Jail management tool


#1

What is the current standard jail management tool for TrueOS and how does it work? iocage seems to be not supported for me. (Or am I wrong? I do not even see it with a SysAdm client (aka the Control Panel).)


#2

Quite a while ago I remember some discussion of changing the warden GUI to use iocage as a back-end, but I have not seen anything recently about this.

(I just run Plain FreeBSD on my servers and just use the iocage for my jails and iohyve for my VMs)


#3

I heard Kris mention on BSD Now that iocage is being rewritten. Oh, and I just checked on their GitHub; it says the same thing.
In the meantime, you can try ezjail.


#4

There is another one, http://chyves.org/ but I am not sure if this is the one that was talked about on BSD Now. Currently PC-BSD and TrueOS seem free of any iocage dependency; previously PC-BSD base depended on iocage-devel which had problems with my existing jails, that was why I had to go to plain FreeBSD (also to be compatible with Digital Ocean Droplets) and the stable iocage. TrueOS also has a package for chyves so it might be worth a try.


#5

chyves is for managing bhyve VMs, not jails.


#6

I’m using iocage in production and on my desktop machines. Mainly because there are ansible roles available to fully deploy a jail host + jails with various applications. But also because I really like the deeply baked-in ZFS support. Due to the fact that properties are stored in the dataset-metadata the jails can be easily ported/restored to other hosts.

iocage is mainly just a bunch of shell scripts wrapped around zfs and jail - as long as these tools don’t change their CLI syntax massively, iocage should keep working just fine, even without ongoing development. (OTOH: what’s to develop on a working and fairly complete tool?)

The SysAdm Client currently only supports ezjail IIRC, but as SysAdm is under heavy development I wouldn’t base the decision on which jail management tool to use on the support from SysAdm. This might change at any time, but migrating existing jails to another management tool can be quite some work…


#7

Hi, this is a newbie question with some problems with iocage. I have set up a local TrueOS server on the 192.168.1.2 LAN:

[samob@osa] ~% uname -a
FreeBSD osa.rula.org 12.0-CURRENT FreeBSD 12.0-CURRENT #14 1717ae3(drm-next-4.7): Fri Oct 28 13:49:49 UTC 2016 root@gauntlet:/usr/obj/usr/src/sys/GENERIC amd64

I have followed this article from March 2015. I installed iocage:

iocage --version
iocage 1.7.4 (2016/02/17)

Created a new jail with IP 192.168.1.3:

jls
JID IP Address Hostname Path
1 192.168.1.3 webserver.rula.org /iocage/jails/08b11181-a9d7-11e6-a783-001fd098cc7c/root

I can “jump in” jail with:

iocage console 08
FreeBSD 12.0-CURRENT (GENERIC) #14 1717ae3(drm-next-4.7): Fri Oct 28 13:49:49 UTC 2016

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace “en” with a language code like de or fr.

Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.
root@webserver:~ #

IP numbers are ok in jail:

root@webserver:~ # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 00:1f:d0:98:cc:7c
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255 vhid 3
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>

Jail ip is visible in host server:

[root@osa] ~# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 00:1f:d0:98:cc:7c
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo

Now the problem is that I can’t ssh into the jail from the PCBSD machine. I have run “adduser” in the jail and set up a password, but ssh user@192.168.1.3 does not let me in :frowning:

I have added this line to /etc/hosts on my PCBSD desktop (just to be safe, I tried both the IP and the URL):

192.168.1.3 webserver webserver.rula.org

Output of that is:

[samob@pcbsd] ~% ssh samob@webserver.rula.org
The authenticity of host ‘webserver.rula.org (192.168.1.3)’ can’t be established.
ECDSA key fingerprint is SHA256:raFE5//mf0w9V6f6Hk2LG8koRKNGcNf4R+6C5IAlZ70.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘webserver.rula.org’ (ECDSA) to the list of known hosts.
Password for samob@webserver.rula.org:
Password for samob@webserver.rula.org:
Password for samob@webserver.rula.org:
Permission denied (publickey,keyboard-interactive).

Now the password in the jail is entered with no special characters, a simple combination of lowercase letters and numbers. What am I doing wrong?

Edit:
I just realised my nginx web server running on the bare-metal host (192.168.1.2) is reachable on the jail IP as well (192.168.1.3), so does this indicate firewall problems?
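What the edit above describes (a host nginx answering on the jail's address) is the normal behaviour of a shared-IP jail whose host daemons are bound to the wildcard address: the jail IP is an alias on the host's re0, as the ifconfig output shows, so any host service listening on `*:port` also answers on 192.168.1.3 for every port the jail itself does not bind. The shell example below is added here and is not part of the thread or of iocage; it reads `sockstat -4 -l` style output and lists such daemons. The sample rows are constructed in sockstat's column layout so the script runs anywhere; on a real host you would pipe live `sockstat -4 -l` into `exposed_on`. The remedy is to pin host daemons to the host address (sshd: `ListenAddress 192.168.1.2` in sshd_config; nginx: `listen 192.168.1.2:80;`), which also removes any doubt about which sshd an `ssh samob@192.168.1.3` reaches.

```shell
#!/bin/sh
# Added example, not from the thread or from iocage: list host daemons bound
# to the wildcard address. With a shared-IP jail (jail IP aliased on the
# host's re0, as in the ifconfig output above) these also answer on the jail
# address for every port the jail itself does not bind.
# Real use on the host:  sockstat -4 -l | exposed_on 192.168.1.3
# The rows below are constructed in sockstat's column layout so this runs
# without FreeBSD.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
www      nginx      901   6  tcp4   *:80                  *:*
root     sshd       1522  4  tcp4   192.168.1.3:22        *:*
root     syslogd    410   7  udp4   127.0.0.1:514         *:*
_ntp     ntpd       620   20 udp4   192.168.1.2:123       *:*'

# wildcard_listeners: stdin = sockstat -4 -l output; prints "COMMAND PORT"
# for each socket bound to *:PORT (header line skipped).
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, a[2] }'
}

# addr_listeners ADDR: same, for sockets bound explicitly to ADDR.
addr_listeners() {
    awk -v addr="$1" 'NR > 1 && index($6, addr ":") == 1 {
        split($6, a, ":"); print $2, a[2] }'
}

# exposed_on ADDR: wildcard listeners whose port nothing binds on ADDR, i.e.
# host services that are reachable at the jail's address. Fix by binding the
# host daemon to the host IP only (sshd_config ListenAddress, nginx listen).
exposed_on() {
    addr=$1
    input=$(cat)
    printf '%s\n' "$input" | wildcard_listeners | while read -r cmd port; do
        if ! printf '%s\n' "$input" | addr_listeners "$addr" |
                awk -v p="$port" '$2 == p { found = 1 } END { exit !found }'; then
            echo "$cmd $port"
        fi
    done
}

# Stand-alone demo on the constructed sample: prints "nginx 80", since the
# jail binds its own sshd on 192.168.1.3:22 but nothing on port 80.
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_on 192.168.1.3
```

Running this on the host before and after changing `ListenAddress` / `listen` directives is a quick way to confirm that only the jail's own daemons remain reachable on the jail IP.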


#9

@jmaloney without detracting from that focus: equally, it will be good to have a capable, user-friendly GUI to jails. Some dependency conflicts are difficult to avoid (and I do not expect this to change in the near future), at least:

– it’s great to have the staged works in progress, I have no wish to push the contributors.

I suspect that for some lapsed users of jails, so many months have passed that we have forgotten the power and potential beauty of jailing in FreeBSD.


#10

@grahamperrin We supposedly had a UI for iocage in sysadm. I have never gotten it to work so I suspect it just needs to be finished. There is a somewhat functional UI for iohyve if it is installed. Overall I think iocage is the best way forward for running more complete, complex setups, or older versions of FreeBSD.

For those who want to check out what I have come up with, it is otherwise mostly usable. I just need to think about networking, and finish it over a weekend sometime.

https://github.com/pkgdemon/trueos-pkg-base-jail



#12

I was too lazy to read “man iocage” because it was too long, it scared me! :dizzy_face:
Don’t know much about warden. But, I like it and use it in my (chroot) jail experiments, with a simple (in and out) jail for Apache, Postgres, exim, PHP7, Drupal 8.* and a few other things. The main system gets a dynamic LAN IP from the router, the warden jail uses a public/static IP with an FQDN host. TCP/IP services (ports) are managed by ipfw and NAT from the main system. All seems to work (somehow) according to me - hehe. I see evil hackers trying to break into my jail day & night. Tho, warden seems to handle the TCP/IP abuse OK.


#14

So am I missing something here? Should iocage work in TrueOS 12? I have 1.7.6_1 installed, and a jail that I built on 10.3, and when I try to start it, I get the following error:

[storm@defiant ~]$ iocage list
JID   UUID                                  BOOT  STATE  TAG                   IP
-     83ddfee0-0a18-11e6-a125-8c89a53530be  on    down   worf   192.168.224.56
[storm@defiant ~]$ sudo iocage start worf
ERROR: hostid mismatch, start failed!
    jail hostid: 2c2cd557-565d-11e5-97ac-8c89a53530be
  host's hostid: 81fdf9f5-8827-11e6-858f-8c89a53530be

This was built on the same machine under 10.3, and it worked prior to the upgrade from PCBSD to TrueOS. So I deleted that jail and created a new one on 12.0.

[storm@defiant] /usr/home/storm# iocage create -c tag=kira ipv4_addr="re0|192.168.224.55/24" release="10.3-RELEASE"
[storm@defiant] /usr/home/storm# iocage list
JID   UUID                                  BOOT  STATE  TAG                   IP
-     5bfe1e90-d410-11e6-8b30-8c89a53530be  off   down   kira   none
[storm@defiant] /usr/home/storm# iocage start kira
ERROR: hostid mismatch, start failed!
    jail hostid: 2c2cd557-565d-11e5-97ac-8c89a53530be
  host's hostid: 81fdf9f5-8827-11e6-858f-8c89a53530be

The jail hostid and the host hostid are the same for both jails ( 2c2cd557-565d-11e5-97ac-8c89a53530be and 81fdf9f5-8827-11e6-858f-8c89a53530be respectively) and are different from the jails’ UUIDs (83ddfee0-0a18-11e6-a125-8c89a53530be and 5bfe1e90-d410-11e6-8b30-8c89a53530be respectively).

So how do I get my jails to run in TrueOS?


#15

You need the jail's hostid to match the /etc/hostid value for each jail or you get the unable-to-start message. It is a protection so that when you zfs send a jail to another machine the copy will not start until you have adjusted the jail’s settings for the new system.


#16

That's why I use warden. I don't know much about the current support level for warden other than it's still in FreshPorts, also as a "pkg" in the TrueOS repos, and it installs OK without any warnings. I know of it from PC-BSD days. Its CLI interface with "warden help" is very helpful and self-explanatory. Again, I am a noob, so I can't say if warden is the viable jail solution in the current version of TrueOS.

Maybe someone can shed some light on the topic. Thanx.

#17

I thought iocage was the new hotness, and what little testing I had time to do in 10.3, it seemed to work fairly well. What I am wondering, since iocage seems to be in mid-rewrite for TrueOS,

I have asked this question before but not gotten an answer. Of the different jail programs (warden, ezjail, iocage, iocell, etc.), do they create compatible jails? Say I went with warden or ezjail right now, can I “upgrade” to iocage or iocell in the future, and still be able to use those jails without rebuilding for the new jail manager?


#18

With reference to the above basic FreeBSD jail system


My noobish understanding of jails is that a FreeBSD jail is a “chroot” environment that relies on the main system kernel’s resources, and its jails are limited to some *nix, FreeBSD, then PC-BSD, and now TrueOS systems. All custom jail utilities are just various scripting frameworks which help with easy management of FreeBSD jails. I assume that some are better than others and each may have more or less sophisticated features such as templates, jail types, fs type, firewall and network configuration. But I don’t think that one can import or export jails created by different custom jail utilities. Even with the same jail utility, exporting and importing jail(s) from/to different versions of the main system can be an issue, in case of major updates or upgrades. Then one has to update or upgrade the world and pkg configuration inside the jail, no matter which utility that jail was created with.
So, that’s my take on jails - correct me if I’m wrong or misunderstand the concept. I shall run my -fbsd and -trueos warden jails until they break or get broken into - lol


#19

How do you set this? I looked for a /etc/hostid in /iocage/jails, I looked in /iocage/.defaults, but the directory was empty.


#20

@ichibiri,

More or less, but some of the newer frameworks like iocage (and presumably iocell) use zfs properties to store information about the jail. Therefore, jails can be migrated between zpools similar to a zfs dataset.

My question is which of the jail managers treat their jail in this manner.
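The two points made in #15 (the hostid guard) and here in #20 (settings stored as zfs properties, so a jail moves with its dataset) can be seen together in one script. The shell example below is added here and is not iocage's own code. Its assumptions, which the thread does not state, are mine: legacy iocage 1.7.x keeps its settings as user properties named `org.freebsd.iocage:<name>` on the jail dataset, and the host's id is the text in `/etc/hostid`. The sample is constructed in the tab-separated layout of `zfs get -H -o property,value all <pool>/iocage/jails/<UUID>`, reusing the UUID and the two hostids quoted in #14, so it runs without zfs; on a real host you would pipe the live `zfs get` output into `jail_hostid`.

```shell
#!/bin/sh
# Added example, not iocage's own code: what "jail settings stored as zfs
# properties" means in practice, plus the hostid guard described in #15.
# Assumptions (mine, not stated in the thread): legacy iocage 1.7.x keeps its
# settings as user properties named org.freebsd.iocage:<name> on the jail
# dataset, and the host's id is the text in /etc/hostid.
# The sample is constructed in the layout of
#   zfs get -H -o property,value all <pool>/iocage/jails/<UUID>
# (tab separated), using the UUID and hostids quoted in #14.
# Real use on a host:  zfs get -H -o property,value all DATASET | jail_hostid
SAMPLE_ZFS_GET=$(printf '%s\t%s\n' \
    type filesystem \
    mountpoint /iocage/jails/83ddfee0-0a18-11e6-a125-8c89a53530be \
    org.freebsd.iocage:tag worf \
    org.freebsd.iocage:ip4_addr 're0|192.168.224.56/24' \
    org.freebsd.iocage:hostid 2c2cd557-565d-11e5-97ac-8c89a53530be \
    org.freebsd.iocage:boot on)

# iocage_props: stdin = zfs get output; prints "name value" for every
# org.freebsd.iocage:* property with the prefix removed. Because they live on
# the dataset they travel with zfs send/receive, which is what makes the jail
# portable between hosts and pools.
iocage_props() {
    awk -F '\t' '$1 ~ /^org\.freebsd\.iocage:/ {
        sub(/^org\.freebsd\.iocage:/, "", $1); print $1, $2 }'
}

# jail_hostid: the hostid recorded for the jail (empty if none is set).
jail_hostid() {
    iocage_props | awk '$1 == "hostid" { print $2 }'
}

# host_hostid [FILE]: the running host's id, whitespace trimmed.
host_hostid() {
    tr -d '[:space:]' < "${1:-/etc/hostid}"
}

# start_allowed JAIL_HOSTID HOST_HOSTID: 0 when they match, 1 with iocage's
# diagnostic otherwise. The guard exists so a dataset copied to another
# machine does not start until its settings are adjusted for that machine:
# after a migration the fix is to re-record the new host's id in the jail's
# hostid property, not to change the host's /etc/hostid.
start_allowed() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        return 0
    fi
    printf "ERROR: hostid mismatch, start failed!\n    jail hostid: %s\n  host's hostid: %s\n" "$1" "$2" >&2
    return 1
}

# Stand-alone demo reproducing the failure shown in #14: the recorded id is
# compared against the host id quoted there, so the start is refused.
recorded=$(printf '%s\n' "$SAMPLE_ZFS_GET" | jail_hostid)
start_allowed "$recorded" 81fdf9f5-8827-11e6-858f-8c89a53530be || echo "jail stays down"
```

Listing the `org.freebsd.iocage:*` properties with `iocage_props` is also the quickest way to answer the question in #19 about where the value lives: it is not a file under /iocage/jails, it is a property on the jail's dataset, which is why the directories there look empty.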


#21

@VulcanRidr If iocell uses the same paths, and zfs properties I would think it would just work as an upgrade. I believe a new version of iocage is being worked on. I can try to look into making sure the existing version works from 10-28-16, and future later this week, or next if you want to throw us a ticket @ https://www.github.com/trueos/trueos-core. I know I had iocage-devel working fine with earlier OpenRC builds.