ployground / ploy_ezjail Goto Github PK

from the ezjail-admin(8) page:

ipaddress[,ipaddress2,...]
        The IP address or addresses of the jail. Since FreeBSD 7.2, it is
        possible to assign several several IPv4 or IPv6 addresses to a
        jail, by separating them with commas. Previous versions of
        FreeBSD allowed only a single IPv4 address per jail.

however, when trying to start this jail:

[ez-instance:test]
master = jailhost
ip = 10.0.0.3,2a03:b0c0:3:d0::3a4d:c002

we get the following stack-trace:

% ploy start test
INFO: Creating instance 'test'
Traceback (most recent call last):
  File "/home/igalic/src/me/meenix/bsdploy/bin/ploy", line 11, in <module>
    sys.exit(ploy())
  File "/home/igalic/src/me/meenix/bsdploy/local/lib/python2.7/site-packages/ploy/__init__.py", line 561, in ploy
    return ctrl(argv)
  File "/home/igalic/src/me/meenix/bsdploy/local/lib/python2.7/site-packages/ploy/__init__.py", line 553, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/home/igalic/src/me/meenix/bsdploy/local/lib/python2.7/site-packages/ploy/__init__.py", line 288, in cmd_start
    result = instance.start(overrides)
  File "/home/igalic/src/me/meenix/bsdploy/local/lib/python2.7/site-packages/ploy_ezjail/__init__.py", line 150, in start
    jails = self.master.ezjail_admin('list')
  File "/home/igalic/src/me/meenix/bsdploy/local/lib/python2.7/site-packages/ploy_ezjail/__init__.py", line 489, in ezjail_admin
    jails[entry.pop('name')] = entry
KeyError: 'name'

Creating the jail is possible, however, further processing then is hampered by our ezjail-admin list parsing code:

        elif command == 'list':
            rc, out, err = self._ezjail_admin('list')
            if rc:
                msg = out.strip() + '\n' + err.strip()
                raise EzjailError(msg.strip())
            lines = out.splitlines()
            if len(lines) < 2:
                raise EzjailError("ezjail-admin list output too short:\n%s" % out.strip())
            headers = self.ezjail_admin_list_headers
            jails = {}
            for line in lines[2:]:
                line = line.strip()
                if not line:
                    continue
                entry = dict(zip(headers, line.split()))
                jails[entry.pop('name')] = entry
            return jails

which cannot deal with output like this:

ezjail-admin list 
STA JID  IP              Hostname                       Root Directory
--- ---- --------------- ------------------------------ ------------------------
ZS  N/A  10.0.0.3        test                           /usr/jails/test
    N/A  2a03:b0c0:3:d0::3a4d:c002

currently rc.conf is simply copied over, however in most cases it would be feasible to generate it from data provided in aws.conf, in particular we should honour these variables:

• bootstrap-network-device (i.e. em0, re0 etc.)
• bootstrap-network-netmask
• bootstrap-default-router (if not set, omit and assume DHCP?)

alternatively, we could simply allow to override the entire ifconfig_XXX line from aws.conf instead of specifying device and netmask individually.

either way, it should be possible to bootstrap a host only using data provided in aws.conf, i.e. w/o requiring the end user to provide custom config files.

Having a "local" mode that does not require to ssh to connect to the "jailhost" (i.e. running on the jailhost itself) would be very useful. In that case, no ssh as root , no need to run sudo, and so on.

Sorry, this isn't really an issue, so much as a question.

I get that it's useful to container-ize using a loopback interface (lo1), so as to hide jails from the outside world, and use PF to open up network access to specific services from the host.

However, it is also just as useful to bridge jails onto host networks, so as to export jails in lieu of additional hardware.

I didn't see an option to allow a jail to be created with IP addresses other than on the lo1 loopback interface.

Did I miss something?

i.e. how do I create a jail that has a public IP address and is bridged with the host's em0, for example?

One less dependency in the FreeBSD port

<3