How early can jails be started?

James Gritton jamie at freebsd.org
Sun Aug 10 04:34:58 UTC 2014


On 8/9/2014 6:53 PM, Warren Block wrote:
> Is it technically possible to start a jail much earlier in the boot 
> order?
>
> The reason is that a jailed DNS server could be used by the host if it 
> was started before any of the host's network services needed DNS.  
> After /etc/rc.d/netwait, say.
>
> There may be other jailed services that would also benefit from an 
> early start, but DNS is something of a special case and the only one 
> that comes to mind.

Sure - jails can go quite early.  Technically, very near the beginning.

You'll want local filesystems, assuming you want your jail chrooted 
somewhere (you do for normal-use jails, but it's not as obviously true 
for single-purpose jails).  In the same situation, you'd want to depend 
on devfs so you can mount a devfs with the proper ruleset.

If you want to add IP address aliases, you'll need networking set up, 
but if you just want to restrict to already existing addresses or run in 
an unrestricted IP setup, you don't even need that. Except ...

Other than that, the only restriction is what you want to do with the 
jail.  So for the DNS server example, it's whatever an unjailed DNS 
server would require.  So yeah, something like netwait.

- Jamie
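The ordering described in the reply above, as an added example that is not part of the original post: a hypothetical rc.d script `earlyjail` whose `REQUIRE` line names local filesystems, devfs and netwait, checked with a tsort(1)-based stand-in for rcorder(8). The script name, the `hostsvc` service, the jail name `dns` and the stub headers are assumptions constructed for illustration, not FreeBSD's real rc.d headers.

```shell
#!/bin/sh
# Added example. earlyjail, hostsvc and the jail name "dns" are hypothetical;
# the stub headers are constructed and are not FreeBSD's real rc.d headers.

# Write the hypothetical early-jail rc.d script plus constructed stubs into $1.
make_scripts() {
    dir=$1
    cat > "$dir/earlyjail" <<'EOF'
#!/bin/sh
# PROVIDE: earlyjail
# REQUIRE: FILESYSTEMS devfs netwait
# BEFORE: hostsvc
# KEYWORD: nojail shutdown
. /etc/rc.subr
name="earlyjail"
rcvar="earlyjail_enable"
start_cmd="jail -c dns"   # "dns" must be defined in /etc/jail.conf
stop_cmd="jail -r dns"
load_rc_config $name
run_rc_command "$1"
EOF
    for s in FILESYSTEMS devfs netwait; do
        printf '# PROVIDE: %s\n' "$s" > "$dir/$s"
    done
    # A host service that needs DNS; it names no dependency on the jail itself.
    printf '# PROVIDE: hostsvc\n# REQUIRE: netwait\n' > "$dir/hostsvc"
}

# Stand-in for rcorder(8): turn PROVIDE/REQUIRE/BEFORE into tsort(1) pairs.
boot_order() {
    for f in "$1"/*; do
        s=$(sed -n 's/^# PROVIDE: *//p' "$f")
        echo "$s $s"                                   # keep isolated nodes
        for r in $(sed -n 's/^# REQUIRE: *//p' "$f"); do echo "$r $s"; done
        for b in $(sed -n 's/^# BEFORE: *//p' "$f"); do echo "$s $b"; done
    done | tsort
}

# 1-based position of script $2 in the computed order for directory $1.
pos() { boot_order "$1" | grep -n -x "$2" | cut -d: -f1; }

d=$(mktemp -d) && make_scripts "$d" && boot_order "$d"
rm -rf "$d"
```

On a real host, `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` shows where such a script actually lands relative to the installed scripts.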

