I am new to FreeBSD & jails.
I am aware that using a tool like sysutils/pot would probably do what I wanna do but my goal is to learn before picking one of those.
I have created a set of thin jails using ZFS snapshots (https://docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-openzfs-snapshots) to run various services.
I have followed exactly the instructions in the handbook so my jails are in /usr/local/jails/containers and owned by root:wheel.
My /etc/jail.conf looks like this:
Code:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
allow.raw_sockets;
exec.clean;
mount.devfs;
interface = re0;
exec.consolelog = "/var/log/jail_console_${name}.log";
host.hostname = "${name}";
path = "/usr/local/jails/containers/${name}";

myjail1 {
    ip4.addr = 192.168.8.120/24;
}
Everything is working fine.
Next step is:
I have installed nomad & now want to run & monitor my services running within the jail using nomad.
My goal IS NOT to use the nomad task driver to manage all the jails setup & teardown like explained in this article https://freebsdfoundation.org/wp-content/uploads/2019/09/HashiCorp-Nomad.pdf. I just want to use nomad to run & monitor my services within the jails. Also it seems the nomad jail-task-driver https://github.com/cneira/jail-task-driver might be overkill here and not really used or maintained.
So I am considering just using the raw_exec driver and jexec to start the services. Something like this:
JSON:
job "raw-jexec-job-test-1" {
  datacenters = ["*"]
  type        = "service"

  group "raw-jexec-group-test-1" {
    count = 1

    task "raw-jexec-task-test-1" {
      driver = "raw_exec"

      config {
        command = "/usr/sbin/jexec"
        # each argument is its own list element; a single quoted string would be
        # handed to jexec as the jail name
        args    = ["myjail1", "/usr/local/bin/myprogram", "--log-file", "/var/log/myprogram.log"]
      }
    }
  }
}
My questions are:
1. Is this approach of running services with nomad, the raw_exec driver and jexec wrong or naive?
2. If it is possible, what is the best way (secure) to give permission to nomad to start the services within the jails (as right now only root is allowed)? One solution I consider is using sysutils/jailme but it would require to create & map a nomad user within each jail.
3. Also for now I have tried to keep everything running as root within the jail for simplicity & because I assumed the jail mechanism isolates & protects my host system if a service were compromised. Am I wrong in this approach?
Many thanks for your help.
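The following is an added example, not code from the post above and not part of Nomad or FreeBSD. It is a small POSIX sh wrapper that a raw_exec task could invoke instead of calling jexec directly, addressing questions 2 and 3 from a containment angle: the Nomad agent (which raw_exec runs as, normally root on the host) still performs the jexec, but the service itself is started as an unprivileged account inside the jail via jexec -U (which resolves the user name against the jail's own passwd database), the jail name is validated before it reaches jexec, and the wrapper refuses to run anything as jail root. The script name jail-run, the jail user svc and the JEXEC/JLS environment overrides are assumptions; jexec -l and -U and jls -j are real options. The task config would then be command = "/usr/local/bin/jail-run" with args = ["myjail1", "svc", "/usr/local/bin/myprogram", "--log-file", "/var/log/myprogram.log"], each argument as its own element; raw_exec itself must be enabled in the client's plugin configuration, which it is not by default.

```shell
#!/bin/sh
# jail-run: wrapper for a Nomad raw_exec task that starts a service inside an
# already running jail as an unprivileged jail user. Constructed example;
# "jail-run", the "svc" account and the JEXEC/JLS overrides are assumptions.
#
# Usage: jail-run <jail> <jail-user> <command> [args...]

JEXEC="${JEXEC:-/usr/sbin/jexec}"   # overridable so the logic can be tested off-host
JLS="${JLS:-/usr/sbin/jls}"

# Accept only plain jail names (letters, digits, dot, underscore, dash). A
# mangled Nomad args list such as "myjail1 /usr/local/bin/myprogram ..." is
# rejected here instead of being handed to jexec as the jail name.
validate_jail_name() {
    case "$1" in
        '')                  return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

# The service account must be a normal user inside the jail; jail root is
# refused so a compromised service cannot rewrite the whole jail filesystem
# or use allow.raw_sockets with root privileges.
validate_jail_user() {
    case "$1" in
        '' | root)           return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

# This wrapper never creates or tears down jails: the jail must already be up.
jail_is_running() {
    "$JLS" -j "$1" jid >/dev/null 2>&1
}

# Validate, then replace this shell with jexec so Nomad supervises the real
# service process (signals and exit status reach it directly).
#   -l : clean login-style environment for the jail user
#   -U : look the user up in the jail's passwd database, not the host's
run_in_jail() {
    jail="$1"; user="$2"; shift 2
    validate_jail_name "$jail" || { echo "jail-run: bad jail name" >&2; return 64; }
    validate_jail_user "$user" || { echo "jail-run: refusing user '$user'" >&2; return 64; }
    [ "$#" -ge 1 ] || { echo "jail-run: no command given" >&2; return 64; }
    jail_is_running "$jail" || { echo "jail-run: jail '$jail' is not running" >&2; return 69; }
    exec "$JEXEC" -l -U "$user" "$jail" "$@"
}

# Invoked with arguments (as Nomad does): run the service. Sourced or run
# without arguments: only define the functions.
if [ "$#" -gt 0 ]; then
    run_in_jail "$@"
    exit $?
fi
```

The svc account has to exist inside each jail (the same per-jail user requirement the post notes for sysutils/jailme), and the service's log path must be writable by that user rather than by root. With this split the only privileged step left is the jexec itself, performed by the agent, and everything the service can do afterwards is bounded by an unprivileged jail user.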