Category Archives: Jails

fossil in prison

Since my last post about how I do host fossil I have been asked write about the new setup I do have

The jail content

I have created a minimal jail:

$ find /usr/local/jails/fossil -print
/usr/local/jails/fossil/var
/usr/local/jails/fossil/var/tmp
/usr/local/jails/fossil/libexec
/usr/local/jails/fossil/libexec/ld-elf.so.1
/usr/local/jails/fossil/bin
/usr/local/jails/fossil/bin/sh
/usr/local/jails/fossil/bin/fossil
/usr/local/jails/fossil/lib
/usr/local/jails/fossil/lib/libc.so.7
/usr/local/jails/fossil/lib/libssl.so.7
/usr/local/jails/fossil/lib/libreadline.so.8
/usr/local/jails/fossil/lib/libz.so.6
/usr/local/jails/fossil/lib/libcrypto.so.7
/usr/local/jails/fossil/lib/libncurses.so.8
/usr/local/jails/fossil/lib/libedit.so.7
/usr/local/jails/fossil/data
/usr/local/jails/fossil/dev

/bin/sh is necessary to get the exec.start jail argument to work /var/tmp is necessary to get fossil to open his temporary files (I created it with 1777 credential) /data is a empty directory where the fossil files will be stored

Jail configuration

The configuration file is the following:

fossil {
	path = "/usr/local/jails/fossil";
	host.hostname = "fossil.etoilebsd.net";
	mount.devfs;
	ip4.addr="127.0.0.1";
	exec.start = "/bin/fossil server -P 8084 --localhost --files *.json,*.html,*.js,*.css,*.txt --notfound /index.html /data &";
	exec.system_jail_user = "true";
	exec.jail_user = "www";
	exec.consolelog = "/var/log/jails/fossil.log" ;
}

More about fossil itself

In /data I created an index.html which is an almost empty html with a bit of Javascript.

When loading the javascript will request a list.txt file.

This file contain the list of repositories I want to show publically (one per line).

For each of them the javascript will use the json interface of fossil (meaning your fossil has to be built with json) and gather the name and the description of the repo to print them on the index.

Starting/Stopping the service

2 simple command are necessary to manage the service:

Starting up:

# jail -c fossil

Stopping:

# jail -r fossil

The service is only listening on the localhost, it is up to you to create your reverse proxy, in my case I do use nginx with the following config:

server {
	server_name fossil.etoilebsd.net;
	listen       [::]:443 ssl;
	listen       443 ssl;
	ssl_certificate     ssl/fossil.crt;
	ssl_certificate_key ssl/fossil.key;

	location / {
		client_max_body_size 10M;
		proxy_buffering off;
		proxy_pass http://127.0.0.1:8084/;
		proxy_set_header HTTPS on;
		proxy_set_header   Host             $host;
		proxy_set_header   X-Real-IP        $remote_addr;
		proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
	}
}

Alexander Leidinger

I just updated to a recent -current and tried the new nullfs. Sockets (e.g. the MySQL one) work now with nullfs. No need to have e.g. jails on the same FS and hardlink the socket to not need to use TCP in MySQL (or an IP at all for the jail).

Great work!

Share

FreeBSD: jails, ezjail, pfSense

During the last couple of days I am intensively using ezjail to administer several jails on my machines. They are currently IPv6 only (internet-facing) and are used to build pfsense images to test locally (still setting this up, need to cross compile to i386 from amd64), offer a testjail to a collegue to work together on a Opsview implementation on FreeBSD, whether or not we are going to succeed in that, and I just installed a test environment for my webservices. They are all contained in their own little box, having IPv4 connectivity outgoing through NAT, and native IPv6 connectivity from my “Vendor” on an extra subnet that I obtained.

I like this, so I am probably going to setup some more services here and there to perform some magic for me that might need external access. I will also tie them together with LDAP and the like so that it’s an uniform base. At the moment I do not have additional ideas about moving production services towards jails as well though.

Thanks to FreeBSD this all is damned easy. You should try it, or poke me in case you want to know more! :)

How I setup a Jail-Host

Everyone has his own way of setting up a machine to serve as a host of multiple jails. Here is my way, YMMV.

Initial FreeBSD install

I use several harddisks in a Software–RAID setup. It does not matter much if you set them up with one big partition or with several partitions, feel free to follow your preferences here. My way of partitioning the harddisks is described in a previous post. That post only shows the commands to split the harddisks into two partitions and use ZFS for the rootfs. The commands to initialize the ZFS data partition are not described, but you should be able to figure it out yourself (and you can decide on your own what kind of RAID level you want to use). For this FS I set atime, exec and setuid to off in the ZFS options.

On the ZFS data partition I create a new dataset for the system. For this dataset I set atime, exec and setuid to off in the ZFS options. Inside this dataset I create datasets for /home, /usr/compat, /usr/local, /usr/obj, /usr/ports/, /usr/src, /usr/sup and /var/ports. There are two ways of doing this. One way is to set the ZFS mountpoint. The way I prefer is to set relative symlinks to it, e.g. “cd /usr; ln –s ../data/system/usr_obj obj

En attendant pkgng…

pkgng c'est cool, ça va être tout beau tout ça, mais voila c'est pas encore fini, il y a beaucoup de boulot à prévoir dessus encore pour que ça rentre en production.

En attendant des babasses FreeBSD on en veut toujours en production.

Voici donc comment je gère mes machines FreeBSD en full binaires.

La machine de build

Tout d'abord il vous faut une machine de build. (Je n'aime pas prendre les packages officiels, parce que je veux des versions plus récentes ou des set d'options différents, parce que avoir un mirroir avec 22000 packages ça ne me sert à rien sinon bouffer de l'espace disque.)

Faire les packages à la main n'est pas non plus très industriel, ni très sérieux.

Utiliser tinderbox me donne des boutons.

J'ai donc réutilisé un outil maison poudriere.

J'y ai rajouté une fonction bulk.

Petit rappel pour commencer, poudriere est un outil très simple ne nécessitant rien qui ne soit pas dans base. Son but est de permettre le test et la génération de packages pour FreeBSD.

Avec cette fonctionnalité de bulk, l'utilisateur donne une liste de packages à manger à poudriere et celui-ci va tous les générer, ainsi que leurs dépendances. Il va présenter le tout sous la forme d'un répertoire de packages identique à ceux officiels.

Commençons donc par créer nos environnements de build en considérant poudriere comme déjà installé.

Voici le fichier de configuration de mon poudriere:

ZPOOL=data
FTPHOST=ftp.free.org
IP=192.168.1.58
ETH=nfe0
PORTSDIR=/usr/local/poudriere/ports
POUDRIERE_DATA=/usr/local/pdata
WRKDIRPREFIX=/tmp/wrk
MFSSIZE=4G

poudriere utilise zfs il suffit de lui donner un zpool il se débrouille avec. Ici nous avons choisi "data". poudriere utilise les jails, il a donc besoin de connaître un host ftp pour récupérer les éléments nécessaires à la construction automatique des jails, une adresse IP et une interface réseau sur laquelle rajouter en alias l'adresse IP donnée.

Il a besoin de connaître l'arbre des ports sur lequel il va travailler, et où il va générer ses données: packages et logs.

Enfin quelques informations comme le WRKDIRPREFIX seront nécessaires si l'on veut tout construire en RAM (mdmfs et tmpfs possibles).

poudriere est maintenant utilisable, préparons donc les machines de build:

# poudriere createjail -v 8.2-RELEASE -n 82amd64 -a amd64 -s

Voila c'est tout ! Vous disposez désormais d'une machine de build pour FreeBSD 8.2-RELEASE pour l'architecture amd64. Vous pouvez en rajouter autant que vous voulez bien sûr.

Le bulk

Il s'agit maintenant de construire ses premiers packages. poudriere souhaite une liste, alors allons y:

# cat ~/listpkgs
ports-mgmt/portmaster
editors/vim
www/newsbeuter
www/elinks
devel/git

C'est déjà pas mal pour tester. Il est bien sûr possible de spécifier des options de compilation via: /usr/local/etc/poudriere.d/make.conf pour les options globales et/ou /usr/local/etc/poudriere.d/82amd64-make.conf pour les options spécifiques à la jail 82amd64.

# cat /usr/local/etc/poudriere.d/82amd64-make.conf
NOPORTDOCS=yes
WITHOUT_NLS=yes
WITHOUT_X11=yes
NO_GUI=yes

C'est prêt on peut lancer le build:

# poudriere bulk -f ~/listpkgs -j 82amd64

Si l'option -j n'est pas donnée alors il fera sur le boulot sur chacune des jails disponibles.

Ce que fait poudriere là c'est construire dans la jail vierge (merci les snapshots zfs) tous les packages demandés, en ayant pris soin de supprimer tout résidu d'un précédent bulk. Puis il va générer l'INDEX et le compresser en bzip2.

Cette étape peut donc être très longue.

Une fois terminée les résultats se trouveront dans : /usr/local/pdata/packages/bulk-82amd64

Le Répertoire étant utilisable tel quel.

Le client maintenant

On part donc d'une installation toute fraiche de freebsd sans l'arbre des ports

# export PACKAGESITE=http://monjoliserver/avec/mes/packages/
# pkg_add -r portmaster

Quelques options pour le portmaster.rc

# cat /usr/local/etc/portmaster.rc
MASTER_SITE_INDEX=http://monjoliserver/avec/mes/packages/
LOCALBASE=/usr/local
PACKAGESITE=http://monjoliserver/avec/mes/packages/
PM_PACKAGES=only
PM_INDEX=yes
PM_INDEX_ONLY=pm_index_only

Comme portmaster recherche encore quelques informations sur l'arbre des ports et que l'on ne souhaite pas ce comportement :

# mkdir /usr/ports/Mk
# touch /usr/ports/Mk/bsd.port.mk

portmaster est maintenant utilisable:

# portmaster www/newsbeuter
[...]
===>>> The following actions will be taken if you choose to proceed:
	Install www/newsbeuter
	Install devel/gettext
	Install converters/libiconv
	Install devel/pkg-config
	Install devel/stfl
	Install ftp/curl
	Install security/ca_root_nss
	Install textproc/libxml2
	Install databases/sqlite3

===>>> Proceed? y/n [y]

[...]
===>>> The following actions were performed:
	Installation of converters/libiconv (libiconv-1.13.1_1)
	Installation of devel/gettext (gettext-0.18.1.1)
	Installation of devel/pkg-config (pkg-config-0.25_1)
	Installation of devel/stfl (stfl-0.21_1)
	Installation of security/ca_root_nss (ca_root_nss-3.12.9)
	Installation of ftp/curl (curl-7.21.3_1)
	Installation of textproc/libxml2 (libxml2-2.7.8_1)
	Installation of databases/sqlite3 (sqlite3-3.7.5)
	Installation of www/newsbeuter (newsbeuter-2.4)
#

Voila retour/docs/patchs bienvenus, as usual :)

Nano jails

A la demande populaire voici un micro howto sur comment créer des nanos jails(8).

Pour cela je vais vous monter comment tourne mon blog (à base de cblog).

Quelques petites commandes pour bien montrer de quoi on parle

$ jls -j cblog
JID  IP Address      Hostname                      Path
1  10.50.0.1       cblog                         /zdata/jails/cblog/
$ du -hs /zdata/jails/cblog/
2,3M    /zdata/jails/cblog

c'est tout rien de plus.

Il y a même des choses en trop par exemple cette jail n'a pas besoin de réseau pour fonctionner normalement.

En fait une jail n'a pas besoin de grand chose pour fonctionner et depuis que l'on dispose des jails persistantes elles ont même besoin de rien du tout.

Examinons un peu le contenu de cette jail :

/zdata/jails/cblog
/zdata/jails/cblog/bin
/zdata/jails/cblog/bin/cblog.fcgi
/zdata/jails/cblog/data
/zdata/jails/cblog/data/*
/zdata/jails/cblog/usr/local/etc
/zdata/jails/cblog/usr/local/etc/cblog.conf
/zdata/jails/cblog/libexec
/zdata/jails/cblog/libexec/ld-elf.so.1
/zdata/jails/cblog/lib
/zdata/jails/cblog/lib/libfcgi.so.0
/zdata/jails/cblog/lib/libz.so.5
/zdata/jails/cblog/lib/libc.so.7

Nous y retrouvons donc le strict nécessaire pour faire tourner cblog.

pour en arriver là il faut préparer le fs. (je suis utilisateur de zfs :))

$ zfs create /zdata/jails/cblog
$ mkdir /zdata/jails/cblog/bin
$ mkdir /zdata/jails/cblog/lib
$ mkdir /zdata/jails/cblog/libexec

Je dépose ensuite le binaire cblog.fcgi (je l'ai pris dans le paquet officiel)

$ cp /tmp/cblog-0.1.15/libexec/cblog.fcgi /zdata/jails/cblog/bin

Je regarde ce que demande ce binaire:

$ ldd /zdata/jails/cblog/bin/cblog.fcgi
/zdata/jails/cblog/bin/cblog.fcgi:
libfcgi.so.0 => /usr/local/lib/libfcgi.so.0 (0x80066b000)
libz.so.5 => /lib/libz.so.5 (0x800775000)
libc.so.7 => /lib/libc.so.7 (0x80088a000)

Je rajoute donc ce qui va bien dans ma future jail:

$ cp /lib/libz.so.5 /zdata/jails/cblog/lib
$ cp /lib/libc.so.7 /zdata/jails/cblog/lib
$ cp /usr/local/lib/libfcgi.so.0 /zdata/jails/cblog/lib

J'ai vérifié les dépendances de la libfcgi et elle ne ramène rien d'autre.

Le paquet cblog est compilé avec comme prefix /usr/local du coup il cherche son fichier de conf dans /usr/local/etc/cblog.conf (vu de la jail)

$ mkdir /zdata/jails/cblog/usr/local/etc

Je prévoie de mettre les données que le binaire va manipuler dans /data (vu de la jail)

$ mkdir /zdata/jails/cblog/data

Je prépare le fichier de conf de mon cblog pour lui dire de trouver ses données dans /data (je zappe cette partie ce n'est pas le but de ce post). Le fichier de conf est déposé dans /zdata/jails/cblog/usr/local/etc sous le nom cblog.conf comme attendu.

C'est là que ça devient intéressant. Il est impossible de faire tourner une jail sans son runtime link-editor.

$ cp /libexec/lib-elf.so.1 /zdata/jails/cblog/libexec/ld-elf.so.1

Ici j'ai pris celui du système hôte car les binaire sont ceux du même format que ceux de l'hôte. Dans le cas d'un jail linux par exemple, il faudra prendre l'équivalent au format linux.

Nous pouvons maintenant démarrer la jail en question.

Ne surtout pas passer par /etc/rc.d/jail qui est complètement dépassé maintenant.

$ jail -c persist name=cblog path=/zdata/jails/cblog/ host.hostname=cblog ip4.addr=10.50.0.1

Si vous ne voulez pas d'adresse ip ni de hostname

$ jail -c persist name=cblog path=/zdata/jails/cblog/

jls vous montrera la jail qui tourne.

Démarrons le cblog pour qu'il écoute sur une socket unix.

$ jexec cblog /sbin/cblog.fcgi unix:/cblog.sock

Il suffit de donner le chemin /zdata/jails/cblog/cblog.sock à nginx par exemple dans sa config fastcgi pour que votre cblog soit accessible au plus grand nombre.

Pour stopper la jail:

$ jail -r cblog

All internal services migrated to IPv6

In the last days I migrated all my internal services to IPv6.

All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen to IPv6 too. The IMAP and CUPS server was picking the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I can not really test this.

Only my Wii is a little bit behind, and I have not checked if my Sony-TV will DTRT (but for this I first have to get some time to have a look if I have to update my DD-WRT firmware on the little WLAN-router which is “extending the cable

IPv6 in my LAN

After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to tell that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.

Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man-page for rc.conf. After a little bit of experimenting it came down to:

ifconfig_rl0_ipv6=“inet6 ::2:1 prefixlen 64 accept_rtadv“
ipv6_defaultrouter=

Update on FreeBSD Jail Based Virtualization Project

Bjoern Zeeb has provided a summary regarding the completion of the funded portion of the FreeBSD Jail Based Virtualization Project:

I am happy to report that the funded parts of the FreeBSD Jail Based Virtualization project are completed. Some of the results have been shipping with 8.1-RELEASE while others are ready to be merged to HEAD.

Jails have been the well known operating system level virtualization technique in FreeBSD for over a decade. The import of Marko Zec's network stack virtualization has introduced a new way for abstracting subsystems. As part of this project, the abstraction framework has been generalized. Together with Jamie Gritton's flexible jail configuration syscalls, this will provide the infrastructure for, and will ease the virtualization of, further subsystems without much code duplication. The next subsystems to be virtualized will likely be SYSV/Posix IPC to help, for example, PostgreSQL users. This will probably be followed by the process namespace.

Along with the framework, debugging facilities, such as the interactive kernel debugger, have been enhanced so that every new subsystem will be able to immediately make use of these improvements without modifying a single line of code. Libjail and jls can now work on core dumps and netstat is able to query individual live network stacks attached to jails.

For the virtual network stack, work was focused on network stack teardown, a concept introduced with the network stack virtualization. The primary goal was to prototype a shutdown of the (virtual) network stacks from top to bottom, which means letting interfaces go last rather than first and still being able to cleanly shutdown TCP connections. Good progress was made, but a lot of code over the last two decades was never written in a way to be cleanly stopped. Work on this will have to continue, along with virtualizing the remaining network subsystems to allow long term stability and a leak and panic free shutdown. As a side effect, users of non-virtualized network stacks will also benefit, as other general network stack problems are identified and fixed along the way.

I am happy to see more early adopters, former OpenSolaris users, and people contributing code or reporting problems and would like to encourage people to further support this project.

My special thanks go the FreeBSD Foundation and CK Software GmbH for having sponsored this project, as well as to John Baldwin and Philip Paeps for helping with review and excellent suggestions.

Resource Containers Project

We are pleased to announce that Edward Tomasz Napierala has been awarded a grant to implement resource containers and a simple per-jail resource limits mechanism.

Unlike Solaris zones, the current implementation of FreeBSD Jails does not provide per-jail resource limits. As a result, users are often forced to replace jails with other virtualization mechanisms. The goal of this project is to create a single, unified framework for controlling resource utilisation, and to use that framework to implement per-jail resource limits. In the future, the same framework might be used to implement more sophisticated resource controls, such as Hierarchical Resource Limits, or to implement mechanisms similar to AIX WLM. It could also be used to provide precise resource usage accounting for administrative or billing purposes.

"It's great that the Foundation decided to fund this project", Edward noted. "It will make jail-based virtualization a much better choice in many scenarios, for example for Virtual Private Server providers."

This project will be completed December, 2010.

Update on Jail Based Virtualization Project

One of the proposals selected for funding earlier this year was for jail based virtualization. Bjoern Zeeb, the developer being funded, recently provided an update on the progress of this project:

Bjoern A. Zeeb has been awarded a grant to improve FreeBSD's jail based virtualization infrastructure and to continue to work on the virtual network stack. His employer, CK Software GmbH is matching the Foundation's funding with hours.

FreeBSD has been well known for its jail based virtualization during the last decade. With the import of the virtual network stack, FreeBSD's operating system level virtualization has reached a new level.

This project includes cleanup of two years of import work and development and, more notably, brings the infrastructure for a network stack teardown. Cleanly shutting down a network stack in FreeBSD will be the major challenge in the virtualization area to get the new feature to production ready quality for the 9.x release
lifecycle.

Further, the project includes generalization of the virtual network stack framework, factoring out common code. This will provide an infrastructure and will ease virtualization of further subsystems like SYSV/Posix IPC with minimal overhead. All further virtualized subsystems will immediately benefit from shared debugging facilities, an essential feature for early adopters of the new technology.

Improved jail based virtualization support, that continues to be very lightweight and as easily manageable as classic jails, will be a killer feature for the next few years. It will allow people to partition their FreeBSD server, run simulations
without racks of hardware, or provide thousands of virtual instances in hosting environments fairly easy and efficiently. While this follows the trend of green computing, it also adds to FreeBSD's virtualization portfolio with Xen or other more heavyweight hypervisor support, which can be mixed with jails as needed.

While work in this area will have to continue, the funding for this project will end mid-July 2010.

The night of 1000 jails

As FreeBSD 8.0 is right around the corner it's the right time to get it some more exposure. Just for kicks I got the idea to stress the Jails subsystem - the cheap (both in $$$ and resource requirements) OS-level virtualization technology present in FreeBSD for nearly 10 years now. Behold... the bootup of 1,000, count them - 1,000 virtual machines on a single host with 4 GB of RAM.

Read more...