thick jail

Enable jails.

sysrc jail_enable=YES
Sysrc jail_parallel_start=YES

Create zfs datasets.

zfs create -o mountpoint=/jails zroot/jails
zfs create zroot/jails/media
zfs create zroot/jails/base

Fetch userland.

fetch https://download.freebsd.org/ftp/releases/$(uname -m)/$(freebsd-version -k)/base.txz -o /jails/media/$(freebsd-version -k)-base.txz

Extract it to base.

cd /jails
tar -xf media/$(freebsd-version)-base.txz -C base --unlink
ls -l base

Copy DNS and time zone configurations to the template.

cp /etc/resolv.conf base/etc/
cp /etc/localtime base/etc/

Patch base.

freebsd-update -b /jails/base fetch install

Bootstrap pkg (execute pkg(8) inside a chroot(8)).

pkg -c /jails/base install -y pkg

Create snapshot, this will become a template.

zfs snapshot zroot/jails/base@$(freebsd-version)-$(date +%d-%b-%y)

Clone template for new jail.

zfs clone zroot/jails/base@<snapshot from above> zroot/jails/alcatraz

Set default configuration in /etc/jail.conf.

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";

allow.raw_sockets;
exec.clean;
mount.devfs;

devfs_ruleset=4;
enforce_statfs=1;
securelevel=2;

.include "/etc/jail.conf.d/*.conf";

Jail specific configurations should go inside /etc/jail.conf.d/.

alcatraz {
  exec.consolelog = "/var/log/jail_console_${name}.log";

  host.hostname = "${name}.jail";
  path = "/jails/${name}";

  ip4.addr = 192.168.0.63;
  interface = re0;
}

Add new jail to the rc.

sysrc jail_list+="alcatraz"

Jail is ready to go.

jls
service jail start alcatraz
jls
jexec -u root alcatraz