jails How to best automate creation and management of Jails?

I'm learning ansible(1) and bastille(8) to introduce some level of automation to my homelab and to use jails instead of FreeBSD VMs for my services.
At the moment I manually create thick VNET jails with bastille(8) and then set up my services with ansible(1) where each jail is treated as a separate host.
This is not very ideal as each jail runs sshd, needs a user for ansible and needs the ssh keys, sudo/doas and python package installed.

Do you know better workflows and tools to achieve more automation with jails?
I'm open to suggestions. :)
 
bastille has a bunch of commands to run things in specific containers. So, you might be able to call those from a script.

Additionally, many config commands take a `-f` flag to specify the file, or `-r` flag to specify the root to operate on. So you can write a script that does things like:

Code:
sysrc -f /jails/jail1/etc/rc.conf hostname="jail1"
pkg -r /jails/jail1 install -y emacs-nox

I've gotten a lot of mileage out of scripting with those sorts of flags, and so far have not needed to use ansible for defining jails.

Some of it depends on whether you think of a jail as long-running (like a host), or destroyable (like a docker container). I am leaning towards the destroyable side, but with persistent /var/db/ folders as necessary. That way I don't have to run ansible to upgrade, install packages, etc. I just rebuild the jail from scratch.
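The host-side scripting described in the post above, as an added example that is not part of the original post. Because everything runs from the host through `sysrc -f` and `pkg -r`, the jail needs no sshd, management user, keys or python. `JAILS_ROOT`, `DRY_RUN`, the function names and the `sshd_enable="NO"` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): configure a jail from the host with the
# -f / -r flags shown above. All names below are hypothetical.
# Usage: DRY_RUN=0 sh provision.sh jail1 emacs-nox   (file name is hypothetical)
JAILS_ROOT="${JAILS_ROOT:-/jails}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Allow only letters, digits, "_" and "-" (not leading), so a name such as
# "../etc" can never make the script write outside JAILS_ROOT.
valid_jail_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# provision_jail NAME [PKG...]
# Returns 2 for a rejected name, 3 for a missing jail root, 1 if a step fails.
provision_jail() {
    name="$1"
    valid_jail_name "$name" || { echo "invalid jail name: $name" >&2; return 2; }
    shift
    root="$JAILS_ROOT/$name"
    if [ "$DRY_RUN" != 1 ] && [ ! -d "$root/etc" ]; then
        echo "no jail root at $root" >&2
        return 3
    fi
    run sysrc -f "$root/etc/rc.conf" hostname="$name" || return 1
    # Assumption: management happens from the host, so sshd stays off in the jail.
    run sysrc -f "$root/etc/rc.conf" sshd_enable="NO" || return 1
    if [ "$#" -gt 0 ]; then
        run pkg -r "$root" install -y "$@" || return 1
    fi
}

# Run only when arguments are given, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then
    provision_jail "$@"
fi
```

With the default `DRY_RUN=1` the script only prints the commands it would run, which makes it easy to review before pointing it at a real jail root.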
 
Have you already tried creating and managing jails “the hard way”, i.e. only using that which the FreeBSD base system provides? It might be less complex than you might think!

I have been managing my jails that way (following Michael Lucas's book “Absolute FreeBSD”) for some time now and I have to say: While some automation in some minor aspects (e.g. installing basic stuff inside the jail, etc.) would be handy, there is actually very little that needs to be automated for my non-industrial use-case.

Someone else here in the forum once said: The steps of creating a jail are so trivial that there is no framework needed.

So, basically, my answer is just some more elaboration on what W.hâ/t said: Create your own scripts!
 
Just try CBSD, where it may be more comfortable to manage jails and, if you want, bhyve VMs in the same way; you can containerize a VM inside a jail and manage them easily. Look at this project. You can build the management tool by following the tutorial or simply use the package offered by FreeBSD.
CBSD
 
I've gotten a lot of mileage out of scripting with those sorts of flags, and so far have not needed to use ansible for defining jails.
I also don't "need" to use Ansible to create and manage Jails, but it is a way for me to learn Ansible.
Have you already tried creating and managing jails “the hard way”, i.e. only using that which the FreeBSD base system provides? It might be less complex than you might think!
Creating jails with /etc/jail.conf and bsdinstall was the first thing I have tried, and it works very easily.
I have been managing my jails that way (following Michael Lucas's book “Absolute FreeBSD”) for some time now and I have to say: While some automation in some minor aspects (e.g. installing basic stuff inside the jail, etc.) would be handy, there is actually very little that needs to be automated for my non-industrial use-case.
I am also reading "Absolute FreeBSD 3rd edition" and "FreeBSD Mastery: Jails" which are the reason why I want to use Jails instead of FreeBSD VMs.

And again, I know how easy it is to manage Jails by hand, but learning Ansible is a lot easier if I can actually use it, and I don't have a hard time when the time comes that Jails need to be recreated from scratch.

From what I have gathered, it seems that creation and management of Jails would be best done utilizing the onboard tools FreeBSD provides with my Ansible "scripts" (playbooks).
 
I am also interested in running ansible for FreeBSD Jails, but I am also wary that maybe it's a bit overkill. The way I use ansible is not only to create automation, but also documentation of procedures. When I am learning something practically, I test it out using ansible roles.

For now though, I am using just the basic tools that FreeBSD comes with. The only things that would be interesting for me would be to create my personal user, add my ssh key, configure basic services and so forth. Yet for most of that, I could create a thin jail template and clone it.
I am not sure about ansible, but if it is possible for you to have the same owner Id for each jail user you can use sysutils/jailme instead of the ssh stuff.
That tool looks interesting, I might try it out but it seems that the last update was in late 2022 :(
 