What's the future of FreeBSD jail management utilities?


#1

I’m checking, periodically, on the development/update status of my fav PCBSD/TrueOS/FreeBSD jail management utilities: warden, iocage and iocell (a fork of iocage). Although they all seem to work OK for my needs, and can be easily configured to install and run TrueOS server or FreeBSD inside with custom templates using manually downloaded current master distribution files, I don’t see any info on GitHub about future improvements or updates of those utilities so that they can deal directly with the current repositories of TrueOS and FreeBSD.

I know that docker can do nice things inside its container, but that’s a different idea with a different application, and at that with Linux inside and go outside. When someone builds a nice docker app/package, it’s an easy play. But when docker needs custom configuration of various daemons, frameworks and net with firewall, it’s a major operation, since docker was not really designed for such tasks, but FreeBSD jails are.

That’s why I’m nagging about FreeBSD jails, because I would like to run TrueOS server or FreeBSD inside jail(s) - thin, thick or full. Raw jail utility is fine, but why not maintain some, or at least one good jail management utility up to date that reflect(s) current state(s) of TrueOS and FreeBSD?


#2

TrueOS is working closely with the developer(s) of iocage for jail functionality.

If you want to see some of the stuff we have been collaborating on, look at the “plugins” option for iocage. That is a simple way to install/run/configure any application within a stand-alone jail/container.


#3

That is it, I guess

Edit:

Had to also read this to understand what’s going on :face_with_raised_eyebrow:


#4

That is just the ones that the FreeNAS guys have been putting together and updating.
I was more referring to the “iocage help” documentation on the plugin commands. Basically, anybody can generate a JSON manifest for an application and iocage can use that to fetch/install/configure the application in a FreeBSD jail. The people I have talked to who have been working on this say it only takes about 5-15 minutes to make a brand-new plugin manifest for iocage. Actually making one on the host system is incredibly easy/fast.


#5

Until now, I was in the warden and iocell (the so-called better iocage) worlds, though both without ongoing support. I didn’t even notice that iocage turned into py36-iocage in the repos.

Where does the “iocage help” documentation about plugins come from?

iocage -v
Version 0.9.9.2 09/30/2017

I must be looking at the wrong iocage package. Nothing here about plugins in "iocage --help".
man iocage offers info on the existence of the --plugins option, but I’ve seen all that before.

I’m lost again, I don’t see anything new in here :confused:

Edit:

I’ll play with it, fetching & creating 11.1 to see what’s going on

Fetching: 11.1-RELEASE

Downloading: MANIFEST: 100% 8.51Kbit/s Elapsed: 00:00 Remaining: 00:00
Downloading: base.txz: 100% 7.14Mbit/s Elapsed: 00:14 Remaining: 00:00  
Downloading: lib32.txz: 100% 5.91Mbit/s Elapsed: 00:03 Remaining: 00:00
Downloading: doc.txz: 100% 1.65Mbit/s Elapsed: 00:00 Remaining: 00:00
Extracting: base.txz... 
Extracting: lib32.txz... 
Extracting: doc.txz... 

* Updating 11.1-RELEASE to the latest patch level... 
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update4.freebsd.org... done.
Fetching metadata signature for 11.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 42 patches.....10....20....30....40. done.
Applying patches... done.

The following files will be updated as part of updating to 11.1-RELEASE-p6:
.
.
Installing updates... done.
bae6a64c-5fa5-4a13-bb7d-64323014e822 successfully created!

bbl to complain - lol


#6

@beanpole135

After these experiments, I’m beginning to understand what’s goin’ on with the new iocage jail container and plugins :wink:

jls
   JID  IP Address      Hostname                      Path
   2  192.168.0.20    jenkins                       /iocage/jails/jenkins/root
   4  10.1.10.20      ClamAV                        /iocage/jails/ClamAV/root

I tried both remote and local plugin installation: the remote (jenkins) plugin install did not work well, but the local install of the (ClamAV) plugin looks ok. I am using the iocage plugin samples from freenas/iocage-ix-plugins to learn.

Edit: Update

iocage fetch --plugins --name "jenkins" ip4_addr="bge0|10.1.10.25" 
Plugin: jenkins
  Using RELEASE: 11.1-RELEASE
  Post-install Artifact: https://github.com/freenas/iocage-plugin-jenkins.git
  These pkgs will be installed:
    - devel/jenkins
    - www/nginx
Fetching artifact... 
Running post_install.sh

Command output:
jenkins_enable:  -> YES
nginx_enable:  -> YES
Starting jenkins.
Performing sanity check on nginx configuration:
Starting nginx.



jls
   JID  IP Address      Hostname                      Path
     4  10.1.10.20      ClamAV                        /iocage/jails/ClamAV/root
     6  10.1.10.25      jenkins                       /iocage/jails/jenkins/root

Both local and remote install of plugins work like a charm - amazing!

In my first try of the remote installation of the jenkins plugin, I used the wrong LAN/IP segment for the plugin on this system, which lives in the class C 10.1.10.0 net, not in 192.168.0.0 :blush:

End Edit

I’ve been away from iocage for a few months, playing with the olden warden and iocell, fighting UNSTABLE(S), the radeon driver and a few other TrueOS demons, so I missed all the new tech of iocage.

Time to play and learn more!

Thank you for the heads-up. Keep up the good work. I’m awaiting the openrc-1.0 and Lumina-2.0 :stuck_out_tongue_winking_eye:

All the best!
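The addressing mistake described in this post (a jail brought up on 192.168.0.x while the host serves 10.1.10.0/24) is easy to catch before and after `iocage fetch --plugins`. The script below is an added example, not code from the thread or from iocage: it parses the `ip4_addr="iface|address"` form used above and a `jls` listing, and flags any jail outside the allowed subnets. The allowed net (10.1.10.0/24) and the `jls` sample are constructed from the post.

```python
import ipaddress

# Subnet the host is expected to serve. Assumption taken from the post:
# the jail host lives in the 10.1.10.0/24 net.
ALLOWED_NETS = [ipaddress.ip_network("10.1.10.0/24")]

# Constructed sample modelled on the `jls` listing quoted in the post,
# before the jenkins jail was re-addressed.
JLS_OUTPUT = """\
   JID  IP Address      Hostname                      Path
   2  192.168.0.20    jenkins                       /iocage/jails/jenkins/root
   4  10.1.10.20      ClamAV                        /iocage/jails/ClamAV/root
"""

def parse_ip4_addr(spec):
    """Split an iocage ip4_addr value such as 'bge0|10.1.10.25' (optionally
    with a /prefix) into (interface, IPv4Address)."""
    iface, sep, addr = spec.partition("|")
    if not sep or not iface or not addr:
        raise ValueError("expected 'iface|address[/prefix]', got %r" % spec)
    return iface, ipaddress.ip_address(addr.split("/")[0])

def in_allowed_net(addr, nets=ALLOWED_NETS):
    """True when addr falls inside at least one allowed subnet."""
    return any(addr in net for net in nets)

def check_ip4_addr(spec, nets=ALLOWED_NETS):
    """Pre-flight check for the ip4_addr passed to `iocage fetch --plugins`."""
    _, addr = parse_ip4_addr(spec)
    return in_allowed_net(addr, nets)

def parse_jls(text):
    """Yield (jid, address, hostname, path) tuples from `jls` output."""
    for line in text.splitlines()[1:]:      # first line is the header
        parts = line.split()
        if len(parts) < 4:
            continue                        # blank or malformed line
        jid, addr, hostname, path = parts[:4]
        yield int(jid), ipaddress.ip_address(addr), hostname, path

def misplaced_jails(text, nets=ALLOWED_NETS):
    """Hostnames of running jails whose address is outside every allowed net."""
    return [host for _, addr, host, _ in parse_jls(text)
            if not in_allowed_net(addr, nets)]

if __name__ == "__main__":
    for host in misplaced_jails(JLS_OUTPUT):
        print("jail %s is addressed outside the host's subnet(s)" % host)
```

On a live host, feed it the real output of `jls` instead of the constructed sample.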


#7

You might also have a look at the vmadm port from Project FiFo. It resembles the vmadm tool on SmartOS and creates nested VNET jails for full separation and networking capabilities of the jails.
It’s not yet production-ready, but I played with it a few weeks ago and, apart from some network configuration issues I had, it looks really promising.

As on SmartOS, jails are defined in a JSON manifest and fed to vmadm create. You could write the manifest by hand, but it’s more convenient to use some form of automation (e.g. ansible or chef) and generate them from templates. With a carefully written template (and e.g. ansible playbook/roles) you can easily deploy services either in jails or zones from the same set of configuration/scripts.

For quick deployments, there are already some images for vmadm jails available, and as with zones it is quite easy to create custom images (these are managed by imgadm).

I haven’t looked at the plugins option of iocage (still running the 0.9.9.2 version from pkg on our FreeBSD hosts), but I think I will give it a try on one of my TrueOS machines.


#8

Thanks for all the work on the OpenRC scripts for iocage, xrdp and xrdp-sesman \o/

OpenRC for iocage works very well. Though, I had to fix /usr/local/etc/init.d/xrdp and xrdp-sesman to make them work as they should with OpenRC.

My versions of xrdp and xrdp-sesman that work:

less /usr/local/etc/init.d/xrdp

#!/sbin/openrc-run

name="xrdp"
command="/usr/local/sbin/${name}"
pidfile="/var/run/${name}.pid"
# xrdp daemonizes on its own; passing --nodaemon broke the OpenRC start.
# command_args="--nodaemon"

# Generate the RSA key file only when it is missing. Running xrdp-keygen
# on every start would replace the key that RDP clients have already seen.
start_pre() {
    if [ ! -f /usr/local/etc/xrdp/rsakeys.ini ]; then
        /usr/local/bin/xrdp-keygen xrdp /usr/local/etc/xrdp/rsakeys.ini
    fi
}

depend() {
    after net-online
}

less /usr/local/etc/init.d/xrdp-sesman

#!/sbin/openrc-run

name="xrdp-sesman"
command="/usr/local/sbin/${name}"
pidfile="/var/run/${name}.pid"
# sesman daemonizes on its own; passing --nodaemon broke the OpenRC start.
# command_args="--nodaemon"

Edit:
In both cases, the command_args="--nodaemon" line was causing issues when starting the services with OpenRC. I just commented out those entries, as above.

At boot all start up:
=================

rc-status | grep iocage

iocage [ started ]

rc-status | grep xrdp

xrdp [ started ]
xrdp-sesman [ started ]