Introduction

Certain directories within a jail can be swapped out to (datasets) "outside". This allows this data to be stored independently of the jail. The goal, similar to Docker, is to depend as little as possible on the jail itself. This way, if the jail is corrupted or deleted for some reason, we are able to restore the previous configuration and data with minimal effort. Also, these directories can then be efficiently and regularly backed up via snapshot, which also simplifies further backups. Not to mention moves or migrations.

Last update:

  • 30.11.2024: Revision
  • 17.11.2024: TrueNAS references removed, converted to Bastille and adapted to the FreeBSD Server article series and Bastille
  • 03.03.2024: Minor adjustments
  • 23.01.2024: Some tweaking and configuration added to TrueNAS
  • 18.08.2023: Initial version

Terminology

  • JAILNAME = The name of the jail
  • SOURCEPATH = The directory (DATASET) on the FreeBSD, e.g. /usr/local/bastille/data/JAILNAME, which points to the ZFS pool data in the dataset bastille_data/JAILNAME
  • TARGETPATH = The directory inside the jail, ex. /usr/local/bastille/jails/JAILNAME/root/var/db
  • ID = Required user ID within the jail, ex. 123

Directory structure

Jails are usually stored in /usr/local/bastille/ with the following directory structure:

└── jails         # Jail main directory
    └── JAILNAME  # Jail Name
        └── root  # / of the Jail

For this purpose, a new dataset named jails_data is now created, which hosts the "jail data" and mirrors the above structure somewhat, so that it remains easily traceable. For example, this could be on a completely different pool /mnt/ZPOOLNAME/jails_data, which may have much more storage space. This is very useful for large data files like pictures or file shares, which have no place in the jail. Also read only if needed.

└── jails_data     # As a counterpart to jails.
    └── JAILNAME   # The same name as in jails, ex. `gitea`
        └── DATASET  # source directories of the outsourced data, ex. `data`

NullFS

But how does that come together? Quite simply via NullFS. NullFS virtually puts the contents of directory A on directory B, even across jail boundaries. Very handy! A key factor is access rights and proper permissions. If there is a user USER with ID 123 in the jail, then the directory outside the jail MUST have the same permissions. Fortunately, the user ID is sufficient for this, so it is not necessary to create the corresponding username in the TrueNAS/FreeBSD host each time as well. Since the directories usually do not yet exist in the jail, they have to be created beforehand. Actually they are created only during the installation of the packages, but this is too late. Because during the installation the content is often already created within the destination directory.

Everything that is executed hereafter happens on the TrueNAS/FreeBSD host. NOT inside the jail!

TrueNAS

User creation

  • TrueNAS / Accounts / Groups / Add
    GID: ID    # ex. 211
    Name: NAME # ex. gitea
  • TrueNAS / Accounts / Users / Add
    Full Name: NAME    # ex. Gitea User
    Username: USERNAME # ex. gitea
    Password: PASSWORD # ex. 123
    User ID: ID        # ex. 211
    Primary Group: ID  # ex. 211
    Shell: nologin     # No login allowed
    Home: /nonexistent # No home directory

Create data dataset

  • TrueNAS / Storage / Pools / tank/jails_data/JAILNAME / Add Dataset
    Name: POOLNAME # ex. data

Dataset permissions

  • TrueNAS / Jails / Mount Points / tank/jails_data/JAILNAME / Edit Permissions
    User: ID  # ex. 211
    Group: ID # ex. 211

Mount dataset

Practical: The target directories in the jail are created automatically when the mount points are assigned. Also recursive!

  • TrueNAS / Jails / JAILNAME / Mount Points / Actions / Add
    data:
    └──Source: SOURCE           # ex. /mnt/tank/jails_data/gitea/data
    └──Destination: DESTINATION # ex. /mnt/tank/iocage/jails/gitea/root/var/db/gitea

So in the jail GITEA the directory /usr/local/etc/gitea points to the actually external directory /mnt/tank/jails_data/gitea/data.
Everything clear? Good!

Voilá