Using FreeBSD jails involves two things: a service that creates and destroys a jail, and zero or more services that are then run in that jail. The external configuration import subsystem converts jails to this native form.
Jail services are a simple exercise in the use of the BSD jail command.
The service's start program uses jail -c with its persist option to create a jail that keeps running even whilst it contains no processes.
The service is marked as "ready after run" and "remain", and has a no-op run program that does nothing but exit.
The service's stop program uses jail -r to remove the jail.
Thus a jail's lifetime is controlled by the start and stop of a service, which has no running process itself.
The various configuration settings for the jail command are exposed as service environment variables, accessible with the rcctl or the set-service-env and print-service-env commands.
Services that run in a jail, jailed services, simply use the BSD jexec command in its chain-loading mode.
They use it to move the current process, the dæmon itself, into a jail created and destroyed by a jail service.
They have wants/ and after/ relationships to the jail service.
Because the jail service becomes ready after the jail is fully created, they do not run until there is a jail for them to switch themselves into; and starting them implicitly starts the service for the jail that they run in.
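The arrangement described above, sketched as plain sh. This is an added example, not the toolset's own code or bundle format: the scratch directory layout, the function names and the JAIL_PATH variable are assumptions made for illustration, while jail -c with persist, jail -r and jexec are the FreeBSD commands named in the text.

```shell
#!/bin/sh
# Added illustration: writes plain sh stand-ins for the programs described
# above. Directory layout, function names and JAIL_PATH are assumptions.

# Reject names that could smuggle shell syntax into the generated programs.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# make_jail_service DIR NAME
# start creates a persistent jail, run is a no-op, stop removes the jail.
make_jail_service() {
    valid_name "$2" || return 1
    mkdir -p "$1/service" || return 1
    # persist keeps the jail alive while it contains no processes.
    printf '#!/bin/sh\nexec jail -c name=%s path="${JAIL_PATH:?}" persist\n' "$2" > "$1/service/start"
    printf '#!/bin/sh\nexit 0\n' > "$1/service/run"
    printf '#!/bin/sh\nexec jail -r %s\n' "$2" > "$1/service/stop"
    chmod +x "$1/service/start" "$1/service/run" "$1/service/stop"
}

# make_jailed_service DIR JAIL_SERVICE_DIR NAME COMMAND...
# run chain-loads through jexec, so the daemon replaces the run program
# inside the jail. COMMAND is the operator's own and is written as given.
make_jailed_service() {
    dir=$1 jail_dir=$2 name=$3
    shift 3
    valid_name "$name" || return 1
    mkdir -p "$dir/service" "$dir/wants" "$dir/after" || return 1
    printf '#!/bin/sh\nexec jexec %s %s\n' "$name" "$*" > "$dir/service/run"
    chmod +x "$dir/service/run"
    # wants/ pulls the jail service in; after/ orders this service behind it.
    ln -sf "$jail_dir" "$dir/wants/$name"
    ln -sf "$jail_dir" "$dir/after/$name"
}
```

The jail name is validated before it is written into any generated program, because it ends up on a command line that runs as root on the host.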