Role to manage creation of basic jails on freebsd.
I try to keep this as simple as possible. Therefore I try to not use any feature or tool which is not part of the base system.
Most of the variables are used from the guest's variables.
Only a few comes from the host. Which comes from the host, must be a dict within the variable name jail.
The mandatory variables within the jail is:
root: the definition of the rootchild_group: the child's groupnameuser: user name to be created within the jailsssh_key: ssh public-key installed into the user's authorized_keys.
Within the root the following two keys must be defined:
dataset: The dataset name which will contain all of your jails. Eg.zroot/jailsmountpoint: Where your dataset should be mounted. Eg./jails
child_group must contain that ansible inventory group name which have the all the jails on this host
eg. write this into the host_variables (host_vars/beastie.yaml) :
jail:
root:
dataset: zroot/jails
mountpoint: /jails
child_group: beastie_jails
user: ansible
ssh_key: ssh-rsa AAA...=
Configuration of the jails themselves are imported from the hostvars of the given jail.
Specifically, you must create a variable called jail and every jail related setting is below this dict.
Though the jail role goes through every singe host in the above defined group within your inventory, there is a way to add a dobule-check step:
If the jail configuration has a parent key defined, and the value of the given key is different from the parent hosts's hostname, than that jail will be skipped in processing.
Possible variables for the jails:
parent: Whichansible_hostis the host of this jail. default: the host we are running steps on.vnet: A string or list of bridge names which will it add an epair interface toinet: network configuration line (or lines) of the interfaces of the epair interfaces. This goes right away to the jail's rc.conf into the respective line or lines. N.B. If an array of interfaces are defined, than vnet[0]'s inet config within the jail is inet[0], and so on...defaultrouter: defaultrouter of the jailns_search: This string will be appeneded after thesearchkeyword in the guest's resolv.confns_server: ip, or list of ips of nameservers for the jail.mounts: list of mount points. A list element is either a simple directory name. In this case the directory must be the same on the host and within the jail. Or a list of two elements: the directory name on the host, and the directory name, how you can see it within the jail. Prefix of the jail's root must be omited.custom: custom jail configurations can be added here, eg. enabling sysv ipc.os: Can beFreeBSDorDevuanso far. If not defined, the default isFreeBSDosver: In case you want to install a devuan into a jail, the release name of the distro. NB.: I've only tested this with ascii just yet.
There is one important configuration item in the jails' hostconfig: the ansible_user. With this you can override the username from the host's configuration on a per-jail basis.
example jail's host vars (e.g.: host_vars/beelzebub.yaml) :
jail:
parent: beastie
vnet:
- vm-foo
- vm-bar
inet:
- [ 'inet 10.0.0.2 netmask 255.255.255.0', 'inet vhid 10 pass SecreT123 advskew 8 alias 10.0.0.1/24']
- inet 10.0.1.1 netmask 255.255.255.0
- ifname: epair1b
ifconf: 'inet 10.0.2.2 netmask 255.255.255.0'
- ifname: epair1b_alias0
ifconf: 'inet vhid 10 pass SecreT123 advskew 8 alias 10.0.2.1/24'
defaultrouter: 10.0.0.254
ns_search: srv.intra dmz.intra
ns_server:
- 10.0.0.254
- 10.0.1.254
mounts:
- [/srv/beelzebub, /srv]
custom:
enforce_statfs: 1
sysvshm: new
sysvmsg: new
sysvsem: new
ansible_user: pasztor
alternatively, when if you want to manage the interface addition and removeal manually in the prestart and poststop scripts
jail:
parent: beastie
inet:
- ifname: epair1b
ifconf: 'inet 10.0.2.2 netmask 255.255.255.0'
- ifname: epair1b_alias0
ifconf: 'inet vhid 10 pass SecreT123 advskew 8 alias 10.0.2.1/24'
defaultrouter: 10.0.2.254
ns_search: srv.intra dmz.intra
ns_server:
- 10.0.2.254
mounts:
- [/srv/beelzebub, /srv]
custom:
enforce_statfs: 1
sysvshm: new
sysvmsg: new
sysvsem: new
exec.prestart:
- 'ifconfig vm-dmz addm epair1a'
exec.poststop:
- 'ifconfig vm-dmz deletem epair1a'
vnet.interface: 'epair1b'
ansible_user: pasztor
Example devuan host host_vars file:
jail:
parent: beastie
os: Devuan
quota: 5G
vnet:
- vm-srv
inet:
- 10.1.1.11 netmask 255.255.255.0
defaultrouter: 10.1.1.1
ns_search: srv.intra dmz.intra intra
ns_server:
- 10.1.1.1
- 10.1.0.1
As you can see from the example, it uses the bridge preconfigured by vm-bhyve.
example inventory file:
[jailhosts]
beastie
[beastie_jails]
beelzebub
devuan
Rest of the tasks don't have any tags. Though at certain points for debug reasons a few variables can be displayed if you allow the debug tags to run too.
If you only provide the --tags debug to ansible-playbook, than no task will run. In order to run the usual steps and the debug tags, you should use the --tags all,debug parameters to allow these debug steps to run.
This role doesn't depend on any other role, installed function or anything. It only uses tools coming with the base system.
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: jailhosts
roles:
- pasztor.jail
BSD
source url: https://github.com/pasztor/jail Most of the idea and hints are coming from this tutorial:
- https://eoli3n.eu.org/2021/06/08/jails-part-1.html
- https://eoli3n.eu.org/2021/06/09/jails-part-2.html
- https://eoli3n.eu.org/2021/06/14/jails-part-3.html
Ideas for devuan installation is coming from here: https://forums.freebsd.org/threads/setting-up-a-debian-linux-jail-on-freebsd.68434/