bootstrap basejail

Hello FreeBSD folks!

I would like to manage my whole server through ansible, but FreeBSD does not make it easy.

I'm trying to create a useable basejail (vnet) for my playbook. Before I can run my playbook I need to enable ssh access etc.

- SSH enabled
- Login via public key
- No root login
- Login via $user
- Install $package

How can I create a basejail which has a $user preinstalled and python preinstalled?

It looks like I need my own special FreeBSD build?

best regards, sebastian
 
Try to make a template by yourself. Create a new directory, say /path/to/basejail, and extract base.txz in there (base.txz is on the FreeBSD install media). Copy the current /etc/resolv.conf to /path/to/basejail/etc/. chroot(8) into your new directory: chroot /path/to/basejail. Once inside, install all the packages you are going to need with pkg(8). Tell sshd(8) to auto-start with sysrc sshd_enable="YES", install your public key, make the respective changes in /etc/ssh/sshd_config (while in the chroot!), etc. Exit the chroot and you're almost ready.

If you want to create users or install additional packages later, after cloning the template dir, use pw(8) with the -R rootdir command-line argument, or pkg(8) with -c rootdir.
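
The template steps from the reply above, collected into one script as an added example (not part of the original posts). The file name mktemplate.sh, the home path /home/USER, the use of sysrc -R, and the key-only sshd policy (including KbdInteractiveAuthentication, which needs a recent OpenSSH) are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a jail template with sshd, one user and packages.
# Usage (as root on the FreeBSD host; hypothetical file name):
#   sh mktemplate.sh build ROOT USER PUBKEY BASE_TXZ PACKAGE...

# Settings this script owns in sshd_config (assumed policy: keys only, no root).
KEYS='PermitRootLogin|PubkeyAuthentication|PasswordAuthentication|KbdInteractiveAuthentication|AllowUsers'

harden_sshd() {   # harden_sshd ROOT USER
    cfg="$1/etc/ssh/sshd_config"
    {
        # sshd keeps the first value it reads for a keyword, and lines after a
        # Match are conditional, so the policy goes at the top of the file.
        printf '%s\n' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
            'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
            "AllowUsers $2"
        # Drop older active lines for the same keywords; comments are kept.
        grep -Eiv "^[[:space:]]*($KEYS)[[:space:]=]" "$cfg" || true
    } > "$cfg.new" && mv "$cfg.new" "$cfg"
}

build_template() {   # build_template ROOT USER PUBKEY BASE_TXZ PACKAGE...
    root=$1 user=$2 pubkey=$3 base=$4
    shift 4
    mkdir -p "$root"
    tar -xpf "$base" -C "$root"                 # extract base.txz
    cp /etc/resolv.conf "$root/etc/resolv.conf" # DNS for pkg
    pkg -c "$root" install -y "$@"              # e.g. python3
    pw -R "$root" useradd -n "$user" -m -s /bin/sh
    sshdir="$root/home/$user/.ssh"              # assumes home is /home/USER
    install -d -m 700 "$sshdir"
    install -m 600 "$pubkey" "$sshdir/authorized_keys"
    chroot "$root" chown -R "$user" "/home/$user/.ssh"
    sysrc -R "$root" sshd_enable=YES
    harden_sshd "$root" "$user"
}

if [ "${1:-}" = build ]; then
    shift
    set -e
    build_template "$@"
fi
```

Because the policy lines are written first, a leftover setting further down the file, or one inside a Match block, cannot override them.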
 
I manage my FreeBSD server with ansible, but I bootstrap jails with bsdinstall jail manually.
Also, I recommend not using the basejail scheme; it makes the jail update process very complex.
 
Could you explain this please?
If "basejail" means sharing the userland via nullfs, you have the following potential problems:
1. Out-of-sync /etc (you are forced to use mergemaster for /etc and freebsd-update for the basejail).
2. It is generally unsafe to update the basejail if jails are running. While the probability is rather low, daemons could crash. Anyway, you must check all of your jails for any issues after a basejail update.

Probably if you run an SSD pool or you have a number of jails it makes sense, but for my 20 jails I prefer simplicity. The FreeBSD userland is not so big.
 
I'm still working on this and it is still a huge pain ... because I can't use bsdinstall (ansible).

Is it possible to use bsdinstall jail in a non-interactive mode? I would like to pass variables to it and wait ...
 
I'm still working on this and it is still a huge pain ... because I can't use bsdinstall (ansible).

Is it possible to use bsdinstall jail in a non-interactive mode? I would like to pass variables to it and wait ...
The installer really doesn't do much; all it does is create partitions (not needed for a jail) and extract a couple of archives, like base.tgz. Then it sets up rc.conf. So the whole installation of a jail could be done with "pure" Ansible.

But besides that, read bsdinstall(8):
Code:
     jail destination         Sets up a new chroot system at destination,
                              suitable for use with jail(8).  Behavior is
                              generally similar to auto, except that disk
                              partitioning and network setup are skipped and a
                              kernel is not installed into the new system.

     script script            Runs the installation script at script.  See
                              SCRIPTING for more information on this target.
 