jails infrastructure as code and orchestration tools : ansible vs iocage vs (appjail + director + overlord)

Ahhh, that's so simple. Ok, I'll try that.
This is starting to touch on why I choose to do things the way I do them (e.g. my jail script vs others) and I'm interested in how you're going to tackle these types of things. Tell us how it goes (obviously, UID--for example--is easy, but I want to see how you're going to tackle these types of "issues" in an automated setup). Very cool to watch! Keep going.
 
atax1a

I'm still having trouble with this. I have created a user named backup in both my HOST and JAIL, and the UID is 2001 in both cases. The jails root user can see the host files, but not the backup.

Code:
# 1. host user
root@fbsdhost4:/home/toddg # grep backup /etc/passwd
backup:*:2001:2001:User &:/home/backup:/bin/sh

# 2. jail user
root@fbsdhost4:/home/toddg # jexec -l backitup grep backup /etc/passwd
backup:*:2001:2001:User &:/home/backup:/bin/sh

# 3. host datasets / filesystems are chowned to backup:backup
root@fbsdhost4:/home/toddg # ls -lsat /opt
total 21
17 drwxr-xr-x  23 root   wheel  28 Feb 17 21:23 ..
 1 drwxr-x---   4 backup backup  4 Feb 14 12:41 prod
 1 drwxr-x---   5 backup backup  5 Feb 14 12:41 .
 1 drwxr-x---   4 backup backup  4 Feb 14 12:41 stage
 1 drwxr-x---   4 backup backup  4 Feb 14 12:41 dev
root@fbsdhost4:/home/toddg # ls -lsat /opt/dev
total 4
1 drwxr-x---  5 backup backup 5 Feb 14 12:41 ..
1 drwxr-x---  4 backup backup 4 Feb 14 12:41 .
1 drwxr-x---  2 backup backup 2 Feb 14 12:41 postgres
1 drwxr-x---  2 backup backup 2 Feb 14 12:41 feeds
root@fbsdhost4:/home/toddg # ls -lsat /opt/dev/feeds/
total 2
1 drwxr-x---  4 backup backup 4 Feb 14 12:41 ..
1 drwxr-x---  2 backup backup 2 Feb 14 12:41 .
root@fbsdhost4:/home/toddg # ls -lsat /opt/dev/postgres/
total 2
1 drwxr-x---  4 backup backup 4 Feb 14 12:41 ..
1 drwxr-x---  2 backup backup 2 Feb 14 12:41 .

# 4. root user inside jail can see the files 
root@fbsdhost4:/home/toddg # jexec -l backitup find /opt
/opt
/opt/prod
/opt/prod/postgres
/opt/prod/feeds
/opt/dev
/opt/dev/postgres
/opt/dev/feeds
/opt/stage
/opt/stage/postgres
/opt/stage/feeds
/opt/stage/feeds/fakefeed.txt

# 5. the backup user inside the jail cannot see the files
root@fbsdhost4:/home/toddg # jexec -l -u backup backitup find /opt
/opt
find: /opt/prod: Permission denied
find: /opt/dev: Permission denied
find: /opt/stage: Permission denied
find: /opt: Permission denied

# 6. trying with both the "-u" and "-U" flags, same result
root@fbsdhost4:/home/toddg # jexec -l -U backup backitup find /opt
/opt
find: /opt/prod: Permission denied
find: /opt/dev: Permission denied
find: /opt/stage: Permission denied
find: /opt: Permission denied

Any suggestions would be most welcome
:)
 
Taking a quick fly-by.
Try "chown 2001:wheel"

I, personally, don't necessarily create a user on host AND jail (jail: yes, host: no) but I keep the same UID on both. So for example, I created some directories on a dataset with a UID of 211 (way back when). In my jail I create a user with a UID of 211 if I want RW.

Code:
host (/var/db/repositories/):
drwxr-s---   9 211  wheel     9 Jan 25 15:25 server/
jail (/var/db/git/):
drwxr-s---   9 git  wheel     9 Jan 25 15:25 server/

Both the host--in this case--and the jail have this directory mounted from another system (I have an NFS server and three physical servers and one remote). One host has ~3 or 4 jails. Another host has ~4+ jails and the third host has ~2 jails.
 
Ahhh. I think something is borked in my ZFS dataset. When I try this with a fresh dataset everything works as expected:

Code:
# 1. create fresh new dataset
root@fbsdhost4:/home/toddg # zfs create -o mountpoint=/fubar zroot/fubar

# 2. populate it with a file
root@fbsdhost4:/home/toddg # touch /fubar/somefile.txt

# 3. chown to the user I'll be using in the jail
root@fbsdhost4:/home/toddg # chown -R backup:backup /fubar/

# 4. verify file perms
root@fbsdhost4:/home/toddg # ls -lsat /fubar/
total 19
 1 drwxr-xr-x   2 backup backup  3 Feb 17 22:54 .
 1 -rw-r--r--   1 backup backup  0 Feb 17 22:54 somefile.txt
17 drwxr-xr-x  24 root   wheel  29 Feb 17 22:53 ..

# 5. update the jail's fstab to mount this new dataset
root@fbsdhost4:/home/toddg # vim /jails/fstab/backitup.fstab

 >>> /fubar  /jails/containers/backitup/fubar              nullfs rw 0 0


# 6. make the mount point in the jail
root@fbsdhost4:/home/toddg # jexec -l backitup mkdir /fubar

# 7. restart the jail to reload the fstab
root@fbsdhost4:/home/toddg # service jail restart backitup
Stopping jails: backitup.
Starting jails: backitup.

# 8. drumroll....
root@fbsdhost4:/home/toddg # jexec -l backitup ls /fubar
somefile.txt

# 9. Ok, so that worked
root@fbsdhost4:/home/toddg # jexec -l backitup cat /fubar/somefile.txt

# 10. add some text to the file
root@fbsdhost4:/home/toddg # vim /fubar/somefile.txt

# 11. cat it out
root@fbsdhost4:/home/toddg # jexec -l backitup cat /fubar/somefile.txt
snthaoeusnth
sanoteusatheu
snth

Ok, so the advice from atax1a was spot on, and I have to clean my ZFS.

More on this soon.

(thx JohnK, I'll keep y'all updated as I progress)
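An added example (not from the thread) of the check behind steps 3 to 5 above: confirm that the numeric owner of the host directory equals the UID of the intended user inside the jail, and render the nullfs fstab line. It reuses the jail, user and path names from the posts and does the passwd lookup on text so it runs off a FreeBSD host; it also covers the two failure cases seen here, a missing jail user and a UID mismatch.

```shell
#!/bin/sh
# Added example, not the thread's own script. Names (backitup, backup, /fubar)
# come from the posts; the functions take passwd text so they can be tested offline.

# Print the numeric UID of user $1 from passwd(5)-format text $2.
# Prints nothing and returns 1 when the user is absent.
passwd_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Render the fstab line that nullfs-mounts host path $1 at $2 under jail root $3.
nullfs_fstab_line() {
    printf '%s\t%s%s\tnullfs\trw\t0\t0\n' "$1" "$3" "$2"
}

# Compare the host-side numeric owner ($1) with user $2's UID in the jail's
# passwd text ($3). Returns 0 on a match, 1 on a mismatch, 2 if the user is missing.
check_uid_mapping() {
    host_owner=$1
    user=$2
    jail_passwd=$3
    jail_uid=$(passwd_uid "$user" "$jail_passwd") || {
        echo "no such user $user in jail (files owned by $host_owner stay unreadable)" >&2
        return 2
    }
    if [ "$host_owner" = "$jail_uid" ]; then
        echo "ok: host owner $host_owner == jail $user ($jail_uid)"
        return 0
    fi
    echo "mismatch: host owner $host_owner, jail $user is $jail_uid" >&2
    return 1
}

# Live usage on the FreeBSD host (not run here): stat -f %u prints the numeric
# owner of the host directory, jexec reads passwd inside the running jail.
#   check_uid_mapping "$(stat -f %u /fubar)" backup "$(jexec -l backitup cat /etc/passwd)"
#   nullfs_fstab_line /fubar /fubar /jails/containers/backitup >> /jails/fstab/backitup.fstab
```

Because the host never needs a `backup` account for this check, it fits JohnK's approach of keeping the user only in the jail.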
 
JohnK, I like your idea of not having those user accounts on the HOST.

Code:
# 1. remove the backup user from HOST
root@fbsdhost4:/home/toddg # rmuser backup
Matching password entry:

backup:...

Is this the entry you wish to remove? (yes/no): y
Remove user's home directory? [/home/backup] (yes/no): y
Removing user (backup): mailspool home passwd.

# 2. verify files on the HOST use the correct UID (in this case 2001)
root@fbsdhost4:/home/toddg # ls -lsat /fubar/
total 19
 1 drwxr-xr-x   2 2001 2001   3 Feb 17 22:56 .
 1 -rw-r--r--   1 2001 2001  33 Feb 17 22:56 somefile.txt
17 drwxr-xr-x  24 root wheel 29 Feb 17 22:53 ..

# 3. verify that the jail root user can see the files 
root@fbsdhost4:/home/toddg # jexec -l backitup cat /fubar/somefile.txt
snthaoeusnth
sanoteusatheu
snth

# 4. verify that the HOST user cannot do anything (it's been deleted)
root@fbsdhost4:/home/toddg # jexec -l -u backup backitup cat /fubar/somefile.txt
jexec: backup: no such user

# 5. verify that the JAIL user can see the files
root@fbsdhost4:/home/toddg # jexec -l -U backup backitup cat /fubar/somefile.txt
snthaoeusnth
sanoteusatheu
snth

So sure, that seems like a good way to go, thx!
 