How to copy files from one jail to another

Hi all,
I am currently searching for a simple solution to copy files between jails.

What I think I understood: Jails are jails. They are kept safe.
If I want to access a jail from another jail, I need to allow that, i.e. via ssh.
Let's say I want to copy files from jail A to jail B, then, as usual with remote shells, I have to create a key pair on A, somehow transmit the public key to B, enable and start ssh on both machines, also allow probably root for ssh login and then I can ssh in from A to B and use whatever ssh based file copy utility...

Right?
There is no other, easier way to do that?
I always have to manually provision those servers etc. (maybe partly automatable by provisioning on jail creation, still root enablement has to be changed manually in the ssh config file)

If anyone has a good idea on using other strategies to copy files from a "build" jail in a ci-cd pipeline to the "server" jail, it would be appreciated :)

cheers,
Martin
 
The answer depends on how you manage your jails and what file you wish to transfer. I use iocage so that is what my discussion assumes.

iocage uses zfs. In consequence there is an iocage dataset under zroot. Under iocage there is a jails dataset. Under that there are the datasets for the jails themselves. iocage creates two (2) datasets for each jail. One is the jail itself. The other is the jail's root. The directory structure looks like this:
Code:
tree -d -L 2 /zroot/iocage/jails/
/zroot/iocage/jails/
|-- accounting-2
|   `-- root
|-- bkuprcvy-3
    `-- root

The root dataset of each jail contains all the files. So, for example, if I wished to copy /root/.ssh/id_rsa* from accounting-2 to bkuprcvy-3 I could do this on the host:
Code:
cp -p /zroot/iocage/jails/accounting-2/root/root/.ssh/id_rsa*   /zroot/iocage/jails/bkuprcvy-3/root/root/.ssh/

Jails are of course completely, or nearly so, isolated from each other. So there is no other way to manipulate files between jails other than from the host system. To transfer files directly between jails one needs something like rsync or sftp and to set up a password-less login between the two jails if automation is involved.
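
A hardened form of the host-side copy described in the post above, added here as an example and not part of the thread. Paths inside a jail are resolved in the host's namespace when the host reads them, so the function resolves the path first and refuses anything that leaves the jail root. The names jail_copy and JAILS_DIR are assumptions; the directory layout is the one shown above.

```shell
#!/bin/sh
# Added example: copy one file between jail roots from the host.
# JAILS_DIR defaults to the iocage layout shown in the post (assumption:
# overridable through the environment).
JAILS_DIR="${JAILS_DIR:-/zroot/iocage/jails}"

# jail_copy SRC_JAIL DST_JAIL PATH_IN_JAIL   (hypothetical helper)
# Returns 0 on success, 2 when the path is refused, 1 on other errors.
jail_copy() {
    src_root=$(realpath "$JAILS_DIR/$1/root") || return 1
    dst_root=$(realpath "$JAILS_DIR/$2/root") || return 1
    rel=${3#/}

    # Resolve symlinks, then require the result to stay under the source root.
    src=$(realpath "$src_root/$rel") || { echo "cannot resolve: $3" >&2; return 1; }
    case "$src" in
        "$src_root"/*) ;;
        *) echo "refused: $3 resolves outside $src_root" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "refused: $3 is not a regular file" >&2; return 2; }

    # Same check for the destination directory inside the target jail.
    dst_dir=$(realpath "$dst_root/$(dirname "$rel")") || return 1
    case "$dst_dir/" in
        "$dst_root"/*) ;;
        *) echo "refused: destination leaves $dst_root" >&2; return 2 ;;
    esac

    # Write to a temp file and rename it, so an existing symlink at the
    # destination name is replaced instead of followed.
    tmp=$(mktemp "$dst_dir/.jail_copy.XXXXXX") || return 1
    if cp -p "$src" "$tmp" && mv -f "$tmp" "$dst_dir/$(basename "$rel")"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

The checks are not atomic against a process still running inside the source jail; copying from a ZFS snapshot of the jail's dataset closes that window.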
 
You could create a transfer directory as /var/transfer or so. Then you can mount -t nullfs ... the transfer directory of the host to directories in the jails. The handling of files requires scripts or similar to monitor the content of the directories and to trigger actions based on that. I am not sure if this is simpler but it is a different approach.
 
If anyone has a good idea on using other strategies to copy files from a "build" jail in a ci-cd pipeline to the "server" jail, it would be appreciated

With iocell/iocage all jails (of the same release) share the same /usr/ports dataset, which is nullfs-mounted read-only into the jails.
I leverage that by using a dedicated "buildjail" on my jailhosts that has rw access to this dataset and has its work/dist/package-dir configured to folders within that dataset via /etc/make.conf.
This buildjail then is used to build packages for e.g. postfix, nginx and dovecot (for which I need other build options than used in packages), and the jails just install those custom built packages from the shared /usr/ports/packages path. To prevent interference with normal pkg upgrade routine I lock those packages, so I have to specifically and manually upgrade them after building them.

This works for a small number of servers and ports/packages - if you have a larger number of servers and/or packages that you have/want to build with custom configuration, you might want to set up your own buildhost e.g. with poudriere and host your own pkg repository.
 