jails What about creating a jail automatically when installing a package?

[Freedom]

While discovering FreeBSD, jails & related management tools (ezjail, bastille, pot, etc) there is something I can't figure out:
Why not give pkg the ability to actually create the jail that will contain the packages we install? something like pkg -cj webserverjail install nginx nginx-prometheus-exporter

I am aware there are many types of jails (thin, thick, etc.) but it wouldn't be too complicated to define this in /etc/jail.conf so pkg would know how to create the jail. And the jail could always be customized to a certain extend afterward.

My intuition is we would simplify 80% of the use cases for jails as I guess most people just want to contain & run an application/service.

I am also guessing a lot of Linux distros are gonna do that in a much less elegant way by packaging the Docker container in their package manager, especially for immutable & container oriented OS like Fedora CoreOS & Suse MicroOS.
If FreeBSD had that relatively simple feature it would make even more obvious it's superiority in terms of os-level virtualization.

Instead it seems management tools like sysutils/bastille follow the path of Docker with a templating system or Dockerfile type language https://bastille.readthedocs.io/en/latest/chapters/template.html which is IMHO just an ugly thing on top of the OS package manager.

What am I missing here?

 

[DtxdF]

Installing a package inside a jail is only part of the pie. When you install a package, you have to worry about enabling it (if it's an rc script) and configuring it (if necessary). Those are a few layers to abstract, since you first have to download the necessary FreeBSD components (base.txz, lib32.txz, etc.), unpack them, and decide what kind of network configuration to choose. I'm considering only a few applications, like NGINX, MariaDB and so on, but what about GUI applications? Another problem to worry about. Another problem may be the kernel modules. Implementing such a feature can be problematic instead of using helpers like the ones you described, with predefined instructions.

Of course, it is not impossible, but maybe those instructions are better realized as a pkg(8) plugin.

 

[Freedom]

Thanks !

I wasn't aware of pkg plugins and apparently it can be used to take pre-installation actions (eg https://github.com/freebsd/pkg-plugins/tree/master/zfssnap#general-information) what is want I wanted to do: setup the target jail if it doesn't exist yet.

When you install a package, you have to worry about enabling it (if it's an rc script) and configuring it (if necessary).

but this is the case if you install on the host or in preexisting jail anyway...

but what about GUI applications?

Yes I haven't used a FreeBSD graphical environment but I guess it adds layers of complexity.

I also realised that I assumed jail types (https://docs.freebsd.org/en/books/handbook/jails/#jail-types) were a defined standard but in fact it is probably just examples of possible setups given in the handbook.
So I believe I understand the flaw in my initial reasoning: FreeBSD provides the base jail mechanisms, the jail management tools provide the ways jail I created.
So what I want to do belong in a jail management tool, not in pkg

 

[DtxdF]

Yeah, it's not a bad idea, it's just that the problem is implementing it: the basic idea is to create a jail to install a package, but you will realize that you are creating a new jail management tool when you think about all the things you need to implement.

but this is the case if you install on the host or in preexisting jail anyway...

It depends on the software you are installing. Software that may work just by running it is firefox, pipe-viewer, neovim, etc.

Yes I haven't used a FreeBSD graphical environment but I guess it adds layers of complexity.

Yes, a little bit, or at least there is no single way to run a graphical application: you can use XRDP, VNC, xhost+nullfs(/tmp/.X11-unix), X11 Forwarding via SSH, etc.

---

I recently added to AppJail what you describe: create a jail and install a package with a single command.

appjail quick micro pkg=micro start virtualnet=":<random> default" nat

You can specify `pkg` multiple times, but I think Makejails or Bastille Templates are a better approach when you need to recreate an environment many times.

Note: At the moment, this feature can only be used in the bleeding-edge version of AppJail, but will be updated to sysutils/appjail and sysutils/appjail-devel as soon as possible.

 

[Freedom]

appjail quick micro pkg=micro start virtualnet=":<random> default" nat

I haven't tried any jail management tools but I will definitely AppJail & that feature first.

Many thanks for your explanations !

 

[SirDice]

So I believe I understand the flaw in my initial reasoning: FreeBSD provides the base jail mechanisms, the jail management tools provide the ways jail I created.

Well, the only flaw I see is missing the Unix philosophy. Simply put, don't cram all that functionality into one, single tool.

So what I want to do belong in a jail management tool, not in pkg

Yes, that's the idea. A jail management tool should focus on managing jails, a package tool focuses on manages packages.

As mentioned pkg(8) does have a plugin system. You could leverage this, not to manage jails directly, but to hand off the creation/management of the jails to a tool like bastille.

 

[mer]

Simply put, don't cram all that functionality into one, single tool.

Heh. Systemd.



Original UNIX (tm) design: a tool does one thing only, accepts stdin and pushes to stdout. Problem is too many things (tools) have "evolved".

 

[SirDice]

Do I need to wash that mouth with soap? Careful now ?

 

[mer]

Do I need to wash that mouth with soap? Careful now ?

"Sorry Dad. I'll use protection from now on"

 

[Deleted member 43773]

Problem is too many things (tools) have "evolved".

Agree.

Too many believe having an aicraft-carrier to catch a mouse was a good idea.
Being blinded by a buttload of fancy features and the may-be-sometimes-possibilities they never use
they simply oversee to make an aircraft-carrier catch a mouse takes way more effort than to tinker with wire, wood, and brain.
Wire and wood are not cool.
But being cool was not the target.
Catch a mouse was.

 

[forquare]

I did something like this for my undergrad dissertation a little over a decade ago. My idea was for desktops, applications would get sandboxed (or as I described it: placed in a "virtual application environment"), I used OpenSolaris (I had completed a year experience in industry at Sun, so *Solaris was very familiar to me at the time) and basically each thing that the OpenSolaris pkg command installed would get put into a Zone, in the Global Zone a script would be placed to X forward the application, along with setting up NIS to make sure users were synced across multiple Zones.
It didn't all work, and looking at the code I create now I'm equal parts in awe that I managed to do it and cringe at how bad my scripting was!

I am also guessing a lot of Linux distros are gonna do that in a much less elegant way by packaging the Docker container in their package manager, especially for immutable & container oriented OS like Fedora CoreOS & Suse MicroOS.

I think the closest thing Linux is doing would be snaps and flatpak.