Ansible FreeBSD Jail Management: jailexec Connection Plugin Guide

By Luca Berton · Published 2024-01-01 · Category: installation

How to manage FreeBSD jails with Ansible using the jailexec connection plugin. Run tasks inside jails via jexec without SSH, with practical examples.

Introduction

Managing FreeBSD jails with Ansible has traditionally required SSH access into each jail — something you typically don't want in a secure jail setup. The ansible-jailexec connection plugin solves this by running tasks inside jails via jexec on the jail host.

The plugin recently shipped two major releases: 1.1.0 (complete refactor) and 1.2.0 (jail root override).

How jailexec Works

Instead of SSHing directly into each jail, the plugin:

- Connects over SSH to the jail host (the FreeBSD machine running the jails)
- Uses jexec to execute commands inside the target jail
- Inherits all SSH options from ansible-core's built-in SSH plugin

This means features like ControlPersist, jump hosts, SSH keys, and password authentication all work automatically.

Installation

# Install from Galaxy (when available)
ansible-galaxy collection install community.jailexec

# Or install directly from GitHub
pip install git+https://github.com/chofstede/ansible_jailexec.git

Basic Configuration

Inventory Setup

# inventory/freebsd-jails.ini
[jail_host]
freebsd-host ansible_host=192.168.1.50 ansible_user=admin

[jails]
web-jail ansible_host=freebsd-host ansible_connection=jailexec ansible_jail_name=web
db-jail ansible_host=freebsd-host ansible_connection=jailexec ansible_jail_name=db
mail-jail ansible_host=freebsd-host ansible_connection=jailexec ansible_jail_name=mail

YAML Inventory

# inventory/freebsd-jails.yml
all:
  children:
    jail_host:
      hosts:
        freebsd-host:
          ansible_host: 192.168.1.50
          ansible_user: admin
    jails:
      vars:
        ansible_connection: jailexec
      hosts:
        web-jail:
          ansible_host: freebsd-host
          ansible_jail_name: web
        db-jail:
          ansible_host: freebsd-host
          ansible_jail_name: db
        mail-jail:
          ansible_host: freebsd-host
          ansible_jail_name: mail

Managing Jails with Playbooks

Basic Jail Configuration

- name: Configure FreeBSD jails
  hosts: jails
  tasks:
    - name: Install packages in jail
      ansible.builtin.raw: pkg install -y nginx python3

    - name: Create web directory
      ansible.builtin.file:
        path: /usr/local/www/mysite
        state: directory
        mode: '0755'

    - name: Deploy nginx configuration
      ansible.builtin.template:
        src: nginx.conf.j2
        dest: /usr/local/etc/nginx/nginx.conf
        mode: '0644'
      notify: restart nginx

    - name: Enable and start nginx
      ansible.builtin.service:
        name: nginx
        state: started
        enabled: true

  handlers:
    - name: restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted

Using ansible_jail_root (New in 1.2.0)

For nested or VNET jails where the default jls -j path probe returns incorrect paths, set ansible_jail_root on the affected hosts to override the jail root:

# Override jail root path for complex setups
jails:
  vars:
    ansible_connection: jailexec
  hosts:
    nested-jail:
      ansible_host: freebsd-host
      ansible_jail_name: nested
      ansible_jail_root: /zroot/jails/nested/root
    vnet-jail:
      ansible_host: freebsd-host
      ansible_jail_name: vnet-web
      ansible_jail_root: /usr/local/bastille/jails/vnet-web/root

Security Considerations

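The jailexec approach removes the need for an SSH daemon inside each jail, which makes it more secure than SSHing into jails. With no sshd required, the service can be stopped and disabled in every jail: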

- name: Security-hardened jail management
  hosts: jails
  tasks:
    - name: No SSH daemon needed inside jails
      ansible.builtin.service:
        name: sshd
        state: stopped
        enabled: false
      ignore_errors: true

    - name: Restrict jail networking
      ansible.builtin.lineinfile:
        path: /etc/rc.conf
        line: "{{ item }}"
      loop:
        - 'sshd_enable="NO"'
        - 'sendmail_enable="NONE"'
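
A verification play to run after the hardening tasks above, since `ignore_errors: true` can hide a task that did not take effect. This is an added example, not from the original article or the plugin project; it assumes the `jails` inventory group shown earlier and Python installed inside each jail, and the play, task and variable names are illustrative.

```yaml
# Added example: audit play, not from the original article or the plugin project.
# Assumes the "jails" group from the inventory above and python3 inside each jail.
- name: Verify that jails expose no SSH or sendmail service
  hosts: jails
  gather_facts: false
  tasks:
    - name: Read effective rc.conf values inside the jail
      ansible.builtin.command: sysrc -n {{ item }}
      loop:
        - sshd_enable
        - sendmail_enable
      register: rc_values
      changed_when: false

    - name: Ask rc(8) whether sshd is running
      ansible.builtin.command: service sshd onestatus
      register: sshd_status
      changed_when: false
      failed_when: false  # non-zero rc means "not running"; judged below

    - name: List TCP listeners on port 22 inside the jail
      ansible.builtin.command: sockstat -l -P tcp -p 22
      register: ssh_listeners
      changed_when: false

    - name: Fail if any SSH exposure remains
      ansible.builtin.assert:
        that:
          - rc_values.results[0].stdout | trim | upper == 'NO'
          - rc_values.results[1].stdout | trim | upper == 'NONE'
          - sshd_status.rc != 0
          # sockstat always prints one header line; extra lines are listeners
          - ssh_listeners.stdout_lines | length <= 1
        fail_msg: "{{ inventory_hostname }}: sshd or sendmail is still enabled, running, or listening"
```

The listener check catches an sshd started by hand or by another service manager, which the rc.conf values alone would not reveal.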

FAQ

Do I need SSH running inside the jails?

No — that's the main advantage. The plugin uses jexec from the host, so jails don't need SSH daemons.

Does it work with Bastille or ezjail?

Yes. Use ansible_jail_root to specify the correct filesystem path if the default probe doesn't work with your jail manager.

What ansible-core versions are supported?

The plugin is tested against ansible-core 2.14 through 2.20, covering all current supported versions.

Conclusion

The ansible-jailexec connection plugin makes FreeBSD jail management with Ansible practical and secure. No SSH inside jails, full SSH option inheritance, and proper support for complex jail topologies.
