Linux Jails (sandboxes / containers) with Jailmaker

Something weird is happening with your static thumbnail on that video, fyi:

Hi all, please read my announcement: Jailmaker by Jip-Hop - End of Life October 2024. Thanks! :slight_smile:

3 Likes

Well Stux, I for one appreciate all of the amazing effort you put in on this and all the projects that you have done for the TrueNAS environment. I spent days and lots of hair pulling trying to get a simple application working in TrueCharts when I discovered your Jailmaker. I was about to give up. Thanks again.

To solve this problem, there is text. A written howto can be read exactly as fast as the consumer requires, and commands can even be copy&pasted. Somehow, I fail to understand the benefit of a video for this purpose…

3 Likes

This is in no way to degrade you or your project. It’s just an observation.

From the time I started using TrueNAS a number of years ago, I have seen plugins, TrueNAS apps, TrueCharts apps, jailmaker, and now the latest, Electric Eel apps. The only thing that has stood the test of time is BSD jails. This is very important for me as I don’t want to spend all my time migrating back and forth between container backends.

Hopefully someone will step up and take over your jailmaker project, or (fingers crossed) Electric Eel will stay with docker-compose for a long time.

3 Likes

Docker compose will be here for a long haul. But I also hope the community keeps maintaining Jailmaker, since I expect there’s still users aplenty who prefer that method of full-blown nspawn management. I want to personally thank @Jip-Hop for his work on this until now, he helped a lot of folks with a neat solution that enabled people to do more with their SCALE boxes :trophy:

4 Likes

With Docker Compose, does each “app” have its own full network stack, in the same way that each FreeBSD jail does?

In other words, each “app” can have its own IP address, separate from the host’s IP address and those of the other “apps”?

Just depends on how you specify the networking, but that is supported, yes.

2 Likes

@kris, what conditions (if any, ever) would be necessary for iX to consider bringing the jailmaker project under the truenas organization?

1 Like

So not just me :-/

I think it’s something to do with the video being linked twice in this thread…

It’s @Jip-Hop’s jailmaker :slight_smile:

But thank you :slight_smile:

But Stux is like the jailmaker mascot! :smile:

6 Likes

Thank you for jailmaker, it really gave more control over apps with less hassle than a VM.

Really hope the community or even iX takes over this project, as yes, native docker in EE is nice. Jailmaker gives the ability to have multiple docker environments separate and used for different purposes and access levels, and I can do it all without spinning up VMs.

2 Likes

I really hope that Jailmaker can continue to be maintained by either iXsystems, or Jip-Hop and the community, as having these full jails/sandboxes/containers has been awesome and a game-changer for me. At my work, we run commercial backup software which doesn’t come as a Docker - it just has a native Linux installer. I recently moved that into a generic Debian 12 (Bookworm) Jailmaker container and the performance is fantastic. I love how I can just bind-mount the ZFS datasets I use for backups into the container. Really nice.

My previous solution was running a dedicated Linux VM (first on CORE and then on SCALE), but that required me to run NFS across an internal network bridge. The performance of that setup left a lot to be desired. It got the job done but I was never really satisfied with it. This new Jailmaker setup blows that away in performance.

The only thing that’s different now is in recovering individual files and directories out of the VM backups. That uses iSCSI (mounts the backups via iSCSI then uses Linux NTFS utils to pull out the required items). The Linux kernel iSCSI code is not namespace aware (as I write this) and so I can’t use the container natively for iSCSI.

But this is fine, since the backup software provides proxy appliance VMs to do these iSCSI-based operations from, and there’s no issues with that setup. I’ve been a happy sysadmin with a smile ear to ear ever since Jailmaker came out, and I can’t thank Jip-Hop and Stux enough. You two are rock stars!

3 Likes

Hi, I switched over to the new forum but I am unsure of how to DM you directly.

Hello to the community. Migrating all my apps from my noob TrueCharts implementation. Managed to get jailmaker up and running thanks to the great guide and following issues on this thread. Nginx manager and other containers are up and running after some trial and error. Unfortunately, for the life of me I can’t figure out how to rebuild pihole inside my docker jail.

Based on the error it seems that the host is consuming port 53, and since I’m using the bridge method I believe nginx manager has port 80. Do I need to make a separate jail just for pihole?

Error response from daemon: driver failed programming external connectivity on endpoint pihole (fd9fd3a9ccbccac41dd67b9a2f6d1e8aee542074eb93a72f33775932a01d1e1c): failed to bind port 0.0.0.0:53/tcp: Error starting userland proxy: listen tcp4 0.0.0.0:53: bind: address already in use

Appreciate any assistance
This is my compose file below:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 8081:80/tcp
    environment:
      # WEBPASSWORD: 'set a secure password here or it will be random'
    # Volumes store your data between container upgrades
    volumes:
      - /mnt/mk-nas/docker/data/pihole:/etc/pihole
      - /mnt/mk-nas/docker/data/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    networks: {}

Port 53 is used by resolved inside the jail; disable resolved to get it working.
In the jail use
sudo systemctl disable systemd-resolved.service
and
sudo systemctl stop systemd-resolved

Edit: Fixed Typos

3 Likes
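A pre-flight check for the situation diagnosed above, added here as an example (not from the thread, Jailmaker or Pi-hole): before `docker compose up` inside the jail, parse `ss -H -lntup` output to name whatever already holds each port the compose file publishes, so the "bind: address already in use" failure is explained up front. The `ss` lines below are constructed to mirror a jail where systemd-resolved's stub listener holds 53 and an existing docker-proxy holds 80.

```shell
#!/bin/sh
# Example code added to this thread; not part of Jailmaker or Pi-hole.
# Constructed sample of `ss -H -lntup` output (fields: Netid State Recv-Q Send-Q
# Local Peer Process). The Process column is only shown for sockets you own or as root.
SAMPLE_SS='udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=312,fd=13))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=312,fd=14))
tcp   LISTEN 0      4096         0.0.0.0:80   0.0.0.0:*  users:(("docker-proxy",pid=2110,fd=4))'

# port_owner PORT: read ss output on stdin, print each distinct process name bound to PORT.
# A listener on 127.0.0.53:53 still blocks docker-proxy binding 0.0.0.0:53, so any
# address counts, not just wildcard ones.
port_owner() {
    awk -v port="$1" '
        # $5 is the local address: 127.0.0.53%lo:53, 0.0.0.0:80 or [::]:53; the port
        # is whatever follows the last colon.
        { n = split($5, a, ":"); if (a[n] != port) next }
        # The process name sits between users:((" and the next double quote.
        match($0, /users:\(\("[^"]+"/) {
            name = substr($0, RSTART + 9, RLENGTH - 10)
            if (!(name in seen)) { seen[name] = 1; print name }
        }'
}

# check_ports PORT...: read ss output once on stdin; return 0 if every port is free,
# 1 if any is taken, reporting the owner on stderr.
check_ports() {
    out=$(cat)
    rc=0
    for p in "$@"; do
        owner=$(printf '%s\n' "$out" | port_owner "$p")
        if [ -n "$owner" ]; then
            echo "port $p is already held by: $owner" >&2
            rc=1
        fi
    done
    return $rc
}

# Real use inside the jail:  ss -H -lntup | check_ports 53 8081
# Here the constructed sample is checked against the ports the compose file publishes.
if printf '%s\n' "$SAMPLE_SS" | check_ports 53 8081; then
    echo "ports free, safe to run docker compose up"
else
    echo "free the reported ports (here: stop systemd-resolved) before docker compose up"
fi
```

Stopping systemd-resolved frees port 53, but if the jail's /etc/resolv.conf points at the 127.0.0.53 stub, name resolution inside the jail stops working until it names a real resolver.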

Thanks for the prompt response, so I used “jlmkr shell docker”. However, when I run the systemctl disable I get an error that says “Failed to disable unit: Unit: file systemd-rsolved.service.service does not exist”.

You both need to check your spelling.

Does tab-completion work in the jail? If so, use that.

3 Likes

Thanks, that did the trick.