iocage jail

If you’ve read part 1 and 2, I promise this will be the last one where I’m going to talk about how I rebuilt my iocage jails, talking each one in turn.


I started with this one as I knew installing the ports within the jail would be straightforward, but I’d need to get my head around mounting datasets within the jail.  I also run my old Warden jail with the emby configuration folder in its own dataset (/mnt/tank/embydb) which I was hoping would make the migration a little easier.

It was exactly as I expected, once I’d worked out how to mount the datasets, which proved more tricky due to some of the names, which included spaces.  I just couldn’t work this out in iocage, so ended up having to change the names to include _ instead of the spaces, and then apply this to the old emby jail, updating the configuration.

Once I’d done that and built the jail from the ports (e.g. make clean install) and not pkg (the emby package installs old versions of FFmpeg and mono) everything fired up perfectly, and I simply redirect the IP in my reverse proxy jail.  I suspect the external users didn’t even notice the switch!


I wasn’t actually running a Nextcloud jail, but having played around with the latest version in a Docker container for the last few months, I think I prefer the way it’s heading to the ownCloud Warden jail I had.  Building all the components using pkg install isn’t complicated, but there are lots of steps to follow.  There are some excellent guides on the FreeNAS forum, including some new scripts that automate everything from jail creation to service configuration, a little like the plugins.  

I didn’t go down this route, as I didn’t need some of the packages (e.g. Letsencrypt) and stuck to a tried and tested ownCloud guide, simply replacing the references for Nextcloud.  There was nothing to migrate as I simply replicated each user’s data back to the server (which took the most time), and mounting datasets for the database and files was simple having learnt from the emby experience.


So this is the one that I expected the most problems with, having taken some time and several failed attempt to get it set-up in a Warden jail.  It’s the only one I haven’t got working, and I’m not going to go into too much detail here as I suspect they’ll be more blogs about getting this working.  

There is a known issue with iocage networking in 11.1-U4, which might, or might not, be related, but I still have the old Warden jail working so I’m going to wait for a future FreeNAS update before spending too much more time on resolving.

Nginx reverse-proxy with SSL

This one was remarkably straightforward, as it’s just a couple of services, installed from ports as I wanted the latest version of OpenSSL and Certbot.  After that I simply copied these folder from my old jail:

  • /usr/local/etc/nginx/nginx.conf
  • /usr/local/etc/nginx/sites-available/*
  • /usr/local/etc/letsencrypt

A few minor changes to create symbolic links to the sites-enabled folder and Nginx was up and running.  Then, much to my surprise, the Certbot renewal ran successfully, although didn’t renew anything as it wasn’t due.  The acid test will be when the cron job runs and renews a cert but until then migration complete.

Unbound DNS

Another simple one to create as it’s only the unbound port and nothing mounted.  I could have copied the configuration file but thought it was better to rebuild from the excellent DrKK guide on the FreeNAS forum / Youtube video.  The only issues I found was that some of the configurations needed updating to reflect the later version of unbound, but it didn’t take long to work out.


This jail has been really useful for transferring e-books from my Mac to Kindles without having to use any wires, but it was never updated from the time it was built so is almost 2 years old.  Over that time Calibre has moved on quite significantly, and the interface is so much nicer than it was.   You can create user accounts, access multiple libraries, edit metadata, read books in the browser window (not the nicest interface) and even add new books (although not tried this yet) in the latest version.

Starting the service was a little tricky as the commands have changed a little, but the user documentation got me there in the end.  A great improvement and one I aim to keep much more up to date with iocage!


I’d left this one until the end as I expected this one to be more problematic than it turned out to be, although it did present some challenges!

To be fair, I’d learnt quite a bit by this stage and creating the iocage jail really wasn’t that bad.  I first needed to build a FEMP stack (nginx, mariadb102 and php71) which I just did using pkg install for speed.  Then I configured the MariaDB server, before mounting my old WordPress database dataset into the new jail (iocage fstab -a wordpress “/mnt/tank/wpdb /var/db/mysql nullfs rw 0 0”).  I then copied across the wordpress folder from my old jail to the new one and restarted everything.

Unsurprisingly that didn’t work, as I’d forgotten to install the WordPress package which has a number of dependencies!  After installing this, I then needed to fight through various WordPress errors, mainly down to a couple of WPMU DEV plugins (Hummingbird and Defender) which I needed to disable and then a couple of PHP modules that I’d missed.  

Once these were resolved, everything appeared to work fine and my company webpage and this blog were back online (I’d needed to redirect the address in the reverse-proxy server to diagnose the issues).  It was only a few hours later when I tried to log in and change some things that my password didn’t work.  Not sure why, and changing using the MySQL commands proved more difficult than I imagined, but eventually everything was working as it was before.  

And that’s pretty much it.  All of my main jails have been rebuild using iocage and the old ones switched off.  I still have 3 Warden jails running – ownCloud (until I update some shared links), OpenVPN (until I get the iocage one working) and a really old FEMP jail (that I have a bunch of stuff I’d set up to play with and test, including my really old WordPress service, Joomla and Drupal services) with no plans to move this and when it dies it dies.  There are also 4 Warden jails switched off – Plex, PlexPy, the old Nginx Reverse-proxy and WordPress jails.  I’ll delete these over the coming months once I’m happy everything is working as it should.

Whilst not directly related, as part of this upgrade project I also spent some time rationalising my Docker containers in the iohyve VM.  I got everything running in Portainer through a docker-compose.yml file and sharing a single MySQL database container, although that’s starting to sound a lot like another blog…