Wheezy

A complete Debian GNU/kFreeBSD system should work within a jail, on a GNU/kFreeBSD or regular FreeBSD host system, with a few limitations.

Jails work a lot like OpenVZ on Linux: on the host you can see all processes running in all jails, while from within a jail you can only see the processes running in that jail.

Limitations

Be aware that some files in /proc or /sys, such as /proc/mounts, are not partitioned per jail: linprocfs renders the host's whole mount table, so a jail can read (but not change) the host's mountpoints and those of the other guests, including where their root directories live.

Some features, such as SysV IPC, are not namespaced per jail: a jail that has it enabled shares one set of shared-memory segments, semaphores and message queues with the host and with every other jail that has it enabled, so for security reasons it is disabled by default (the jail parameter allow.sysvipc). As a result postgresql-server, which allocates its shared buffers as SysV shared memory, will not normally work in a jail; allow.sysvipc=1 makes it work at the cost of that isolation.

Raw sockets are normally disabled (allow.raw_sockets=0), because a raw socket lets a process write its own IP headers and so forge packets from inside the jail. The ping tool, which needs a raw ICMP socket, will not work as a result. Setting allow.raw_sockets=1 lifts the restriction; jail(8) documents that the kernel then forces the source address of raw packets to one bound to the jail, so ping and traceroute work without giving the jail arbitrary spoofing.

Starting or stopping a jail

Assuming a debootstrap'd installation already exists in /srv/jail/$JID/, here is an example of how to start it up in a jail:

JID=101

# Linux-like /proc and /sys filesystems
mount -t linprocfs linprocfs /srv/jail/$JID/proc
mount -t linsysfs linsysfs /srv/jail/$JID/sys

# Ramdisk required for /run
mount -t tmpfs tmpfs /srv/jail/$JID/run

# /dev filesystem. Note that a plain devfs mount exposes every device node of the
# host (disks included) unless a devfs ruleset is applied to this mountpoint.
mount -t devfs devfs /srv/jail/$JID/dev

# Compatibility symlink from /dev/shm to /run/shm
ln -s /run/shm /srv/jail/$JID/dev/

# Optionally enable networking. The IP address must already be assigned to an
# interface on the host (for example as an alias); leave out ip4.addr below for
# a jail without network access.
HOSTNAME=jail$JID.example.com
IP=10.1.0.$JID

mkdir -p /var/run/jail
# Everything after command= is passed to the command, so sh gets -c and the
# quoted string as a command line (with -- it would look for a script of that name).
jail -J /var/run/jail/$JID.jid -c jid=$JID \
  name=jail$JID \
  path=/srv/jail/$JID \
  host.hostname=$HOSTNAME \
  ip4.addr=$IP \
  command=/bin/sh -c "/etc/init.d/rc S && /etc/init.d/rc 2"

If openssh-server is installed within the jail, you should be able to SSH into it like a virtual private server.

The devd package may be removed as it will typically not work in a jail.

jls (to list running jails) is not available yet.

jexec is not available yet, but you can probably get by with jail -m jid=$JID command=/bin/bash, which modifies the running jail and runs the command inside it (the jid is the one recorded in /var/run/jail/$JID.jid by the -J option above).

A jail stops 'running' when all processes within it exit. (Within the jail, /etc/init.d/rc 0 ; kill -TERM -1 may be a way to force a shutdown: a pid of -1 signals every process the caller can see, which inside a jail is only that jail's own processes, the shell itself included.) The filesystems mounted on the host for the jail stay mounted after the jail has gone and have to be unmounted by hand.
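The start-up steps, the jexec stand-in and the shutdown note above, gathered into one start/stop/enter script. This is an added example, not code from the Debian wiki page or from the freebsd-utils package; it assumes the layout used on this page (jail roots under /srv/jail/$JID, jid files under /var/run/jail, one address 10.1.0.$JID per jail already configured on a host interface, and a jail(8) that accepts -c, -m and -J), checks those preconditions before touching anything, applies a devfs ruleset where the devfs(8) utility exists, and unmounts the host-side filesystems again on stop.

```shell
#!/bin/sh
# Added example, not code from the Debian wiki page: a start/stop/enter wrapper
# around the steps described above. Assumptions: the jail root lives under
# /srv/jail/$JID, jid files go to /var/run/jail, each jail's address is
# 10.1.0.$JID on an interface of the host, and jail(8) supports -c/-m/-J.
JAIL_BASE=${JAIL_BASE:-/srv/jail}
JID_DIR=${JID_DIR:-/var/run/jail}
IP_PREFIX=${IP_PREFIX:-10.1.0}
DOMAIN=${DOMAIN:-example.com}

# The JID doubles as the last octet of the address, so it must be 1..254.
valid_jid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

jail_ip()   { printf '%s.%s\n' "$IP_PREFIX" "$1"; }
jail_root() { printf '%s/%s\n' "$JAIL_BASE" "$1"; }

# Filesystems mounted into the jail, as "<fstype> <dir>", in mount order.
jail_mounts() {
    printf '%s\n' 'linprocfs proc' 'linsysfs sys' 'tmpfs run' 'devfs dev'
}

# Print stdin lines last-first; used to unmount in reverse order.
reverse_lines() { awk '{ a[NR] = $0 } END { for (i = NR; i > 0; i--) print a[i] }'; }

# Refuse to start unless the address is really configured on a host interface
# (BSD ifconfig prints "inet 10.1.0.101 netmask ..." for an assigned address).
host_has_ip() { ifconfig | grep -q "inet $1 "; }

start_jail() {
    jid=$1
    valid_jid "$jid" || { echo "bad JID: $jid" >&2; return 1; }
    root=$(jail_root "$jid"); ip=$(jail_ip "$jid")
    [ -x "$root/etc/init.d/rc" ] || { echo "no Debian system under $root" >&2; return 1; }
    host_has_ip "$ip" || { echo "$ip is not assigned on the host" >&2; return 1; }
    jail_mounts | while read -r fstype dir; do
        mount -t "$fstype" "$fstype" "$root/$dir"
    done
    # A bare devfs mount exposes every host device node. Where devfs(8) and its
    # rulesets exist (stock FreeBSD ruleset 4 is the jail ruleset), apply one.
    if command -v devfs >/dev/null 2>&1; then
        devfs -m "$root/dev" rule -s 4 applyset
    fi
    ln -sf /run/shm "$root/dev/shm"
    mkdir -p "$JID_DIR"
    # sh -c: the quoted string is a command line, not a script path.
    jail -J "$JID_DIR/$jid.jid" -c jid="$jid" name="jail$jid" path="$root" \
        host.hostname="jail$jid.$DOMAIN" ip4.addr="$ip" \
        command=/bin/sh -c '/etc/init.d/rc S && /etc/init.d/rc 2'
}

# Stand-in for jexec: modify-and-run a shell inside the existing jail.
enter_jail() {
    valid_jid "$1" || return 1
    jail -m jid="$1" command=/bin/bash
}

# Run the Debian shutdown scripts inside the jail, kill what is left, then
# release the host-side mounts, which do not go away when the jail does.
stop_jail() {
    jid=$1
    valid_jid "$jid" || return 1
    root=$(jail_root "$jid")
    # pid -1 inside a jail only reaches that jail's own processes.
    jail -m jid="$jid" command=/bin/sh -c '/etc/init.d/rc 0; kill -TERM -1' || true
    sleep 2
    jail_mounts | awk '{ print $2 }' | reverse_lines | while read -r dir; do
        umount "$root/$dir"
    done
    rm -f "$JID_DIR/$jid.jid"
}

case "${1:-}" in
    start) start_jail "$2" ;;
    stop)  stop_jail "$2" ;;
    enter) enter_jail "$2" ;;
    '')    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|stop|enter JID" >&2; exit 2 ;;
esac
```

Run it as root on the host, for example ./jailctl.sh start 101 and later ./jailctl.sh stop 101. The devfs ruleset step is the one part that may not apply on a Debian GNU/kFreeBSD host, which is why it is skipped when no devfs utility is found; without it the jail still starts, but with an unrestricted /dev.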

Squeeze

The libjail package was not distributed with Squeeze.