Managing Jails with Ansible


Formal Metadata

Title: Managing Jails with Ansible
Subtitle: A showcase for building a container infrastructure on FreeBSD
Number of Parts: 34
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract

Nowadays, container technologies like Docker are the first thing you hear when the question of how to deploy and manage (micro)services comes up. However, FreeBSD already has many features out of the box that can be used to implement many of the desired characteristics, but there is still a need for glue code to integrate them into a complete solution. Ansible is a powerful configuration automation and management system with a relatively small set of initial requirements. It mostly uses Python and SSH, the latter of which is needed in most cases anyway to manage the systems remotely. This means that not only is the overhead comparatively low, but it also does not have too many dependencies that will break over time with things like new software releases. Utilizing the flexible template engine and the already available modules to manage features like ZFS, the firewall and jail.conf, we will be able to automatically deploy a system that includes:

- creating read-only templates for service jails
- configuring the network
- configuring the firewall
- creating (multiple) running service jails from these templates
- duplicating jails
- scripting the upgrade and restart of the base and service jails

With that, the talk will show how to host multiple managed, partly customized applications for multiple distinct user groups with minimal overhead for managing updates and the setup of new instances.
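As an added example (not the talk's playbook or Jinja2 template), the Python below renders a jail.conf from the same kind of jail list the playbook carries, including the ZFS-delegation settings the talk describes later (allow.mount, allow.mount.zfs, enforce_statfs and a zfs jail command in exec.created). The talk's template writes extra parameters through unchecked; this version adds a parameter allow-list and quoting so a value cannot terminate the statement and smuggle in further jail(8) parameters. Dataset names, paths, the interface and the addresses are constructed.

```python
"""Render a jail.conf from a jail inventory (constructed example)."""
import re

# jail(8) parameters this example will emit. The talk's template accepts any
# key from the jail's parameter dict; this allow-list is the added check
# (assumption: it covers what a simple service-jail playbook needs).
KNOWN_PARAMS = {
    "path", "host.hostname", "ip4.addr", "interface", "mount.devfs",
    "devfs_ruleset", "exec.start", "exec.stop", "exec.created", "exec.clean",
    "allow.mount", "allow.mount.zfs", "enforce_statfs", "persist",
}
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def jc_value(value):
    """Format one parameter value for jail.conf.

    Integers are emitted bare. Strings are double-quoted with backslash and
    double-quote escaped, so a value like  x"; allow.raw_sockets; y = "
    stays one string instead of becoming extra statements. Control characters
    are rejected outright.
    """
    if isinstance(value, bool):
        raise TypeError("booleans are rendered as bare flags, not values")
    if isinstance(value, int):
        return str(value)
    s = str(value)
    if any(ord(c) < 0x20 or c == "\x7f" for c in s):
        raise ValueError("control character in jail.conf value: %r" % s)
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_jail(name, params):
    """Render one `name { ... }` block; unknown keys or bad names raise."""
    if not NAME_RE.match(name):
        raise ValueError("bad jail name: %r" % name)
    lines = ["%s {" % name]
    for key in sorted(params):
        if key not in KNOWN_PARAMS:
            raise ValueError("unknown jail parameter %r for %s" % (key, name))
        value = params[key]
        if value is True:
            lines.append("    %s;" % key)      # boolean flag, e.g. allow.mount;
        elif value is False:
            continue                            # jail(8) default is off anyway
        else:
            lines.append("    %s = %s;" % (key, jc_value(value)))
    lines.append("}")
    return "\n".join(lines)


def render_jail_conf(jails, defaults):
    """Render global defaults followed by one block per jail.

    `jails` is a list of {"name": ..., "params": {...}} like the playbook's
    jail list; `defaults` may use jail.conf variables such as $name.
    """
    header = ["# generated by the playbook, do not edit by hand"]
    for key in sorted(defaults):
        if key not in KNOWN_PARAMS:
            raise ValueError("unknown default parameter %r" % key)
        value = defaults[key]
        if value is True:
            header.append("%s;" % key)
        elif value is not False:
            header.append("%s = %s;" % (key, jc_value(value)))
    blocks = [render_jail(j["name"], j.get("params", {})) for j in jails]
    return "\n".join(header + [""] + blocks) + "\n"


# Constructed sample data, not the talk's values.
DEFAULTS = {
    "path": "/srv/jails/$name",
    "host.hostname": "$name",
    "interface": "vtnet0",
    "exec.start": "/bin/sh /etc/rc",
    "exec.stop": "/bin/sh /etc/rc.shutdown",
    "exec.clean": True,
    "mount.devfs": True,
}
JAILS = [
    {"name": "test3", "params": {"ip4.addr": "192.0.2.10"}},
    {"name": "clone1", "params": {
        "ip4.addr": "192.0.2.11",
        # Delegated dataset: relax the mount restrictions and jail the
        # dataset before rc starts, as the talk describes for its clone.
        "allow.mount": True,
        "allow.mount.zfs": True,
        "enforce_statfs": 1,
        "exec.created": "zfs jail $name tank/srv/data/clone1",
    }},
]

if __name__ == "__main__":
    print(render_jail_conf(JAILS, DEFAULTS))
```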
Transcript (English, auto-generated)
As you've probably seen in the schedule, it's about managing jails with Ansible.
Hands up. Who of you does not know what jails are and what they're used for? Okay, so I'll leave. I'll not talk about that then. About me, I'm a sysadmin. I've been using mostly Linux in the last 20-22 years, something like that.
So forgive me if some of the paths that I have been choosing for the demonstration part might be slightly strange for FreeBSD users. Please don't hang me or anything about it for that.
You can just recover it. That's fine. So I'm relatively new to FreeBSD compared. I mean, it's like about five years or something like that. I mean, it has been some time, but it's still compared. It's not that much.
So the first question that I got in the past is why the hell would you want to do the jail management bare metal with just Ansible? There are that many other ways to do that.
I mean, one of the things that I hear, yeah, there is tool X that can already do that for any number of tools X. Well, yes, they can do that. They might not always do what you want to do.
Yeah, so yes, of course, there is that argument. I hope it's not only not-invented-here syndrome that I tried to do that. One thing that I heard about from FreeBSD people against Ansible is that you suddenly have Python as a dependency.
Well, personally, I don't care because I'm using Ansible to manage most of my machines anyway, regardless of how I set up the jails first. So this dependency is already there for me. And if you're using iocage, you also have Python as a dependency.
So I don't really see that as a problem. The other thing that you hear is that it's complicated. I've heard that when I started to use FreeBSD, don't try to do jails bare metal.
It's just much too complicated. Choose one of the benchmark tools that it will work. No, we're at the contrast. I'm not necessarily saying that's true. As you might see, it's not that complicated. I mean, yes, it gets complicated if you want to do more complex things at some point.
Having some management tool. You also hear other things. On the other hand, why am I going to do that? I'm already using Ansible to set up most of the other stuff, so I'm quite comfortable with it.
I already have all the dependencies that it brings with it. So it doesn't add extra dependencies, at least not for me. That might be different for other people. Just for that reason, I already have Python as a dependency. Also, I'm using quite a few other Python applications anyway.
So I don't see that as a negative thing. It's also Python has the advantage for me that I'm relatively fluent in it. So it's relatively easy for me to do stuff with it. And the last part is one of the important things for me, why I started that.
If you try really to put together all the stuff, you start at some point to get to know better what is actually going on. It doesn't mean that you have to do that always.
Personally, I also use iocage for some installations. It's not bad, it works. I had some problems when upgrading to FreeBSD 12, but otherwise I'm quite comfortable with it. That's really not an issue, but I still wanted to do that.
Well, there are probably quite a few other things that you could say. So what building blocks do we have that we need for that? Well, obviously we're going to need FreeBSD, otherwise doing FreeBSD jails will be a bit hard.
Well, the jail command and its man page is a quite good source where you can actually find what can you actually configure in the jails conf. Sorry, jail conf, not jails conf. So you're going to need that.
I have been using quite a bit of the features of ZFS, actually. I mean, yes, you could probably do it without. For my use cases, I don't see why I should. I have enough resources on the machines that... Of course, if you have 128 MB of RAM, you probably won't do that, but otherwise...
Obviously, there is SSH, because Ansible uses that for remote communication. You have Python, and you have one dependency that's a bit strange to me. I didn't find out why yet, but for some reason Ansible insists on having GNU tar for extracting archives.
Don't expect exactly why. I was not able to go through the code, why they're insisting on it,
but it throws errors if you try to use the BSD tar, and it really complains about it. I have no idea. There are a few Ansible modules that are quite useful for that.
For bootstrapping the whole thing, you first... The thing is, if you start with Ansible on the target host, you will have to have Python installed there. The raw module lets you do that, so you can actually use Ansible to install Python on the target machine.
Yes, you could also do it by hand. I find it convenient if I can do it that way. Well, pkgng, zfs, the pkgng module, zfs, get_url to actually get the files that we want to install,
and then unpacking it, some templating to generate config files, creating some empty files, controlling some services, and sometimes I need to run manual commands. For example, the service module is not completely up to the task yet.
I have to see if I can patch that. I'm also showing some trickery with dynamic inventory. There is also a nice thing.
There is actually a connection plugin, so that you can actually remotely manage the jails without having to have SSH in them. So it basically uses jexec, but you don't have to script that by hand, which is quite useful. You just say, well, the connection is that, and then it's the same like with any other host you're going to use.
Sorry, any quick questions? Because I'm using the jail connector, but you have to be root and you have to be on the same host. This one does SSH.
You could probably use the built-in jail connector with delegates. I haven't tried that. I mean, it should be possible, but I think it gets messy. This one, I mean, it's a third party, but it seems to work quite fine. So that's the reason why I put it up there.
Yeah, putting it together, that's basically the configuration that I have for the first jail. I'll just cut it off a bit here, because the paths were getting too long, but it's just on the path to the Python interpreter.
And then there are some SHA-512 sums, because we're downloading stuff that we're actually afterwards installing. So I want to be sure that it's actually what I think I'm installing, but there has been no trickery.
And a relatively simple configuration for a jail, but as it is there, it doesn't really do that much. So the steps, I'll have a demonstration and then show you the code as well.
So in principle, the steps are quite simple. I mean, first you prepare the host. Then we're setting up a few ZFS data sets where we actually want to put the jails.
Download all the other versions of FreeBSD you want to install. To be fair, I've only tested 11.2 and 12.0. 11.2 for historical reasons, because I actually started the whole project before 12.0 was released.
So I didn't try any older versions. There might be some things I don't catch with them. It's quite simple, you just extract it. Next thing, you apply some configuration, so I also have it in there that I automatically call FreeBSD update,
because I'm building a new jail, so I actually want to have security updates applied. Create a few files that we need to create, and then call the template for our jail.conf.
There is an error in the slides. Then afterwards, I'm going to start the jails, install Python in the jails so that we can actually manage the jails themselves afterwards.
I'm going to have a small demo. Yeah, is that better?
Yeah, I mean the shop for 12 subs can go up a bit now, but it's not really. So here you have the configuration. Yeah, the name server fits for the network where my test machine is there.
So just installing a few packages. I have htop in there, because I used it while debugging, grading, and that was what I said. I mean, slash srv is probably a bit Linux-y, but I don't care.
You can use everything else. I hardcoded these paths, because while for my use cases it was fine, and it just increases complexity if I add that there. Yeah, creating a few datasets.
Yeah, for the jails themselves, actually I also set quotas. You can set most ZFS properties here. The module is quite flexible in that way. The disadvantage is it cannot really tell you before it tries to apply stuff if it's going to work or not,
because it just simply doesn't know. On the other hand, that way you can set whatever you want, and it doesn't have to know if it's ZFS on Linux, if it's FreeBSD 8, if it's FreeBSD 12, what kind of features they have.
It's just a dictionary, and it just says, well, you're trying to apply this property with this value, and it sets it. Yeah, downloading, extracting.
I have a little template for resolv.conf that's not that interesting. Yeah, they're just creating empty files for now. Yeah, they're just calling FreeBSD update from the host,
because I actually want to do that before first actually starting the jail. Yeah, there. I tell it that, yeah, actually we should start jails on boot, and then I have this.
I'll show you the template. Interesting. That's the demo. It does the host.
That's one demo shell. It's a relatively simple playbook. That's also the reason why I put the configuration variables directly in the playbook. I wouldn't do that for a productive one. Obviously, I would probably put them in host_vars, for example,
the configuration for the different jail hosts. I didn't do that here, because it's just simpler to show you if it's just one file. It's too abstract, right? Yeah, it's just, I took out the abstraction here, because it's just,
I thought it was a bit easier to show you. And then here we have some, well, it's as simple or not a change of template. That's probably up to the reader.
The disadvantage of doing it that way is that I'm mostly directly putting in the stuff, so it doesn't really check the values. The way I'm doing it here, it's really flexible, but it doesn't prevent you from shooting yourself in the foot.
That's just for the jails. You can have whatever settings. There is just, if you remember in the variables, there is this extra parameter. The parameters, it just directly puts them in there.
That's something I'll show you later. With the SSH jail connector, you don't need SSH in every jail? Yes. I don't have SSH enabled in the jails at the moment. It gets even more important, because the project I started is all for.
My idea is actually to not have IP connectivity in the jail. So SSH can be a bit of a problem if you don't have IP. You're not trying IP.
Yeah, I could probably do it, but you know. Just starting up the jails. Then I'm going to install Python. I did all my testings with Python 3.6. The SSH jail connector actually tells you to use Python 2.7.
I didn't run into any problems using 3.6, and I don't want to do any new projects with 2.7 anymore. And here I have a little trick. I'm collecting, because I didn't want to have two lists of jails.
I'm collecting all the jails I have in my list. In this case it's only one, but I'm collecting them and dynamically adding them to the inventory. And here you see the configuration for the SSH jail connector.
Where you basically have jail name, add, and then the SSH host. That's just the syntax they use. And then I set the Ansible connection module for that host.
Just as simple as that. And there I have a second playbook in there that afterwards does some changes in the jails. Obviously I could just do them, I mean it's mostly of that. It's file editing, I could have done that from the host as well, but it was just so I can show that.
It seems to be the nearest syntax with items. It just loops over the list.
Because if I go up here, as you can see, jails is a list. I mean it currently only has one entry because I thought that was enough for the demo. But if I'm going to run that...
So the other thing is I'm currently using su here for become.
Most productive cases I actually use sudo because I think it's a bit more convenient. But otherwise it's probably, you can do a bit more with it.
I just, in this case, I really minimized what I needed to install. Where is the host that we're running this on? That's in Vienna in the data center. It's a virtual machine. So we have a bit of a downtime with the connections here.
So that should have been downloaded.
I can make sure I delete it. Well it has a gigabit connection to the internet because it's downloading it on the host. So I can do that for the fun of it, why not?
It's a test machine so I'm quite open to just stopping and deleting things.
So what I wanted to do in this case was really not having to copy the data from my local machine. That's the reason why I used get_url, because it saves me from having to upload it from a DSL connection.
Or I mean, worst case, I'm on some mobile connection that's more or less... Now it's just, I have a slight idea.
Yeah, it's a virtual machine so the boot time is relative. Otherwise I wouldn't have typed reboot during a...
Destroy the whole data set so there will be nothing in there. Really will be downloading everything.
So it's also the machine, the virtualization host that I'm using is not the fastest one. So that also costs us some time here. It's only my personal machine.
Yes, yes, yes, of course. But I mean, Ansible does by default if you don't configure it otherwise. But I'm using it otherwise as well.
Okay, now I'm doing that with, what was it, 2.7 I think. So relatively recent. I found that it really pays to keep your playbooks comfortable with a current version because the improvements over time have been quite a bit.
So I think I started with 1.7 or something some years ago. But you see in the first data set it's not that bad. The download times. I'm not sure how much of that was actually checking the checksum.
So, I mean, I can also upload the test playbooks that I have. There's nothing secret in there.
So, yeah, that takes some time because this abuse of the test. While this is running, the reason I'm interested in this is I'm looking at getting away from the Lmanages altogether. At the moment, the way I solve my problems is I give everyone an SSH connection.
And I have a super user that can SSH in with sudo access. If I can get it out through the host, that collapses a whole lot of stuff into one. Now that SSH is connected, you can also configure which users are involved there.
So, that's quite flexible. And, I mean, it somewhat solves some problems also. I mean, yes, because otherwise you have to configure jump hosts and stuff like that if you don't have the public IP for every jail. Which, well, I don't. At least not for me.
Yeah? Yeah, we have the same issue. And with a lot of jails on one host, you run out of ideas. And we just started deploying IPv6 for all the jails. That's not a bad idea anyway, but... Very convenient. And saved us a lot of headaches.
No, but in this case it's also, to some degree for me actually, to just also reduce the attack surface. Because, I mean, every service that's not running out there cannot be attacked. Yes, we firewall SSH anyway for all the noise.
It's just that it's a bit more convenient for me to use it there. I found, I was actually, a colleague actually mentioned that to me, that it's out there.
And I said, okay, yeah, that looks nice. Why not use that? As you can see, the 5 gigabytes of quota are quite arbitrary. It's just... What I didn't pack in that tutorial here, what I didn't pack in here is
obviously, if you do it productively, you might want to do firewalling and stuff like that. I don't have that in here yet. I mean, it adds some configuration, but it's not that bad.
So also, for example, I mean things like, I don't want to run sendmail on my jails. I don't really want to run sendmail anyway, but... If I can help it, I don't want to run an email server.
But I do anyway. So now it's done. One thing I've currently, you might have seen that my call is a bit longer. I so far didn't install the SSH jail connector globally.
That's the reason why I'm giving it here, I'm just giving the path. Because if I don't do that, it will just say, well, sorry, but I can't find the connection plug-in you're trying to use. It's not there, go away.
So, what was that in the demo? So some small things that I did.
As I said, in production it's probably a better idea to do that before starting the jail. So I can also show, it's quite easy to just run it from the host. So you don't have to necessarily SSH into your jail.
I'm not super clear on your first point there. I saw your block of code in the playbook to use add host module for adding the jails into the inventory. I'm not racking my head around what's going on there.
So if you executed Ansible, you were using the API host. What did I do? I only have, for convenience reasons in this case, I only have my physical but virtual host in the host's inventory, in the fixed one.
Because I didn't want to have two places where I have to define my jails. So that's the reason why I dynamically add them. Obviously you could do that in your host's file or you could use some other dynamic inventory that does it via database or whatever you fancy.
Ansible is quite flexible in that way. That's just the reason why I collected them there. Was that I'd only have one place where I have to define them.
As simple as that. I collapsed these two demos. The other thing that I did, which I think is also quite useful and that's the end result that I'm also trying to use in production.
Is to configure my applications. I have a few use cases where I wanted to have multiple copies, tens and twenties and probably a hundred copies of the same web application running.
But for each customer having its own jail. Because I somewhat don't trust PHP applications if it comes to user isolation. I might be paranoid, I don't know.
So that's the reason why I jailed them off. The idea behind that is slightly more advanced. I say OK, I have my copy, I have my more or less preconfigured application jail.
I'll just do a ZFS clone because we have it, why not use it. Then have for the application data create a data set.
Reason behind keeping that separate is that if I want to update the application, I just want to throw away the old jails. And then reattach the data to the new ones.
Yeah, re-create jail.conf of course again. And then do some configuration in jail for example, setting a mount point for my data set. So I'll just have the demo 2.
So here we have a new point in the configuration where we have the old jails. That again says what do we want to clone.
I have for the second data set that has its own quota. Since it shouldn't change anything, I have a relatively low quota here. And some things that are, well of course the cloning, I'll have the data data set.
And here I'll just delegate, I'm going to delegate that to the jail so it can be managed within the jail. I can have some data sets and everything, I can do that in the jail.
Again, and then I'll show you in a minute the second part of the jail.conf which is actually where that happens. Yeah, I mean that's the same as before. In this case, in the configuration I'm going to set for the data, for the initial data set, I'll set the mount point.
And then I'll just, for showing that it's possible, we're going to create a data set within the jail.
And here the second part, that's the second loop. So obviously if I want to mount a ZFS in the jail, I have to relax a few security settings.
Because, well, otherwise it won't allow mounting. So I'm allowing this, which seems to be necessary according to every documentation I've read. And then I'm just, I'm jailing the data set.
I'm running that here on created which is before the init script is going to be started.
Because obviously I want to have it mounted at that point. And here, yeah, it's the same as above. And this data set is just something for the user within there to do their own stuff?
Yeah, I mean my use case in this, my first use case for that is Nextcloud. So they're going to put some data in there. And yeah, of course I could also nullfs mount it into it, but I find it a bit more convenient because it's more flexible.
It's also a bit more convenient because it's actually possible within the jail to correctly guess how much space is actually left there. Which is a bit tricky with the nullfs mount. It runs out of disk space without the user being warned about it, which is inconvenient.
Because they start complaining when it doesn't work. And I can't even say to them what they should have locked.
I should probably create the snapshot that it tries to clone.
Because I really deleted the whole, I really recursively deleted the whole data set before. So obviously the snapshot it tries to clone is not there.
Obviously I've been thinking about if I want to use ZFS send and receive. Probably somewhere, I'm not sure, but the clone works just fine for me at the moment.
It took some debugging and one problem is a bit that if you do more complex, my experience is that if you do more complex templates,
it sometimes is a bit hard to debug because the error messages that Ansible gives you if there is an error in your template are at least to me not always clear.
So if we go to, that's the test machine again. We now have two jails running, I have the test three jail and the clone one jail.
We go into the jail. You can also see the data set there. So that works reasonably well.
Obviously the more you want to do, the more work it is. One of the advantages for me of having less dependencies is also that you're not going to run into problems when upgrading or when you're using some strange platform,
because for example I'm also interested in Power9, so there is always, well no, the other stuff might not be that tested there. Also with iocage I ran into some serious trouble when upgrading,
because at the point I was upgrading to 12.0, shortly after the release the version in packages of iocage was not yet compatible to FreeBSD 12, which was inconvenient.
So, I'm a bit fast I think. So some further reading. The second entry is actually, it's a bit hard to read I think, but I'll upload the slides,
was actually the presentation that inspired me to try this. It was a presentation by a colleague in the local BSD user group in Austria, in Vienna, and he was just showing it to us.
I'll upload the slides, I think that's easier. So it showed us, it's a bit dated by now because it was done for 11.2. The first one is also a bit dated, so it still is valid,
but for a few things you have to look at it, because things like SysV IPC for example changed, as Michael Lucas already mentioned in his talk, so be careful with references, I usually try to also check in the man page,
if I find anything in an example, I usually look up in the man page and say, what is that actually supposed to do, if that's still current? If you use it that way it's quite useful.
I've also linked the SSH jail connector there. So far, are there any questions?
I'm not sure, probably five years ago, it was one seven I think, please don't, I'm not completely sure, but it must have been something like that.
In your daily work do you have to work with jails, or how did you start to learn this? To be fair, in my daily paid work at the moment, it's mostly Linux, and I also managed Windows machines with Ansible, even before they had proper Windows support,
because if you install an SSH server it was possible even before that. So we did that as well. I'm managing Raspberry Pis with it that run Linux, I'm also using it to adapt and generate SD card images for the Raspberry Pi,
so I'm starting up the Raspberry Pi image on the local machine with QEMU static emulation, running the operating system, and then adapting it and then putting everything together and producing an image, and stuff like that.
So I do like it. I mean, yes, Ansible, I'm aware it's probably not the fastest method of all the configuration management tools out there. It also has a bit of a disadvantage against things like
Puppet, for example, because it doesn't really do transactions, so if any of the operations fail, it can't really do an automatic rollback, which you have to keep in mind.
It also has advantages though. Yeah, of course. For me, one of the advantages is that it's relatively fast to get going. It gets more complicated over time, but it doesn't have a really high entry barrier,
which I think is quite useful. Are there any issues managing users and groups on FreeBSD? I have not done that. The question was if I ran into any issues managing users and groups on FreeBSD. Not so far, but there might be use cases where I have,
I mean, to be fair, most of my experience is on Linux, so... I'm doing small to BSD machines. Okay, so... I'm just wondering how it leads,
because I know it doesn't get as much exposure as Linux. Yeah, all right. A lot of it is actually shell changes, where we want to set it to a full shell and then be able to do overrides. We've turned it on a million times out of ten,
but it doesn't do what we think it should be doing. I'm not sure, still, if there's data that we've screwed up, or it's just buggy code, or... To be fair, I don't usually, for most systems,
I don't explicitly set a shell for the user, I just leave the defaults for the system. The reason behind that, in my case, is that I'm sometimes using the same definitions across multiple systems, and since the paths between Linux and the BSDs are different, I'll just leave the defaults and tell the users,
if you want to change it, change it. And they just have to change the shells themselves, if they want to. That's the lazy way I'm doing it, because I just didn't want to have this list with,
well, if it's this operating system, please use that path, and if it's that operating system, please use that path. And then I also have to keep a list of which user wants to use which shell, because I have users with different preferences. So I just told them, well, it's going to be /bin/sh, and if you don't like that,
which most users as an interactive shell probably don't, please change it. Not yet, but I can publish it, it's not a problem.
Because I've got to find a better way of doing the jail management, not just the jail internals. At the moment, I'm only managing the jail internals, treating it as a host, not as a jail. That's mostly my point of view.
I looked at BSDploy, or something like that, a few months ago, but didn't do anything with it, and I don't recall why. I'm not sure, I looked at it also some time ago, but I'm not sure why I didn't do that. I don't know either.
I'm not completely sure, it has been some time ago, and it slipped my mind. Olivier is keen on it, I'm keen on it, and I'm sure we'll get other people to help. I can publish what I have, it's not that sophisticated yet, because I didn't get around to actually finishing
the productive code that I want to use, so I mostly have demos at the moment. I'm sure you'll get contributors quickly. I think BSDploy has a dependency on ezjail, and it didn't work with anything else. Yeah, it seems difficult, something like that,
and I won't go with ezjail, because it's not maintained anymore. It is maintained, but not as people might wish, I think. It doesn't support jail.conf, but that wasn't an issue, because the whole jail.conf is mandatory thing
was all that, right? Confirmed, I found ezjail, and the engine is obvious. Yes, there are core strengths. And that's what I want to get away from, a jail manager, and that's why I'm keen on your stuff. For me, the first reason why I started it
was actually to learn how it internally works, but it seems to be quite useful. It's really not that hard. Yes, you should know what you're doing, but I found over the years that it's usually a good idea anyway.
There is quite a nice tool called jailmanage. It's a shell script, but it just wraps around freebsd-update, and jexec, and things like that. Is it online? Where is jailmanage? Jailmanage. It's by a guy named Matt Syverson.
Yeah, I found it. First hit on Google. Okay. Any other questions, comments? I don't see any hands.