Jail role #21

Merged
merged 19 commits into from Dec 5, 2014

seankelly
Member

Other roles would depend on the jail role and pass the parameters (currently name and ip_address) for the jail to it. Note this does not start the jail.

@seankelly
Member Author

Note: this role needs to update /etc/jail.conf still. I think this is the reason why it's annoying to automate.

@djmitche
Member

It seems like it's beyond lineinfile's capabilities. Could we write an Ansible module that can parse, update, and re-write the file? Or maybe I don't understand the difficulty..


NO_DOCS=yes
NOPORTDOCS=yes
NOPORTEXAMPLES=yes
Member

OPTIONS_UNSET=DOCS EXAMPLES

The above is the correct way to do this for FreeBSD 10. The old configs were for when we used 9.

Member Author

Ah yes, OPTIONS. I've seen stuff about that in UPDATING, but I forgot about it otherwise. Thanks for noting what needed to be changed.

@seankelly
Member Author

The primary difficulty is the config is multiple lines. However, the man pages mention it's vaguely like C, so I'm wondering if it could all be on a single line. If not, then we would want an Ansible module.

@seankelly
Member Author

Making a module might be required anyway if we want to do anything more complex than just add jails. This role can't delete jails, for instance.

@sa2ajj

sa2ajj commented Nov 26, 2014

LGTM to the extent I understand what happens.

I think the best is to add some playbook to create a jail, so we could see it in action (it actually creates a jail, and it creates a useful jail :)).

@djmitche
Member

Agreed - I think @verm knows the most about jails, at least in FreeBSD 10, and has indicated there are some tricky bits, so I'd like to try this out and experience those tricky bits for myself. You can only learn to fall off a horse by falling off a horse, after all. But this functionality is a prerequisite for doing a lot of other stuff (and for a much easier kind of local testing: repeat([delete jail, run Ansible]))

@seankelly
Member Author

Conveniently I have a jail playbook.

- name: Jail test
hosts: servicehosts
roles:
- { role: jail, name: jailtest.buildbot.net, ip_address: ['vtnet0|192.168.122.16'] }

So we will also need to specify the interface as well?

I'm a bit concerned about this since some of our jails have only internal addresses and some have both.

Member Author

I believe so, yes. The jail can have addresses on any number of interfaces. Testing on a VM indicates the interface needs to be included.

@sa2ajj

sa2ajj commented Nov 27, 2014

To make the example more specific, let's create a jail for TRAC-3068

@seankelly
Member Author

Further experimenting shows the jail configuration in /etc/jail.conf can be on a single line. If all of the jails do not need additional options beyond what any other jail requires, then the lineinfile module might be good enough.
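
An added sketch (not code from this pull request) of the core of the parse/update/rewrite module suggested earlier in the thread, built on the one-jail-per-line finding above; it also covers deletion and rejects values that would inject extra jail parameters. The safe-name rule, `JAIL_ROOT` and all function names are assumptions.

```python
import re

# Assumptions of this sketch (not from the PR): one jail per line, the jail
# name is the hostname with non-alphanumerics replaced by "_", and jail roots
# live under JAIL_ROOT.
JAIL_ROOT = "/usr/jails"
_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")
_ADDR = re.compile(r"(?:[A-Za-z0-9]+\|)?[0-9A-Fa-f.:]+")


def safe_name(hostname):
    """Jail names cannot contain dots; reject anything that is not a hostname."""
    if not _HOST.fullmatch(hostname):
        raise ValueError("invalid hostname: %r" % (hostname,))
    return re.sub(r"[^A-Za-z0-9]", "_", hostname)


def render_jail(hostname, ip_addresses):
    """Render one jail as a single jail.conf line, validating every value."""
    name = safe_name(hostname)
    if not ip_addresses:
        raise ValueError("at least one address is required")
    for addr in ip_addresses:
        # Quotes, semicolons or braces here would add parameters to the jail.
        if not _ADDR.fullmatch(addr):
            raise ValueError("invalid address: %r" % (addr,))
    addrs = ", ".join('"%s"' % a for a in ip_addresses)
    return '%s { host.hostname = "%s"; ip4.addr = %s; path = "%s/%s"; }' % (
        name, hostname, addrs, JAIL_ROOT, name)


def set_jail(conf_text, hostname, ip_addresses=(), state="present"):
    """Add, update or delete a jail line; return (new_text, changed)."""
    if state not in ("present", "absent"):
        raise ValueError("state must be 'present' or 'absent'")
    entry = re.compile(r"%s\s*\{.*\}\s*" % re.escape(safe_name(hostname)))
    wanted = render_jail(hostname, ip_addresses) if state == "present" else None
    out, seen = [], False
    for line in conf_text.splitlines():
        if entry.fullmatch(line):
            if wanted is not None and not seen:
                out.append(wanted)  # replace in place, drop duplicates
            seen = True
        else:
            out.append(line)
    if wanted is not None and not seen:
        out.append(wanted)
    new_text = "".join(line + "\n" for line in out)
    return new_text, new_text != conf_text
```

The `changed` flag is what an Ansible module would report back, so a second run with the same arguments leaves the file untouched.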

@sa2ajj

sa2ajj commented Dec 2, 2014

I think we should start with the lineinfile module and see if it's sufficient. It might well be that if we need something "sophisticated", we actually do something wrong :)

@djmitche
Member

djmitche commented Dec 2, 2014

djmitche@c5649d6 was necessary for me to get this working (still playing with it)

@seankelly
Member Author

Oh, yeah, need to install it. Not sure how I missed that.

The config file is created in /usr/local/etc/ezjail and uses the jail's
safe name.
@seankelly
Member Author

I think I got everything now.

---
- name: Install ezjail
pkgng:
name: ezjail

I like things explicit: state: present?

@seankelly
Member Author

Updated.

hosts: servicehosts
roles:
- role: jail
name: jailtest.buildbot.net

Can we actually just put a real jail here? For example, I suggested pgsql.int.

@sa2ajj

sa2ajj commented Dec 4, 2014

LGTM

seankelly changed the title from "[DO NOT MERGE] Jail role" to "Jail role" Dec 5, 2014
Unsure whether this should go in the docs or the directory of the role.
I opted for the latter thinking if someone wanted to learn how to use
the role, they would be more likely to look in the role's directory.
@seankelly
Member Author

Done I think. Moved the example playbook to a README in the jail directory.

sa2ajj pushed a commit that referenced this pull request Dec 5, 2014
@sa2ajj sa2ajj merged commit 6dc4a0d into buildbot:master Dec 5, 2014
@seankelly seankelly deleted the jail-role branch December 6, 2014 02:36
ezjail_jailtemplate="${ezjail_jaildir}/newjail"
ezjail_jailbase="${ezjail_jaildir}/base"
ezjail_sourcetree=/usr/src
ezjail_ftphost=freebsd.isc.org
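Review bot: `ezjail_ftphost=freebsd.isc.org` on the last line hard-codes a single mirror in the shipped ezjail.conf. Consider exposing the host as a role variable with a default, so a site where this mirror is unreachable can override it without editing the file.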

@seankelly any reason you used freebsd.isc.org here? it fails for me, while ftp.freebsd.org gets me further...

Member Author

It's what the service hosts have in their ezjail.conf.

Member Author

Going through ftp1..14.us.freebsd.org indicates freebsd.isc.org is the closest.


Right, the ezjail.conf that comes with 10.1 seems to have ftp.freebsd.org...
