Jail role #21
The jails will be configured via Ansible so minimal configuration needs to happen from the flavour.
Note: this role needs to update |
It seems like it's beyond lineinfile's capabilities. Could we write an Ansible module that can parse, update, and re-write the file? Or maybe I don't understand the difficulty..
NO_DOCS=yes | ||
NOPORTDOCS=yes | ||
NOPORTEXAMPLES=yes |
OPTIONS_UNSET=DOCS EXAMPLES
The above is the correct way to do this for FreeBSD 10. The old configs were for when we used 9.
Ah yes, OPTIONS. I've seen stuff about that in UPDATING, but I forgot about it otherwise. Thanks for noting what needed to be changed.
The primary difficulty is the config is multiple lines. However, the man pages mention it's vaguely like C, so I'm wondering if it could all be on a single line. If not, then we would want an Ansible module.
Making a module might be required anyway if we want to do anything more complex than just add jails. This role can't delete jails for instance
LGTM to the extent I understand what happens. I think the best is to add some playbook to create a jail, so we could see it in action (it actually creates a jail, and it creates a useful jail :)).
Agreed - I think @verm knows the most about jails, at least in FreeBSD 10, and has indicated there are some tricky bits, so I'd like to try this out and experience those tricky bits for myself. You can only learn to fall off a horse by falling off a horse, after all. But this functionality is a prerequisite for doing a lot of other stuff (and for a much easier kind of local testing: repeat([delete jail, run Ansible]))
Conveniently I have a jail playbook.
- name: Jail test | ||
hosts: servicehosts | ||
roles: | ||
- { role: jail, name: jailtest.buildbot.net, ip_address: ['vtnet0|192.168.122.16'] } |
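Review bot: The ip_address entry on the last line packs the interface and the address into a single 'vtnet0|192.168.122.16' string, and nothing in the example says what that format is. The role's documentation should state the 'interface|address' format and whether the interface part is required, and the example would be clearer with a second entry showing how a jail with more than one address is written.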
So we will also need to specify the interface as well?
I'm a bit concerned about this since some of our jails have only internal addresses and some have both.
I believe so, yes. The jail can have addresses on any number of interfaces. Testing on a VM indicates the interface needs to be included.
To make the example more specific, let's create a jail for TRAC-3068
Further experimenting shows the jail configuration in |
I think we should start with the |
djmitche@c5649d6 was necessary for me to get this working (still playing with it)
Oh, yeah, need to install it. Not sure how I missed that.
This is the safe name that is used to identify it in /etc/jail.conf.
The config file is created in /usr/local/etc/ezjail and uses the jail's safe name.
I think I got everything now.
--- | ||
- name: Install ezjail | ||
pkgng: | ||
name: ezjail |
I like things explicit: state: present?
Updated.
hosts: servicehosts | ||
roles: | ||
- role: jail | ||
name: jailtest.buildbot.net |
can we actually just put a real jail here, for example, I suggested pgsql.int.
LGTM
Unsure whether this should go in the docs or the directory of the role. I opted for the latter thinking if someone wanted to learn how to use the role, they would be more likely to look in the role's directory.
Done I think. Moved the example playbook to a README in the jail directory.
ezjail_jailtemplate="${ezjail_jaildir}/newjail" | ||
ezjail_jailbase="${ezjail_jaildir}/base" | ||
ezjail_sourcetree=/usr/src | ||
ezjail_ftphost=freebsd.isc.org |
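Review bot: ezjail_ftphost on the last line of this hunk is hard-coded to freebsd.isc.org, so every host that gets this file uses the same mirror regardless of where it is or whether that mirror works for it. Consider making the host a role variable with a default value, so it can be overridden per host or group without editing the file, and note in the role's README which value the default is.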
@seankelly any reason you used freebsd.isc.org here? it fails for me, while ftp.freebsd.org gets me further...
It's what the service hosts have in their ezjail.conf.
Going through ftp1..14.us.freebsd.org indicates freebsd.isc.org is the closest.
Right, the ezjail.conf that comes with 10.1 seems to have ftp.freebsd.org...
Other roles would depend on the jail role and pass the parameters (currently name and ip_address) for the jail to it. Note this does not start the jail.