Which type of jail for production use cases?

The concept of 'ephemeral data' is an axiom. *thumbs up*.

I too agree with the concept of 'easier to recreate than fix'. *thumbs up*

I keep my jail configs in directories instead of using:
<program> -s up -w down -i left -t right -c 098 -h 123

I prefer to have my "wants" kept in a key/value type config file for each jail instead of calling a <program> with specific -s -w -i -t -c -h flags, which may or may not change depending on future requirements/needs. Not to mention, having configuration records ('wants') separate from the actual implementation allows me to remember what was and wasn't set in each jail.

name=up
key=down
ip=123
foo=bar

The <program> should read that config file and be expected to do what's necessary. This is called Separation of Concerns (SoC), i.e., why you typically create a library in programming. If the "how" of creating a jail changes, I shouldn't have to change all my 'wants' to account for that. My configurations list what I 'want' in my jails, not 'how', because the 'want' is irrelevant to the 'how'. You do not write a function to "calculate GCD" for every program you write.

I create thick jails, but I want to dive into trying out thin when I find time.

Upon a new release.
1. I download the latest userland.
2. Create a "base userland", i.e., add in all the stuff I want in all jails like: dot.nexrc, dot.cshrc, sshd_config, whatever, etc.
3. Zip that up.
4. (re)create my jails from that 'base userland'.
 
4. (re)create my jails from that 'base userland'.
Another great idea. If we will be making thick jails, why not start at a base template with everything we will need and zip it. Make things reusable

Which jail manager do you use to read your key-value config files? Or did you create a script yourself?
 
Which jail manager do you use to read your key-value config files? Or did you create a script yourself?
I created myself a tool to keep my jail configurations in key/value files. Currently, my tool reads the key/values and builds a jail using the handbook method but it can be a wrapper for almost any "jail manager" (my tool isn't about being a jail manager but as it stands there are zero dependencies to try it).

The examples I gave are a bit more complicated than you'd actually need in real life but they are for demonstration purposes (my actual configs I use are not as complicated as those) and should work with little configuration and/or give you something to build a test upon. Also, the git example is an emulation of my git server and may or may not make total sense.

NOTE:
1. I built my key/value to emulate the UCL config language jail.conf uses.
2. If you want to test my scripts, clone the repo and do a "doas make install". A man page will be installed so you can "man jcreate". A "doas make uninstall" will remove the tool.
3. If you do actually test my script, let me know if it works for you.


To create a custom userland I do something like the following (replace with default commands/methods):
Code:
# jcreate /path/to/templates/base/base.conf
# doas service jail start base
# doas jexec base
... configure 'base' jail ...
# doas service jail stop base
# cd /usr/local/jails/media
# doas chflags -R 0 /usr/local/jails/containers/base
# doas tar -cJf userland.txz -C /usr/local/jails/containers/base/ .
# jdestroy base
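The two ideas in this thread, a per-jail key/value "wants" file that a tool turns into the "how" (the handbook-style jail.conf stanza), and (re)creating thick jails from a prepared base userland tarball, as one added example. This is not the poster's jcreate tool and not code from the thread; the key names (name, ip, interface, path, hostname), the default directories, and the assumption that rc.d/jail reads /etc/jail.conf.d/*.conf (FreeBSD 13.1 and later) are all assumptions made here.

```shell
#!/bin/sh
# Added example, not the poster's jcreate tool: a minimal "wants" reader that
# turns a key=value file into a jail.conf(5) stanza and populates the jail
# root from a userland tarball. Key names (name, ip, interface, path,
# hostname) and the directory defaults below are assumptions.
set -eu

: "${JAIL_ROOT:=/usr/local/jails/containers}"   # jail roots (path used in the thread)
: "${JAIL_CONF_DIR:=/etc/jail.conf.d}"           # read by rc.d/jail on FreeBSD 13.1+ (assumption)

# want FILE KEY [DEFAULT]: print the value for KEY in FILE, or DEFAULT.
# Blank lines and '#' comments are ignored, whitespace around key and value
# is dropped, and the value keeps everything after the first '='.
want() {
    awk -F= -v k="$2" -v d="${3-}" '
        /^[ \t]*(#|$)/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k {
            sub(/^[^=]*=[ \t]*/, "")   # strip the "key =" prefix
            sub(/[ \t]*$/, "")         # strip trailing blanks
            print; found = 1; exit
        }
        END { if (!found) print d }
    ' "$1"
}

# render_jail_conf FILE: emit a jail.conf(5) stanza from the wants in FILE.
# The "how" (handbook-style exec.start/exec.stop, devfs) lives only here, so
# changing it never touches the per-jail wants files.
render_jail_conf() {
    cfg=$1
    name=$(want "$cfg" name)
    [ -n "$name" ] || { echo "render_jail_conf: 'name' is required in $cfg" >&2; return 1; }
    ip=$(want "$cfg" ip)
    iface=$(want "$cfg" interface)
    root=$(want "$cfg" path "$JAIL_ROOT/$name")
    host=$(want "$cfg" hostname "$name")

    if [ -n "$ip" ]; then
        if [ -n "$iface" ]; then addr="$iface|$ip"; else addr="$ip"; fi
        ipline="    ip4.addr = \"$addr\";"
    else
        ipline="    # no 'ip' want: jail(8) defaults apply"
    fi

    cat <<EOF
$name {
    path = "$root";
    host.hostname = "$host";
$ipline
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
}
EOF
}

# create_from_template FILE USERLAND_TXZ: unpack the prepared base userland
# (the userland.txz built above) into the jail root and write the stanza.
# Run as root on the FreeBSD host, then: service jail start <name>.
create_from_template() {
    cfg=$1; userland=$2
    name=$(want "$cfg" name)
    root=$(want "$cfg" path "$JAIL_ROOT/$name")
    mkdir -p "$root" "$JAIL_CONF_DIR"
    tar -xf "$userland" -C "$root"
    render_jail_conf "$cfg" > "$JAIL_CONF_DIR/$name.conf"
}
```

With a wants file containing `name=web` and `ip=10.0.0.5`, `render_jail_conf web.conf` prints the stanza and `create_from_template web.conf /usr/local/jails/media/userland.txz` lays down the root and writes /etc/jail.conf.d/web.conf; nothing in the wants file has to change if the stanza template later gains, say, a different exec.start. Note that the tarball is extracted as-is: if schg flags were cleared on the base before tarring (as in the chflags step above), they stay cleared in every jail built from it, so reapply any flags you rely on after extraction.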
 