How to pre-install packages in a jail

[cen1]

I need to dynamically create jails with a few packages preinstalled. Each jail has some of the same packages but most of them are different.

My research so far:
-Docker on FreeBSD would work fine because I can specify all the packages in Dockerfile (RUN), but Docker needs 11.0-CURRENT, is experimental and not fully implemented so I don't think I want to use it just yet.

-Ezjail does not work on FreeBSD 10 (some error with old configuration style being used). Ezjail does support FLAVOURS which I think? would work:

In its default form it will create some groups and users, change the
ownership of some files and install all packages residing under /pkg.

although I am not sure what exactly it means by packages residing in /pkg. I assume in /usr/jails/flavour directory?

-Qjail seems to work best for me so far but.. Flavours only seem to have configuration changes and no setup script options. It does says it merges the filesystem when creating from flavour but then this means I would need to actually install packages into the flavour directory (is this possible?). I checked qjail flavour examples and can't find anything about installing packages. Man page does mention that you can create a SEED jail and then create jails from that archive but:
-I would need a different SEED for each jail which seems like a waste
-You need to get into the jail and install the packages to create the SEED which defeats the whole purpose.

Finally, I guess I could install packages on startup from customized rc.d but that seems wrong.


What is the best approach for the described task?

 

[wblock@]

Ezjail does not work on FreeBSD 10 (some error with old configuration style being used).

It works fine. The "error" is just a warning.

 

[hukadan]

You can also have a look to iocage(8). It provides an automatic package installation at creation time and from what you told in your post, the template feature could be what you are looking for.

But you have to use ZFS.

 

[cen1]

Seems promising. ZFS could be problematic because I am planning to use DigitalOcean and they use UFS by default. Would iocage(8) work if I made a zroot just like FreeBSD Docker wiki does https://wiki.freebsd.org/Docker ?

 

[leebrown66]

You could just use pkg(8). It can take a jail name/id as a parameter and then executes inside the jail.

Create the jail structure, start it up, run pkg(8) on it with the -j ( --jail) parameter.

I would also recommend building your own package repository with poudriere(8) so you can fetch binary packages locally and control their compilation switches.

 

[Beastie7]

You can also have a look to iocage(8). It provides an automatic package installation at creation time and from what you told in your post, the template feature could be what you are looking for.

But you have to use ZFS.

This.

edit: P.S. iocage(8) should really replace ezjail(7) in the handbook.

 

[hukadan]

Seems promising. ZFS could be problematic because I am planning to use DigitalOcean and they use UFS by default. Would iocage(8) work if I made a zroot just like FreeBSD Docker wiki does https://wiki.freebsd.org/Docker ?

From the iocage(8) man :

iocage relies on ZFS and at least one ZFS pool must be present on the host system.

So if you have one ZFS pool, it should work.

 

[scottro]

ZFS pool in this case, includes a FreeBSD installation to a single disk, formatted in ZFS. I haven't used ezjail in a long time, but iocage is great.

 

[cen1]

Ok, iocage(8) does indeed look the best so far there is just one thing bothering me: I can create a template (lets say a jail with ssh installed and enabled by default) but I can't iocage create from template, I can only iocage clone it. Which means I can't use pkglist property on top of cloning because pkglist property only works with create command. Arrgh! Always some catch 101.

I am guessing that if I want to create an ssh enabled jail at creation time I need to add ssh to pkglist and then add script to
exec_start property which will enable it, create a user and so on? Perhaps something like this:

exec_start="/bin/sh /etc/rc && sysrc -f /etc/rc.conf docker_enable=\"YES\""

I'll experiment with this and see how it goes.

 

[protocelt]

This.

edit: P.S. iocage(8) should really replace ezjail(7) in the handbook.

I would have to respectfully disagree with this. sysutils/ezjail works well and is filesystem agnostic while sysutils/iocage is ZFS only. Many people still use UFS and want a good jail management tool(s).

 

[hukadan]

Ok, iocage(8) does indeed look the best so far there is just one thing bothering me: I can create a template (lets say a jail with ssh installed and enabled by default) but I can't iocage create from template, I can only iocage clone it. Which means I can't use pkglist property on top of cloning because pkglist property only works with create command. Arrgh! Always some catch 101.

May be have a look to https://github.com/ployground/bsdploy then. I have not tried it but it is basically Ansible designed for jails. Few months ago, M. LUCAS made a list of jail(8) related tools : http://blather.michaelwlucas.com/archives/2291. The list is quite long so I am sure you will find what you are looking for.

-- Edit --
Sorry sysutils/bsdploy needs ZFS, I am not sure you can use it in your situation.

 

[Beastie7]

I would have to respectfully disagree with this. sysutils/ezjail works well and is filesystem agnostic while sysutils/iocage is ZFS only. Many people still use UFS and want a good jail management tool(s).

A person would be be doing themselves a huge disservice using UFS for Jails. Also, ezjail is terribly limited in comparison, because it leverages less of the Jail related infrastructure within FreeBSD. One of the reasons why iocage is such a smooth and completely featured experience is because of ZFS. And for myself, the command line syntax is miles ahead.

Besides it shouldn't take much to add some sort of feature flag for UFS users.

 

[wblock@]

edit: P.S. iocage(8) should really replace ezjail(7) in the handbook.

But it was just pointed out that sysutils/iocage requires ZFS. sysutils/ezjail does not.

 

[Beastie7]

But it was just pointed out that sysutils/iocage requires ZFS. sysutils/ezjail does not.

So that's it? The handbook is just going to list an inferior framework that doesn't even touch all the Jail subsystem has to offer? What percentage of users are even using UFS in conjunction with Jails to that of ZFS? Most users of FreeBSD I come across are using ZFS with Jails. It simply makes sense.

 

[wblock@]

The Handbook will include the ezjail section until there is a reason to remove it. That does not preclude adding more sections on other jail frameworks.

 

[leebrown66]

A person would be be doing themselves a huge disservice using UFS for Jails.

Would you mind expanding on that a little? What is the advantage of ZFS over UFS where a jail is concerned? (I don't use frameworks, so the merits of one port over the other are lost on me).

 

[vejnovic]

This.

edit: P.S. iocage(8) should really replace ezjail(7) in the handbook.

sysutils/cbsd is also very good tool for jails.

 

[cen1]

I decided to give ezjail one more try before I venture elsewhere, I am having trouble bootstraping pkg though. I created a flavour and I derive from that.

My ezjail.conf (this is the bootstrap file, runs on first jail start):

echo "nameserver 8.8.8.8" >> /etc/resolv.conf
env ASSUME_ALWAYS_YES=yes
env
pkg bootstrap
pkg -y install openjdk8
...

Network alias:

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:bd:88:c6
inet 192.168.2.60 netmask 0xffffff00 broadcast 192.168.2.255
inet 192.168.2.66 netmask 0xffffff00 broadcast 192.168.2.255

Creating jail:
ezjail-admin create -f base testjail 192.168.2.66

Jail log:

Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Clearing /tmp (X related).
ASSUME_ALWAYS_YES=yes
MAIL=/var/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PWD=/root
TERM=xterm
HOME=/
USER=root
SHELL=/bin/csh
BLOCKSIZE=K
RC_PID=10553
MAIL=/var/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PWD=/root
TERM=xterm
HOME=/
USER=root
SHELL=/bin/csh
BLOCKSIZE=K
RC_PID=10553
The package management tool is not yet installed on your system.
Please set ASSUME_ALWAYS_YES=yes environment variable to be able to bootstrap in non-interactive (stdin not being a tty)
The package management tool is not yet installed on your system.
Please set ASSUME_ALWAYS_YES=yes environment variable to be able to bootstrap in non-interactive (stdin not being a tty)
...

Why is this failing me? If I open the jail after it starts I can run pkg bootrstrap just fine but it seems the env variable is not being picked up.

 

[protocelt]

I've never used flavours so can't be of much help, but I believe

env ASSUME_ALWAYS_YES=yes

is incorrect. I think it should be

env ASSUME_ALWAYS_YES=YES

 

[cen1]

I've never used flavours so can't be of much help, but I believe

env ASSUME_ALWAYS_YES=yes

is incorrect. I think it should be

env ASSUME_ALWAYS_YES=YES

Unfortunately not, the same error appears.


Edit: setting env in the same line works.. https://dan.langille.org/2013/12/06...freebsd-unattended-and-without-answering-yes/

env ASSUME_ALWAYS_YES=YES pkg bootstrap

Why would this work but setting the env in a seperate line does not?

 

[kpa]

Unfortunately not, the same error appears.


Edit: setting env in the same line works.. https://dan.langille.org/2013/12/06...freebsd-unattended-and-without-answering-yes/

env ASSUME_ALWAYS_YES=YES pkg bootstrap

Why would this work but setting the env in a seperate line does not?

Because that's how the env(1) utility works. It won't export the variable to the current shell's environment and that's why the variable is not visible after env has finished running.