This is a short list of known issues.
88 character mount path limitation
There is a known mountpoint path length limitation on FreeBSD, set to a historical 88 character limit.
This issue does not affect iocell jails from functioning properly, but can present challenges when diving into ZFS snapshots (cd into .zfs/snapshots, tar, etc.).
ZFS snapshot creation and rollback is not affected.
To work around this issue, iocell 1.6.0 introduced a hack88 property.
Shut down the jail:
iocell stop myjail
Set the hack88 property to "1":
iocell set hack88=1 myjail
Start the jail again:
iocell start myjail
To revert back to full paths, repeat the procedure but set the hack88 property to "0".
To create a system wide default (introduced in 1.6.0) for all newly created jails use:
iocell set hack88=1 default
iocell does not validate properties right now. Please refer to the man page to see what is supported for each property. By default iocell pre-configures each property with a safe default.
VNET/VIMAGE can cause unexpected system crashes when VNET enabled jails are destroyed, that is, when the jail process is killed, removed or stopped.
As a workaround iocell allows a warm restart without destroying the jail. By default the restart sub-command will execute a warm restart:
iocell restart UUID
FreeBSD 10.1-RELEASE is stable enough to run with VNET and warm restarts. There are production machines with iocell and VNET jails running well beyond 100 days of uptime running both PF and IPFW.
VNET/VIMAGE issues w/ ALTQ
As recent as FreeBSD 10.1-RELEASE-p10, there is some interesting interaction between VNET/VIMAGE and ALTQ, which is an ALTernate Queueing system used by PF and other routing software. Should you compile a kernel, make sure that you do not have any of the following lines in your kernconf (unless you want to disable VNET):
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
Otherwise, should you try to start a jail with VNET support enabled, your host system will more than likely crash. You can read a little more at the mailing list post here.
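As an added example (not part of iocell or its documentation), a small POSIX sh pre-flight script covering the two build-time pitfalls above: the 88 character mountpoint limit and ALTQ options left in a kernconf. The helper names, the sample jail UUID and the snapshot path are assumptions made for the demo.

```shell
#!/bin/sh
# Pre-flight checks for two iocell known issues (hypothetical helpers).

MOUNT_PATH_MAX=88

# Returns 0 if every path given as an argument fits the 88 character
# mountpoint limit, 1 otherwise; prints each offending path and its length.
check_mount_paths() {
    rc=0
    for p in "$@"; do
        if [ "${#p}" -gt "$MOUNT_PATH_MAX" ]; then
            printf 'too long (%d > %d): %s\n' "${#p}" "$MOUNT_PATH_MAX" "$p"
            rc=1
        fi
    done
    return $rc
}

# Prints any "options ALTQ*" lines found in the kernel config file $1.
# Returns 0 when none are present (safe to enable VNET), 1 otherwise.
# "|| true" keeps a no-match grep from aborting a script run under set -e.
check_kernconf_altq() {
    found=$(grep -E '^[[:space:]]*options[[:space:]]+ALTQ' "$1" || true)
    if [ -n "$found" ]; then
        printf 'VNET-unsafe ALTQ options in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    return 0
}

# Constructed inputs for a stand-alone run: a snapshot path under a jail root
# (36 character UUID plus a timestamped snapshot name) and a throwaway kernconf.
SNAP="/iocell/jails/d66b3d8a-7c4a-11e5-a1f3-0800279f2d2d/root/.zfs/snapshot/ioc-2015-10-26_12-00-00"
check_mount_paths "$SNAP" || echo "consider hack88=1 for this jail"

KERNCONF=$(mktemp) || exit 1
printf 'options VIMAGE\noptions ALTQ\noptions ALTQ_CBQ\n' > "$KERNCONF"
check_kernconf_altq "$KERNCONF" || echo "rebuild the kernel without ALTQ before enabling VNET"
rm -f "$KERNCONF"
```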
IPv6 host bind failures
In some cases a jail with an IPv6 address may take too long adding the address to the interface, and services defined to bind specifically to that address may fail. In such cases, add the following sysctl to disable DAD (duplicate address detection) probe packets:
sysctl net.inet6.ip6.dad_count=0
To make it permanent, add the setting to sysctl.conf:
# disable duplicated address detection probe packets for jails
net.inet6.ip6.dad_count=0