From 580a224240db293c594babf0df1bb278113bc528 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Sun, 23 Nov 2014 20:29:00 -0600
Subject: [PATCH 1/8] Set ezjail config

---
 roles/jail/templates/ezjail.conf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 roles/jail/templates/ezjail.conf

diff --git a/roles/jail/templates/ezjail.conf b/roles/jail/templates/ezjail.conf
new file mode 100644
index 0000000..0d31dbf
--- /dev/null
+++ b/roles/jail/templates/ezjail.conf
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+ezjail_jaildir=/usr/local/jail
+ezjail_jailtemplate=${ezjail_jaildir}/newjail
+ezjail_jailbase=${ezjail_jaildir}/base
+ezjail_sourcetree=/usr/src
+ezjail_ftphost=freebsd.isc.org
+ezjail_default_execute="/usr/bin/login -f root"
+ezjail_default_flavour="base"
+ezjail_archivedir=/usr/local/jail/archived
+
+# ezjail_uglyperlhack="YES"
+ezjail_mount_enable="NO"
+ezjail_devfs_enable="YES"
+ezjail_devfs_ruleset="devfsrules_jail"
+ezjail_procfs_enable="NO"
+ezjail_fdescfs_enable="NO"

From 19378d813f932fb98e294ec329d9ecfdedf1ea23 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Sun, 23 Nov 2014 14:25:22 -0600
Subject: [PATCH 2/8] Copy config

---
 roles/jail/tasks/main.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 roles/jail/tasks/main.yml

diff --git a/roles/jail/tasks/main.yml b/roles/jail/tasks/main.yml
new file mode 100644
index 0000000..02ca053
--- /dev/null
+++ b/roles/jail/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: ezjail config
+ template:
+ src: ezjail.conf
+ dest: /usr/local/etc/ezjail.conf

From cf04dfc7064741ab40e993ea30e6c58e229e3074 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Mon, 24 Nov 2014 20:14:48 -0600
Subject: [PATCH 3/8] Install FreeBSD root, with ports, for the base jail

---
 roles/jail/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/jail/tasks/main.yml b/roles/jail/tasks/main.yml
index 02ca053..f2123c6 100644
--- a/roles/jail/tasks/main.yml
+++ b/roles/jail/tasks/main.yml
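Review bot: `ezjail_ftphost=freebsd.isc.org` makes the base system of every jail come from a third-party mirror, and as far as I can tell `ezjail-admin install` does not verify a signature or checksum on the sets it fetches, so that mirror's integrity is the only control over what ends up in the basejail. Prefer the project's own distribution host (`ezjail_ftphost=ftp.freebsd.org`), or pre-fetch the sets and verify them against the release checksums before the install task runs, and record that decision in a comment in the template. Minor: `ezjail_archivedir=/usr/local/jail/archived` repeats the jail root literally instead of writing `ezjail_archivedir=${ezjail_jaildir}/archived` as the two jailtemplate/jailbase lines above it do.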
@@ -3,3 +3,9 @@
 template:
 src: ezjail.conf
 dest: /usr/local/etc/ezjail.conf
+
+# Step 1, populate the base jail. This only needs to be done once.
+- name: Populate basejail
+ command: ezjail-admin install -p
+ args:
+ creates: /usr/local/jail/base

From 201757863738ab0b834032746e93f57000333ad1 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Mon, 24 Nov 2014 22:07:50 -0600
Subject: [PATCH 4/8] Add base flavour config

The jails will be configured via Ansible so minimal configuration needs to happen from the flavour.
---
 roles/jail/files/flavours/base/etc/make.conf | 8 ++++++++
 roles/jail/files/flavours/base/etc/periodic.conf | 8 ++++++++
 roles/jail/files/flavours/base/etc/rc.conf | 9 +++++++++
 roles/jail/files/flavours/base/ezjail.flavour | 7 +++++++
 4 files changed, 32 insertions(+)
 create mode 100644 roles/jail/files/flavours/base/etc/make.conf
 create mode 100644 roles/jail/files/flavours/base/etc/periodic.conf
 create mode 100644 roles/jail/files/flavours/base/etc/rc.conf
 create mode 100644 roles/jail/files/flavours/base/ezjail.flavour

diff --git a/roles/jail/files/flavours/base/etc/make.conf b/roles/jail/files/flavours/base/etc/make.conf
new file mode 100644
index 0000000..b78dc9b
--- /dev/null
+++ b/roles/jail/files/flavours/base/etc/make.conf
@@ -0,0 +1,8 @@
+WRKDIRPREFIX=/var/ports
+DISTDIR=/var/ports/distfiles
+PACKAGES=/var/ports/packages
+INDEXDIR=/var/ports
+
+NO_DOCS=yes
+NOPORTDOCS=yes
+NOPORTEXAMPLES=yes
diff --git a/roles/jail/files/flavours/base/etc/periodic.conf b/roles/jail/files/flavours/base/etc/periodic.conf
new file mode 100644
index 0000000..2e0d63c
--- /dev/null
+++ b/roles/jail/files/flavours/base/etc/periodic.conf
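Review bot: `creates: /usr/local/jail/base` only tests that the directory exists, so if `ezjail-admin install -p` fails after the basejail directory has been created (a dropped FTP connection mid-fetch, for example) the task is skipped on every later run and the host keeps an incomplete basejail; whether ezjail creates the directory before the fetch completes is inferred rather than visible here, but registering the result and pointing `creates` at something written late in the install would make a half-finished install visible. The path also duplicates `ezjail_jaildir` from the template, as do the `creates` and flavour paths added to this file in patches 5 and 6; one role variable (say `jail_root`) used by the template and all of these tasks would keep them from drifting apart. Nothing visible in the role installs the ezjail package before this command runs; if that is done elsewhere, a comment naming the dependency here would help.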
@@ -0,0 +1,8 @@
+daily_output="/var/log/daily.log"
+weekly_output="/var/log/weekly.log"
+monthly_output="/var/log/monthly.log"
+daily_status_security_output="/var/log/daily_status_security.log"
+daily_status_network_enable="NO"
+daily_status_security_ipfwlimit_enable="NO"
+daily_status_security_ipfwdenied_enable="NO"
+weekly_whatis_enable="NO" # our jails are read-only /usr
diff --git a/roles/jail/files/flavours/base/etc/rc.conf b/roles/jail/files/flavours/base/etc/rc.conf
new file mode 100644
index 0000000..e068b92
--- /dev/null
+++ b/roles/jail/files/flavours/base/etc/rc.conf
@@ -0,0 +1,9 @@
+network_interfaces=""
+rpcbind_enable="NO"
+cron_flags="$cron_flags -J 15"
+syslogd_flags="-ss"
+sendmail_enable="NO"
+sendmail_submit_enable="NO"
+sendmail_outbound_enable="NO"
+sendmail_msp_queue_enable="NO"
+sshd_enable="NO"
diff --git a/roles/jail/files/flavours/base/ezjail.flavour b/roles/jail/files/flavours/base/ezjail.flavour
new file mode 100644
index 0000000..5a246e4
--- /dev/null
+++ b/roles/jail/files/flavours/base/ezjail.flavour
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# BEFORE: DAEMON
+#
+# ezjail flavour base
+
+# Everything is configured via Ansible.

From 09a7a495f1d86b40a6bc11253dd121555ed1bedf Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Tue, 25 Nov 2014 21:26:11 -0600
Subject: [PATCH 5/8] Create config and jail

---
 roles/jail/tasks/main.yml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/roles/jail/tasks/main.yml b/roles/jail/tasks/main.yml
index f2123c6..98faa94 100644
--- a/roles/jail/tasks/main.yml
+++ b/roles/jail/tasks/main.yml
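Review bot: `daily_status_security_output="/var/log/daily_status_security.log"` sends each jail's daily security report to a file inside the jail, and the rc.conf in the same commit disables sendmail and runs syslogd with `syslogd_flags="-ss"`, so neither the security report nor the jail's syslog messages ever leave the jail on their own. That is a sensible hardening choice for the jail itself, but the reports go unread unless host-side log collection picks up `/usr/local/jail/<jail name>/var/log`; a comment above the output lines stating where they are expected to be collected from, and one on `syslogd_flags="-ss"` noting that it also rules out forwarding to a remote loghost, would record that intent. The same goes for `daily_status_security_ipfwdenied_enable="NO"`: if the jails run no packet filter, say so in a comment so the next reader does not take the disabled check for an accident.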
@@ -4,8 +4,29 @@
 src: ezjail.conf
 dest: /usr/local/etc/ezjail.conf
 
-# Step 1, populate the base jail. This only needs to be done once.
 - name: Populate basejail
 command: ezjail-admin install -p
 args:
 creates: /usr/local/jail/base
+
+- name: Create base flavour directories
+ file:
+ path: '/usr/local/jail/flavours/base/{{ item }}'
+ state: directory
+ with_items:
+ - etc
+
+- name: Set base flavour config
+ copy:
+ dest: '/usr/local/jail/flavours/{{ item }}'
+ src: 'flavours/{{ item }}'
+ with_items:
+ - base/ezjail.flavour
+ - base/etc/make.conf
+ - base/etc/periodic.conf
+ - base/etc/rc.conf
+
+- name: Install jail
+ command: ezjail-admin create -f base {{ name }} {{ ip_address|join(',') }}
+ args:
+ creates: '/usr/local/jail/{{ name }}'

From f3c423724d8267475da6333e7998ecd199fc90f6 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Tue, 25 Nov 2014 21:48:40 -0600
Subject: [PATCH 6/8] Enable jails in /etc/rc.conf

---
 roles/jail/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/jail/tasks/main.yml b/roles/jail/tasks/main.yml
index 98faa94..20b32a5 100644
--- a/roles/jail/tasks/main.yml
+++ b/roles/jail/tasks/main.yml
@@ -30,3 +30,9 @@
 command: ezjail-admin create -f base {{ name }} {{ ip_address|join(',') }}
 args:
 creates: '/usr/local/jail/{{ name }}'
+
+- name: Enable jails
+ lineinfile:
+ dest: /etc/rc.conf
+ line: 'jail_enable="YES"'
+ state: present

From 79ae8dc36810b58c03b46f857b7c3486549efd36 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Tue, 25 Nov 2014 22:01:37 -0600
Subject: [PATCH 7/8] Use OPTIONS option in make.conf for FreeBSD 10

---
 roles/jail/files/flavours/base/etc/make.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/roles/jail/files/flavours/base/etc/make.conf b/roles/jail/files/flavours/base/etc/make.conf
index b78dc9b..869b261 100644
--- a/roles/jail/files/flavours/base/etc/make.conf
+++ b/roles/jail/files/flavours/base/etc/make.conf
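Review bot: `command: ezjail-admin create -f base {{ name }} {{ ip_address|join(',') }}` interpolates two caller-supplied variables unquoted into the argument string; `command` does not go through a shell, but Ansible still splits the rendered string on whitespace, so a jail name or interface spec containing a space changes the argument list that reaches ezjail-admin. Quoting each value (`{{ name | quote }}`, `{{ ip_address | join(',') | quote }}`) keeps one variable per argument; the `quote` filter is present in recent Ansible releases, which I cannot confirm for the version this role targets. `name` is also a very generic name for a role parameter — later Ansible releases treat `name` as a role keyword in a roles list, which the demo playbook in patch 8 passes it through — so something like `jail_name` would be safer; that is inferred from later Ansible behaviour rather than visible here. The `copy` task sets no `mode`, so `ezjail.flavour` lands with whatever the umask gives; if ezjail expects the flavour script to be executable, add `mode: '0755'` for that item.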
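Review bot: `lineinfile` with `line: 'jail_enable="YES"'` and no `regexp` appends the line rather than replacing an existing `jail_enable` setting, so a host whose /etc/rc.conf already carries `jail_enable="NO"` ends up with both assignments and sh's last-assignment-wins rule decides which one is in effect. Add `regexp: '^jail_enable='` so the existing assignment is rewritten in place. The task also sits in the same file as the per-jail 'Install jail' task and therefore runs once per role invocation; that is harmless once `regexp` is set, but a comment saying it is a host-level setting rather than a per-jail one would help the next reader.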
@@ -3,6 +3,4 @@ DISTDIR=/var/ports/distfiles
 PACKAGES=/var/ports/packages
 INDEXDIR=/var/ports
 
-NO_DOCS=yes
-NOPORTDOCS=yes
-NOPORTEXAMPLES=yes
+OPTIONS_UNSET=DOCS EXAMPLES

From 1b10510f464ba0f70c7a565aaf21143ccda8148a Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Wed, 26 Nov 2014 20:23:03 -0600
Subject: [PATCH 8/8] Add a demo playbook that uses jail role

---
 jail.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 jail.yml

diff --git a/jail.yml b/jail.yml
new file mode 100644
index 0000000..f7214fa
--- /dev/null
+++ b/jail.yml
@@ -0,0 +1,7 @@
+---
+- name: Jail test
+ hosts: servicehosts
+ roles:
+ - { role: jail, name: jailtest.buildbot.net, ip_address: ['vtnet0|192.168.122.16'] }
+
+# vim:ft=yaml:nosi:noai:ts=2:sw=2
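Review bot: The role invocation `- { role: jail, name: jailtest.buildbot.net, ip_address: ['vtnet0|192.168.122.16'] }` packs three keys into one flow mapping on a long line; block style keeps each parameter on its own line and diffs cleanly when more jails or parameters are added. Written out it is `- role: jail`, `  name: jailtest.buildbot.net`, `  ip_address: ['vtnet0|192.168.122.16']`, with the short single-element list left in flow form. A comment above the roles list explaining the `interface|address` form expected in `ip_address` would also help, since nothing else in the series documents it.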