Run salt-minion in a Jailed Boot Environment on FreeBSD

be-minion-jail.sh

#!/bin/sh

# Usage:

# First create a boot-environment with bectl:
#   bectl create NAME

# Then run this script:
#   be-minion-jail.sh BE-NAME

if [ -z "$1" ]; then
  echo "BE NAME required"
  exit 1
fi

# Stop the salt-minion service on host.
service salt_minion stop

# Build paths for the jail directory and conf file.
JAIL_PATH="/tmp/salt/$1"
CONF_PATH="/tmp/salt/$1.conf"

# Mount the boot-environment 
mkdir -p "$JAIL_PATH"
bectl mount "$1" "$JAIL_PATH"

# Create a temporary `jail.conf`
cat > "$CONF_PATH" <<EOF
$1 {
  exec.clean;
  mount.devfs; # ensure that `ps` and `service salt_minion status` work
  ip4=inherit; # allow minion to connect to master running on localhost
  persist;
  host.hostname="$1";
  path="$JAIL_PATH";
}
EOF

# Create the jail from mounted BE
jail -c -f "$CONF_PATH"

# Start salt-minion inside the jail
jexec -n "$1" service salt_minion start

# All jobs performed by the minion will only affect 
# the boot-environment.

# Once salt finishes, run the accompanying script
#   be-minion-unjail.sh NAME

be-minion-unjail.sh

#!/bin/sh

# Usage:
# be-minion-unjail.sh BE-NAME

if [ -z "$1" ]; then
  echo "BE NAME required"
  exit 1
fi

# Stop the salt-minion running inside 
# the jailed boot-environment
jexec -n "$1" service salt_minion stop

# Stop the jail
jail -r "$1"

# Unmount the boot-environment
# Using "-f" for now as unmount complains
# that the device is busy.
umount -f "/tmp/salt/$1"

# Start the salt-minion service on host
service salt_minion start

# We are back to usual working environment

# Now you can run `bectl activate -t NAME`
# If everything worked and the system booted fine, run 
#   bectl activate NAME
# to make the change permanent.

# If things went sideways, reboot the system and it 
# will boot back into the previous working environment.
# Now you can dissect the BE or destroy it and start over.