Some users shared their experience with this in the old forum thread. You can find an example in the documentation here: jailmaker/templates/podman at main · Jip-Hop/jailmaker · GitHub

I wanna use docker_hddfancontrol to control my case fan.

I tried smartctl -a /dev/sda inside a jail to test if I can get the SSD data, but get this: Smartctl open device: /dev/sda failed: No such device.

Shall I mount --bind='/dev:/dev', or is there a different method to get access to the device data?

This is the way

With --bind='/dev:/dev' the jail does not start.

I found the answer here.

--bind-ro=/dev/sda works, but if I run the smartctl command, I get Read Device Identity failed: Permission denied

root@smart-test:~# smartctl -a /dev/sda
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.74-production+truenas] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org


Probable ATA device behind a SAT layer
Try an additional '-d ata' or '-d sat' argument.
smartctl -d ata -a /dev/sda
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.74-production+truenas] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org

Read Device Identity failed: Permission denied

Try just bind, not bind read-only

Tried --bind=/dev/sda:/dev/sda, but it still does not work.

Solution (thanks to @Jip-Hop scrutiny docker container - /dev/sd* · Jip-Hop/jailmaker · Discussion #62 · GitHub)

docker_compatible=1 and --bind-ro=/dev/sda in systemd_nspawn_user_args was the solution.

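
As an added example (not from this thread or from the jailmaker project), a small Python pre-flight check for a jail config that catches the three outcomes reported above: a missing docker_compatible=1 (smartctl then fails with Permission denied), a bind of all of /dev (the jail does not start), and a disk bound read-write where --bind-ro was enough. The config text is constructed, and the key=value layout with indented continuation lines is an assumption about the file format, not taken from the project.

```python
import re

# Constructed jailmaker-style config. The key=value format with indented
# continuation lines is an assumption, not copied from the project.
SAMPLE_CONFIG = """\
startup=1
docker_compatible=1
systemd_nspawn_user_args=--network-bridge=br1
    --bind-ro=/dev/sda
    --bind=/dev/sdb:/dev/sdb
"""

# Matches --bind=SRC[:DST] and --bind-ro=SRC[:DST] inside the nspawn args.
BIND_RE = re.compile(r"--bind(?P<ro>-ro)?=(?P<src>[^:\s]+)(?::(?P<dst>\S+))?")


def parse_config(text):
    """Parse key=value lines; an indented line continues the previous value."""
    cfg, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            cfg[key] += " " + line.strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            key = key.strip()
            cfg[key] = val.strip()
    return cfg


def check_device_binds(text):
    """Return human-readable findings about the device bind mounts of a jail."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("docker_compatible") != "1":
        findings.append("docker_compatible is not 1: smartctl on a bound disk "
                        "reported Permission denied without it")
    for m in BIND_RE.finditer(cfg.get("systemd_nspawn_user_args", "")):
        src, read_only = m.group("src"), bool(m.group("ro"))
        if src.rstrip("/") == "/dev":
            findings.append("binding all of /dev keeps the jail from starting; "
                            "bind the single device node instead")
        elif src.startswith("/dev/") and not read_only:
            findings.append(f"{src} is bound read-write; --bind-ro was "
                            "sufficient for smartctl")
    return findings
```
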
I have a problem with jailmaker on freshly installed 24.04 RC1 with the root account disabled (recommended option during installation). Documentation on the TrueNAS website and GitHub page says Jailmaker installation and operation has to be done with the root account; I had to prepend sudo to every command until ‘jailmaker create’. Sudo doesn’t work, su -c ‘jailmaker create’ doesn’t work. How do I proceed? Do I need to enable the root account?

iX says the root account will eventually be disabled permanently in the future; how will people use Jailmaker when that happens?

It seems to me Jailmaker is rootful containerization, but is it still possible for me to have unprivileged LXC or rootless Podman within privileged LXC?

Can’t you become root with sudo su?

To rule out that it has anything to do with the jlmkr alias, I recommend you run ./jlmkr.py create directly from the jailmaker directory. In case you’re not already root, you’d probably have to put sudo in front.

Future is looking bright for Jailmaker

Anyone might know offhand why bridge networking might not be working? I get these errors when I try:

root@dockerrt:/etc/docker# docker container start 7a6d30e48198
Error response from daemon: failed to add interface vethaa2cec3 to sandbox: error setting interface "vethaa2cec3" IP to 172.31.0.2/16: cannot program address 172.31.0.2/16 in sandbox interface because it conflicts with existing route {Ifindex: 98 Dst: 172.31.0.0/16 Src: 172.31.0.1 Gw: <nil> Flags: [] Table: 254 Realm: 0}
Error: failed to start containers: 7a6d30e48198

The conflicting route seems to be because it is being (also) created outside the nspawn-container.

So far I’ve worked around using host networking.
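
As an added example (not from this thread or from jailmaker), a Python diagnostic for the route clash above: it parses an `ip route` listing, reports every existing route that overlaps the subnet Docker is trying to program, and picks the first free subnet from a candidate range so Docker can be pointed at a non-overlapping one (for instance through its default-address-pools daemon setting). The route listing and the bridge interface name are constructed; the 172.31.0.0/16 entry mirrors the conflicting route from the error message.

```python
import ipaddress

# Constructed `ip route` output as it might look inside the jail. The
# 172.31.0.0/16 entry mirrors the conflicting route in the error above.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev host0
192.168.1.0/24 dev host0 proto kernel scope link src 192.168.1.50
172.31.0.0/16 dev br-example0 proto kernel scope link src 172.31.0.1
"""


def parse_routes(text):
    """Destination networks of an `ip route` listing (default and junk skipped)."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # blackhole/unreachable entries, odd tokens, etc.
    return nets


def conflicting_routes(route_text, subnet):
    """Existing routes that overlap the subnet Docker wants to program."""
    want = ipaddress.ip_network(subnet, strict=False)
    return [str(n) for n in parse_routes(route_text) if n.overlaps(want)]


def first_free_subnet(route_text, base="10.200.0.0/16", prefix=24):
    """First /prefix carved out of base that overlaps no existing route."""
    taken = parse_routes(route_text)
    for cand in ipaddress.ip_network(base).subnets(new_prefix=prefix):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None
```

Run it against the real output of `ip route` from inside the jail and from the host: a route that appears in both listings for the same Docker subnet is the "also created outside the nspawn-container" case described above.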