see https://git.sr.ht/~dch/diy-jails/ for some background
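function jr --description 'stop a jail started with jz and tear down its devfs/tmpfs mounts'
    # Usage: jr NAME
    # Sends TERM to every process in the jail, waits briefly, removes the
    # jail and then force-unmounts the per-jail tmpfs and devfs.
    if not set -q argv[1]
        echo "usage: jr JAIL" >&2
        return 2
    end
    set -l JAIL $argv[1]
    # Resolve the jail root from the running jail. If it is not running,
    # jls prints nothing; stop here rather than calling jail -r / umount -f
    # with a missing or stale path.
    set -l INSTANCE (jls -j $JAIL path 2>/dev/null)
    if test -z "$INSTANCE"
        echo "jr: jail '$JAIL' is not running" >&2
        return 1
    end
    pkill -TERM -j $JAIL
    # give processes a moment to exit cleanly before the jail is removed
    sleep 3
    doas jail -rv $JAIL
    # jz's exec.poststop already unmounts these; -f here covers the case
    # where that failed, e.g. because something still held the mount busy
    doas umount -f $INSTANCE/tmp
    doas umount -f $INSTANCE/dev
end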
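function jz --description 'create (if needed) and start a ZFS-backed jail, then attach a tmux session'
    # see https://git.io/JfHOu
    # Usage: jz NAME
    # NAME becomes a path component, a ZFS dataset name and a hostname, so
    # it is restricted to hostname-safe characters before anything is
    # created on disk or handed to zfs/jail.
    if not set -q argv[1]
        echo "usage: jz JAIL" >&2
        return 2
    end
    set -l JAIL $argv[1]
    if not string match -qr -- '^[A-Za-z0-9][A-Za-z0-9-]*$' $JAIL
        echo "jz: invalid jail name '$JAIL' (use letters, digits and '-')" >&2
        return 2
    end
    set -l MACH (sysctl -n hw.machine)
    set -l ARCH (sysctl -n hw.machine_arch)
    set -l DOMAIN skunkwerks.at
    set -l RELEASE 13.2-RELEASE
    set -l RELDATE 1302001
    set -l FLAVOUR $RELEASE-$MACH-$ARCH
    # the container: a clone of the per-flavour template snapshot
    set -l TEMPLATE /jails/templates/$FLAVOUR
    set -l INSTANCE /jails/instances/$FLAVOUR/$JAIL
    # find the zpool for jails and jailed datasets
    set -l ZPOOL (zfs list -Ho name /jails | cut -f 1 -d /)
    # create a /jailed dataset to contain optional per-jail jailable datasets
    # this can be located on an alternative zpool but must not be mountable
    zfs list -Ho name -d1 | grep /jailed\$ > /dev/null 2>&1 \
        || doas zfs create -o mountpoint=none -o canmount=off $ZPOOL/jailed
    # re-fetch after possible creation
    set -l JAILED (zfs list -Ho name -d1 | grep /jailed\$)
    # create mountpoint if missing
    zfs list -Ho name $ZPOOL/jails > /dev/null 2>&1 \
        || doas zfs create -o mountpoint=/jails -p $ZPOOL/jails
    # clone a template if missing
    test -d $INSTANCE \
        || doas zfs clone $ZPOOL$TEMPLATE@ready $ZPOOL$INSTANCE
    # add a softlink if missing
    test -L /jails/tags/$JAIL || ln -s $INSTANCE /jails/tags/$JAIL
    # derive a hopefully non-clashing IP address from the first two bytes
    # of the name's SHA-512; that is only 16 bits, so clashes between jails
    # are possible and are not detected here
    set -l HASH (echo -n $JAIL | sha512)
    set -l IPA (echo -n $HASH | cut -c 1,2)
    set -l IPB (echo -n $HASH | cut -c 3,4)
    set -l IP6 $IPA$IPB
    set -l IP (printf "%d.%d" 0x$IPA 0x$IPB)
    # get the zt 6plane
    set -l IFACE (ifconfig | sort -r | grep -Eo '^zt[a-z0-9]+' | head -1)
    set -l SUBNET (ifconfig $IFACE inet6 | rg -Po 'fc\S+::' | uniq)
    set -l ALIAS "$IFACE|$SUBNET$IP6"
    # display config and try to start it
    echo name=$JAIL ip=$IP ip6=$IP6 iface=$IFACE subnet=$SUBNET alias=$ALIAS
    if jls -j $JAIL > /dev/null 2>&1
        # already running: just attach to its tmux session
        doas jexec $JAIL tmux -u new-session -DAs default
    else
        # First start. devfs and tmpfs are mounted from exec.created and
        # unmounted again from exec.poststop. The tmpfs check looks at the
        # mount table, because `test -c` on a directory is always false and
        # would stack a fresh tmpfs on every start.
        # The jail is built with most allow.* capabilities switched off and
        # only raw_sockets, reserved_ports, mount and mount.zfs turned back
        # on. NOTE(review): allow.nosysvipc and the later allow.sysvipc=1
        # conflict; the later one is presumably what takes effect together
        # with sysvmsg/sysvsem=disable - confirm and drop the other.
        doas jail -vcmr \
            name=$JAIL \
            path=$INSTANCE \
            exec.created="zfs jail $JAIL $JAILED/$JAIL || true" \
            exec.created="test -c $INSTANCE/dev/null || mount -t devfs devfs $INSTANCE/dev" \
            exec.created="mount -t tmpfs | grep -q ' on $INSTANCE/tmp ' || mount -t tmpfs tmpfs $INSTANCE/tmp" \
            exec.start="/bin/sh /etc/rc" \
            exec.poststop="umount $INSTANCE/tmp" \
            exec.poststop="umount $INSTANCE/dev" \
            exec.poststop="logger -p info -t jz removed $JAIL" \
            host.domainname=$DOMAIN \
            host.hostid=0 \
            host.hostname=$JAIL.$DOMAIN \
            host.hostuuid=(uuidgen) \
            linux.osname="tag=www" \
            ip4.addr="lo1|100.64.$IP" \
            ip6.addr="$ALIAS" \
            allow.mount.nodevfs \
            allow.mount.nofdescfs \
            allow.mount.nolinprocfs \
            allow.mount.nonullfs \
            allow.mount.noprocfs \
            allow.mount.notmpfs \
            allow.nochflags \
            allow.nomlock \
            allow.noquotas \
            allow.noread_msgbuf \
            allow.nosocket_af \
            allow.nosysvipc \
            allow.raw_sockets \
            allow.reserved_ports \
            allow.sysvipc=1 \
            allow.noset_hostname \
            children.max=0 \
            osreldate=$RELDATE \
            osrelease=$RELEASE \
            persist \
            sysvmsg=disable \
            sysvsem=disable \
            devfs_ruleset=4 \
            enforce_statfs=1 \
            securelevel=2 \
            allow.mount.zfs \
            allow.mount \
            command=/bin/sh -c "env -i TERM=$TERM tmux -u new-session -DAs default"
    end
    # alternatives kept from the original for reference:
    # command=/bin/sh
    # allow.nounprivileged_proc_debug \
    # allow.novmm \
end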
post jails call