
a set of tools for interactively deploying jails for ephemeral usage

dch's Avatar dch revised this gist 1751058964. Go to revision

1 file changed, 6 insertions, 4 deletions

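--- a/jz.fish
+++ b/jz.fish
@@ -4,8 +4,8 @@ function jz
 set MACH (sysctl -n hw.machine)
 set ARCH (sysctl -n hw.machine_arch)
 set DOMAIN skunkwerks.at
-set RELEASE 14.2-RELEASE
-set RELDATE 1402000
+set RELEASE 14.3-RELEASE
+set RELDATE 1403000
 set FLAVOUR $RELEASE-$MACH-$ARCH
 # grab the name
 set JAIL $argv[1]
@@ -33,7 +33,7 @@ function jz
 && doas zfs snapshot $ZPOOL$INSTANCE@ready
 
 # add a softlink if missing
-test -L /jails/tags/$JAIL || ln -s $INSTANCE /jails/tags/$JAIL
+ln -sf $INSTANCE /jails/tags/$JAIL
 
 # derive a hopefully non-clashing IP address
 set IPA (echo -n $JAIL | sha512 | cut -c 1,2)
@@ -84,7 +84,6 @@ function jz
 allow.raw_sockets \
 allow.reserved_ports \
 allow.sysvipc=1 \
-allow.novmm \
 children.max=0 \
 devfs_ruleset=4 \
 enforce_statfs=1 \
@@ -96,4 +95,7 @@ function jz
 sysvsem=disable \
 command=/bin/sh -c "env -i TERM=$TERM tmux -u new-session -DAs default"
 end
+# command=/bin/sh
+# allow.nounprivileged_proc_debug \
+# allow.novmm \
 end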
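Review bot: The new `ln -sf $INSTANCE /jails/tags/$JAIL` in the second hunk does not replace an existing tag: when `/jails/tags/$JAIL` is already a symlink to the instance directory, ln without `-h` follows it and creates the link inside that directory, so the stale tag is kept and a self-referencing `$JAIL` symlink appears inside the jail's root. The old `test -L … || ln -s …` avoided this by skipping; the refresh the commit seems to want needs `ln -shf $INSTANCE /jails/tags/$JAIL` (FreeBSD ln's `-h`, do not follow a symlink target). This matters more now that the release bump changes `$FLAVOUR` and therefore the path the tag should point at. Dropping `allow.novmm` in the third hunk only keeps the jail's vmm access off if the system default for `allow.vmm` is still false, which may be worth stating in a comment next to the commented-out lines added after the inner `end`. jz's definition starts above the first hunk.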

dch's Avatar dch revised this gist 1747808158. Go to revision

No changes

dch's Avatar dch revised this gist 1747808116. Go to revision

4 files changed, 169 insertions

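--- a/jc.fish
+++ b/jc.fish
@@ -0,0 +1,37 @@
+function jc
+# see https://git.io/JfHOu
+set local
+set MACH (sysctl -n hw.machine)
+set ARCH (sysctl -n hw.machine_arch)
+set DOMAIN skunkwerks.at
+set RELEASE 14.0-RELEASE
+set RELDATE 1400097
+set FLAVOUR $RELEASE-$MACH-$ARCH
+# grab the name
+set JAIL $argv[1]
+# the container
+set TEMPLATE /jails/templates/$FLAVOUR
+set INSTANCE /jails/instances/$FLAVOUR/$JAIL
+
+# find the zpool for jails and jailed datasets
+set ZPOOL (zfs list -Ho name /jails | cut -f 1 -d /)
+
+# create a /jailed dataset to contain optional per-jail jailable datasets
+# this can be located on an alternative zpool but must not be mountable
+zfs list -Ho name -d1 |grep /jailed\$ > /dev/null 2>&1 \
+|| doas zfs create -o mountpoint=none -o canmount=off $ZPOOL/jailed
+# re-fetch after possible creation
+set JAILED (zfs list -Ho name -d1 | grep /jailed\$)
+
+# derive a hopefully non-clashing IP address
+set IPA (echo -n $JAIL | sha512 | cut -c 1,2)
+set IPB (echo -n $JAIL | sha512 | cut -c 3,4)
+set IP6 $IPA$IPB
+set IP (printf "%d.%d" 0x$IPA 0x$IPB)
+# get the zt 6plane
+set IFACE (ifconfig | sort -r | /usr/bin/egrep -o '^zt[a-z0-9]+' | head -1)
+set SUBNET (ifconfig $IFACE inet6 | rg -Po 'fc\S+::' | uniq)
+set ALIAS "$IFACE|$SUBNET$IP6"
+# display config and try to start it
+echo name=$JAIL ip=$IP ip6=$IP6 iface=$IFACE subnet=$SUBNET alias=$ALIAS
+end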
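Review bot: `set JAIL $argv[1]` on line 11 takes the jail name with no validation, and from there it is spliced into filesystem paths (`/jails/instances/$FLAVOUR/$JAIL`), ZFS dataset names and, in the sibling files, grep patterns and the `jail name=` parameter, so a name containing `/`, `..`, spaces or regex metacharacters silently changes which paths and datasets are touched; an empty `$argv` leaves `$JAIL` unset as well. A guard right after that line, e.g. `string match -qr -- '^[A-Za-z0-9][A-Za-z0-9_-]*$' "$JAIL"; or return 1`, would close this for all four tools; the same issue applies to jd.fish, jr.fish and jz.fish, which copy the line. `set local` on line 3 creates an empty variable named `local` rather than declaring a scope; presumably `set -l` was intended, and as written every later `set` in the function relies on fish's default scoping. The `# display config and try to start it` comment on line 35 overstates what jc does, since the function only echoes the derived values; `# display the derived config (jz starts the jail)` would match the code.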

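--- a/jd.fish
+++ b/jd.fish
@@ -0,0 +1,8 @@
+function jd
+set local
+set JAIL $argv[1]
+doas sysrc jail_list-=$JAIL
+for f in (zfs list -Ho name -r zroot/jails/instances | grep /$JAIL\$)
+doas zfs destroy -Rvrf $f
+end
+end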
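Review bot: Line 5 hard-codes `zroot/jails/instances`, while jc.fish and jz.fish discover the pool with `set ZPOOL (zfs list -Ho name /jails | cut -f 1 -d /)`; on a host whose jails live on another pool, jd finds nothing (or, if a `zroot` also exists, the wrong datasets) before running `zfs destroy -Rvrf`. Reusing the same discovery line and `zfs list -Ho name -r $ZPOOL/jails/instances` keeps the three tools consistent. The `grep /$JAIL\$` filter also treats the name as a regex, so a name containing `.` or other metacharacters can match additional instance datasets; with the jail name restricted to `[A-Za-z0-9_-]` at the top of the function this is harmless, otherwise `grep -x -- ".*/$JAIL"` is still regex-based and a literal comparison of the last path component is safer. A `# destroy the instance dataset and every clone or snapshot under it` comment above the loop would make the effect of `-R` explicit.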

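--- a/jr.fish
+++ b/jr.fish
@@ -0,0 +1,25 @@
+function jr
+set local
+set JAIL $argv[1]
+set INSTANCE (jls -dj $JAIL path)
+pkill -TERM -j $JAIL
+sleep 3
+doas jail -rv $JAIL
+
+set MOUNTS (mount -p | grep $INSTANCE/ | cut -wf 2 | grep dev/fd)
+for node in $MOUNTS
+doas umount -f $node
+end
+set MOUNTS (mount -p | grep $INSTANCE/ | cut -wf 2 | grep dev/)
+for node in $MOUNTS
+doas umount -f $node
+end
+set MOUNTS (mount -p | grep $INSTANCE/ | cut -wf 2 | grep tmp/)
+for node in $MOUNTS
+doas umount -f $node
+end
+set MOUNTS (mount -p | grep $INSTANCE/ | cut -wf 2 | grep dev/fd)
+for node in $MOUNTS
+doas umount -f $node
+end
+end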
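Review bot: When the jail is not running, `jls -dj $JAIL path` on line 4 fails and `$INSTANCE` is empty, so every `grep $INSTANCE/` on lines 9, 13, 17 and 21 becomes `grep /` and matches every mount on the host; the following `grep dev/` and `grep tmp/` filters then select host mountpoints such as `/dev/fd`, which `doas umount -f` will unmount. Abort on the lookup instead: `set INSTANCE (jls -dj $JAIL path); or return 1` followed by `test -n "$INSTANCE"; or return 1`, and use `grep -F -- "$INSTANCE/"` so the path is matched literally. The fourth loop (lines 21–24) repeats the first (lines 9–12) and looks like a leftover. `pkill -TERM -j $JAIL` on line 5 runs without `doas` while the other privileged commands use it, which is probably intentional for processes owned by the invoking user but is worth a comment if so.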

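--- a/jz.fish
+++ b/jz.fish
@@ -0,0 +1,99 @@
+function jz
+# see https://git.io/JfHOu
+set local
+set MACH (sysctl -n hw.machine)
+set ARCH (sysctl -n hw.machine_arch)
+set DOMAIN skunkwerks.at
+set RELEASE 14.2-RELEASE
+set RELDATE 1402000
+set FLAVOUR $RELEASE-$MACH-$ARCH
+# grab the name
+set JAIL $argv[1]
+# the container
+set TEMPLATE /jails/templates/$FLAVOUR
+set INSTANCE /jails/instances/$FLAVOUR/$JAIL
+
+# find the zpool for jails and jailed datasets
+set ZPOOL (zfs list -Ho name /jails | cut -f 1 -d /)
+
+# create a /jailed dataset to contain optional per-jail jailable datasets
+# this can be located on an alternative zpool but must not be mountable
+zfs list -Ho name -d1 |grep /jailed\$ > /dev/null 2>&1 \
+|| doas zfs create -o mountpoint=none -o canmount=off $ZPOOL/jailed
+# re-fetch after possible creation
+set JAILED (zfs list -Ho name -d1 | grep /jailed\$)
+
+# create mountpoint if missing
+zfs list -Ho name $ZPOOL/jails > /dev/null 2>&1 \
+|| doas zfs create -o mountpoint=/jails -p $ZPOOL/jails
+
+# clone a template if missing
+test -d $INSTANCE \
+|| doas zfs clone $ZPOOL$TEMPLATE@ready $ZPOOL$INSTANCE \
+&& doas zfs snapshot $ZPOOL$INSTANCE@ready
+
+# add a softlink if missing
+test -L /jails/tags/$JAIL || ln -s $INSTANCE /jails/tags/$JAIL
+
+# derive a hopefully non-clashing IP address
+set IPA (echo -n $JAIL | sha512 | cut -c 1,2)
+set IPB (echo -n $JAIL | sha512 | cut -c 3,4)
+set IP6 $IPA$IPB
+set IP (printf "%d.%d" 0x$IPA 0x$IPB)
+# get the zt 6plane
+set IFACE (ifconfig | sort -r | /usr/bin/egrep -o '^zt[a-z0-9]+' | head -1)
+set SUBNET (ifconfig $IFACE inet6 | rg -Po 'fc\S+::' | uniq)
+set ALIAS "$IFACE|$SUBNET$IP6"
+# display config and try to start it
+echo name=$JAIL ip=$IP ip6=$IP6 iface=$IFACE subnet=$SUBNET alias=$ALIAS
+jls -j $JAIL > /dev/null 2>&1
+if test $status = 0
+doas jexec $JAIL tmux -u new-session -DAs default
+else
+doas jail -vcmr \
+name=$JAIL \
+path=$INSTANCE \
+exec.created="zfs jail $JAIL $JAILED/$JAIL || true" \
+exec.created="test -c $INSTANCE/dev/null || mount -t devfs devfs $INSTANCE/dev" \
+exec.created="test -c $INSTANCE/tmp || mount -t tmpfs tmpfs $INSTANCE/tmp" \
+exec.start="/bin/sh /etc/rc" \
+exec.poststop="umount $INSTANCE/tmp" \
+exec.poststop="umount $INSTANCE/dev" \
+exec.poststop="logger -p info -t jz removed $JAIL" \
+host.domainname=$DOMAIN \
+host.hostid=0 \
+host.hostname=$JAIL.$DOMAIN \
+host.hostuuid=(uuidgen) \
+ip4.addr="lo1|100.64.$IP" \
+ip6.addr="$ALIAS" \
+allow.chflags \
+allow.mount \
+allow.mount.devfs \
+allow.mount.fdescfs \
+allow.mount.nolinprocfs \
+allow.mount.nullfs \
+allow.mount.procfs \
+allow.mount.tmpfs \
+allow.mount.zfs \
+allow.nomlock \
+allow.noquotas \
+allow.noread_msgbuf \
+allow.noset_hostname \
+allow.nosocket_af \
+allow.nosysvipc \
+allow.raw_sockets \
+allow.reserved_ports \
+allow.sysvipc=1 \
+allow.novmm \
+children.max=0 \
+devfs_ruleset=4 \
+enforce_statfs=1 \
+osreldate=$RELDATE \
+osrelease=$RELEASE \
+persist \
+securelevel=2 \
+sysvmsg=disable \
+sysvsem=disable \
+command=/bin/sh -c "env -i TERM=$TERM tmux -u new-session -DAs default"
+end
+end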
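Review bot: The guard in line 58, `test -c $INSTANCE/tmp`, checks for a character device, which a `tmp` directory never is, so the tmpfs is mounted unconditionally on every jail creation; the devfs probe on line 57 works because `$INSTANCE/dev/null` really is a device node, but the tmp case needs a mount probe such as `mount -p | grep -qF -- "$INSTANCE/tmp" || mount -t tmpfs tmpfs $INSTANCE/tmp` (that string runs under /bin/sh as the jail's exec.created hook). Lines 31–33 chain `test -d … || doas zfs clone … && doas zfs snapshot …`; if fish evaluates `||` and `&&` left to right with equal precedence, as its `or`/`and` combiners do, the snapshot also runs when the instance already exists and fails with an ignored "already exists" error, so an explicit `if not test -d $INSTANCE` block would state the intent. The parameter list grants `allow.raw_sockets`, `allow.reserved_ports`, `allow.chflags` and several `allow.mount.*` rights to an ephemeral jail; a one-line comment saying what in the interactive workflow needs each of them would let a later reader trim the set safely. `set local` on line 3 and the unvalidated `set JAIL $argv[1]` on line 11 are the same as in jc.fish.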