see https://git.sr.ht/~dch/diy-jails/ for some background
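function jz --description 'Create (if needed) and attach to a hardened ZFS-backed FreeBSD jail'
  # Usage: jz <jailname>
  # see https://git.io/JfHOu and https://git.sr.ht/~dch/diy-jails/
  #
  # Requires on the host: sudo, zfs, jail(8), jls, jexec, tmux, sha512 and
  # rg (ripgrep with PCRE2, for -P). Every variable is declared with -l so the
  # function leaks nothing into the caller's shell (the original bare
  # `set local` line does not change scoping in fish).
  #
  # Returns 1 with a message on stderr when the name is missing or unsafe,
  # when the pool backing /jails cannot be found, or when the ZeroTier
  # interface carries no 6plane address. Otherwise returns the status of the
  # final sudo jexec / sudo jail command.
  if test (count $argv) -lt 1
    echo "usage: jz <jailname>" >&2
    return 1
  end
  set -l JAIL $argv[1]
  # The name is interpolated into dataset names, filesystem paths, the
  # hostname and the exec.* strings that jail(8) hands to /bin/sh on the host
  # as root, so only a conservative hostname-safe character set is accepted.
  if not string match -qr '^[a-z0-9][a-z0-9-]*$' -- $JAIL
    echo "jz: jail name may only contain lowercase letters, digits and '-' (got '$JAIL')" >&2
    return 1
  end
  set -l DOMAIN skunkwerks.at
  # find the zpool: everything lives under <pool>/jails, mounted at /jails
  set -l ZPOOL (zfs list -Ho name /jails 2>/dev/null | cut -f 1 -d /)
  if test -z "$ZPOOL"
    echo "jz: cannot determine the zpool backing /jails (does the directory exist on zfs?)" >&2
    return 1
  end
  # create the parent dataset / mountpoint if missing
  zfs list -Ho name $ZPOOL/jails > /dev/null 2>&1 \
    || sudo zfs create -o mountpoint=/jails -p $ZPOOL/jails
  # clone the pristine template if this jail has no dataset yet
  test -d /jails/$JAIL \
    || sudo zfs clone $ZPOOL/jails/templates/amd64-amd64-13.0-RELEASE@pristine $ZPOOL/jails/$JAIL
  # mount devfs in the jail if /dev is still empty
  test -c /jails/$JAIL/dev/null \
    || sudo mount -t devfs devfs /jails/$JAIL/dev
  # derive a hopefully non-clashing address from the first two bytes of
  # sha512(name): that is only 16 bits, so two jails can collide — the
  # config echo below shows the result if a start fails. Hash once, slice twice.
  set -l HASH (echo -n $JAIL | sha512)
  set -l IPA (echo $HASH | cut -c 1,2)
  set -l IPB (echo $HASH | cut -c 3,4)
  set -l IP6 $IPA$IPB
  set -l IP (printf "%d.%d" 0x$IPA 0x$IPB)
  # get the ZeroTier 6plane prefix; take only the first match so a multi-line
  # result cannot be joined into the alias string
  set -l IFACE zt1flo98dm17np8
  set -l SUBNET (ifconfig $IFACE inet6 | rg -Po 'fc\S+::' | uniq)[1]
  if test -z "$SUBNET"
    echo "jz: no fc…:: 6plane address found on $IFACE" >&2
    return 1
  end
  set -l ALIAS "$IFACE|$SUBNET$IP6"
  # display config, then attach to a running jail or create and start it
  echo name=$JAIL ip=$IP ip6=$IP6 iface=$IFACE subnet=$SUBNET alias=$ALIAS
  if jls -j $JAIL > /dev/null 2>&1
    sudo jexec $JAIL tmux -u new-session -DAs default
  else
    # -c create, -m modify if it already exists, -r remove when the command
    # exits, -v verbose.
    # Hardening: securelevel=3, no mounts beyond devfs/tmpfs, no sysvipc,
    # no chflags/mlock/quotas/msgbuf, no nested jails, cannot rename itself.
    # allow.raw_sockets and allow.reserved_ports are deliberately on.
    # allow.nounprivileged_proc_debug was commented out in the original; see
    # jail(8) before enabling it.
    # NOTE(review): exec.created/exec.poststop reference $ZPOOL/jailed/$JAIL
    # while the root dataset is $ZPOOL/jails/$JAIL — presumably a separate
    # delegated dataset; the `|| true` keeps start/stop working when it is
    # absent. The poststop line previously hard-coded the pool name
    # ("embiggen") instead of $ZPOOL.
    sudo jail -vcmr \
      name=$JAIL \
      path=/jails/$JAIL \
      exec.created="zfs jail $JAIL $ZPOOL/jailed/$JAIL || true" \
      exec.start="/bin/sh /etc/rc" \
      exec.poststop="zfs unjail $JAIL $ZPOOL/jailed/$JAIL || true" \
      host.domainname=$DOMAIN \
      host.hostid=0 \
      host.hostname=$JAIL.$DOMAIN \
      host.hostuuid=(cat /etc/hostid) \
      ip4.addr="lo1|100.64.$IP" \
      ip6.addr="$ALIAS" \
      allow.mount.devfs \
      allow.mount.nofdescfs \
      allow.mount.nolinprocfs \
      allow.mount.nonullfs \
      allow.mount.noprocfs \
      allow.mount.nozfs \
      allow.mount.tmpfs \
      allow.nochflags \
      allow.nomlock \
      allow.nomount \
      allow.noquotas \
      allow.noread_msgbuf \
      allow.nosocket_af \
      allow.nosysvipc \
      allow.novmm \
      allow.raw_sockets \
      allow.reserved_ports \
      allow.noset_hostname \
      children.max=0 \
      devfs_ruleset=4 \
      enforce_statfs=2 \
      osreldate=1300139 \
      osrelease=13.0-RELEASE \
      persist \
      securelevel=3 \
      sysvmsg=disable \
      sysvsem=disable \
      sysvshm=disable \
      command=/bin/sh -c "env -i TERM=$TERM tmux -u new-session -DAs default"
    # osreldate/osrelease must stay in sync with the template cloned above;
    # devfs_ruleset=4 is devfsrules_jail in the stock /etc/defaults/devfs.rules.
  end
end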