Automate deploying a bunch of thin jails

I’m setting up the *ARR suite apps in jails (using the Bastille manager). I used to do this in debian and docker but this time I moved to freeBSD to try out it’s native zfs support.

In setting up I need to setup a uniform user, setup external mounts (the involved bit) and install the apps on each jail. I did this manually on a trial system and it works perfectly (finally!).

In docker this was all automated in the form of compose scripts. I write it up once and then don’t need to worry about it when I reinstall/upgrade the host..

Is there any automation tool I can use in my case?

Asked By: Anton A


The automation tool would be simple shell scripts or if you are already using Bastille you would create an equally simple template.

You can either do your actions from "outside" the jail by directly modifying the the filesystem running a script on the host system. Or you can do them running "within" the context of the jail (container) using jexec(8)

jexec myjail /bin/sh

This will start a shell within the container context. Rather than starting an interactive shell you could just start a shell script.

The same principle applies when you wrap everything with the Bastille tool. Look for CMD in the template section.

At the top of that page they link to a repo with a lot of ready to use examples. If we take a quick look at apache we see the following content in the Bastillefile:

PKG apache24
SYSRC apache24_enable=YES
SYSRC apache24_flags=""
CMD httpd -t
SERVICE apache24 start

The Bastillefile is then a list of Template Automation Hooks which are typical FreeBSD primitives. And the CMD let you run any command/script.

Most user setup is typically done automatically on FreeBSD using ports/packages (ie. apache). Which is why you do not see a lot of recipes doing that. If you want to look further into that you should checkout the ports tree an look into how packages are created. This is documented in FreeBSD Porter’s Handbook. So for FreeBSD it would not be unusual that you roll your own packages as part of your automation (typically using poudiere). This would however be overkill for a home setup but this is "how things are done".

But we can still setup users without much ado. We simply use pw and just expand the example given in the man page with the -u option:

pw useradd -u 1001 -n gsmith -c "Glurmo Smith" -s csh -m -w random

You can run that from the host into the jail using jexec or as a CMD in the Bastillefile.

If you want to run pw outside the jail you should use the options -R rootdir and -V etcdir. You would then point those into the chroot location of your jail.

Remember that when you run things with jexec or CMD you only have access to the files within the context of the chroot assigned to the jail. That is: If you want to run a script inside the jail it needs to be within the jails filesystem.

Answered By: Claus Andersen
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.