author: User Mms <mms@voyager.local> 2024-10-29 22:03:21 +0100
committer: User Mms <mms@voyager.local> 2024-10-29 22:03:21 +0100
commit: 7a78a9ddadc0317b10859feeaf800cc9632997da (patch)
tree: ad8d4ffbb97376a481c47da430c62fcb3a7fb5fe
parent: ef4c5e0e53ff416dae73461fd87c4b97024035de (diff)
feat: ruben & jail
-rw-r--r-- content-org/blog.org | 15
-rw-r--r-- content-org/bsd.org | 36
-rw-r--r-- content/blog/2024/re-michal-sapkas-new-home.md | 31
-rw-r--r-- content/bsd/freebsd-homelab/dhcp-vnet-jail.md | 199
4 files changed, 259 insertions, 22 deletions
diff --git a/content-org/blog.org b/content-org/blog.org
index b8df87c..8596c37 100644
--- a/content-org/blog.org
+++ b/content-org/blog.org
@@ -8,7 +8,7 @@
#+HUGO_SECTION: blog
-* 2024 [87/90] :@blog:
+* 2024 [88/90] :@blog:
:PROPERTIES:
:EXPORT_HUGO_SECTION: blog/2024
:EXPORT_HUGO_CUSTOM_FRONT_MATTER+: :image_dir "blog/images" :image_max_width 600
@@ -122,7 +122,8 @@ It's small annoyance, but it shows the general direction.
Microsoft GitHub is still not near the biggest sin an Open Source can commit when it comes to cooperation (that crown still goes to using Discord), but it's far from being "Open".
-** TODO RE: Michał Sapka’s new home
+** DONE RE: Michał Sapka’s new home
+CLOSED: [2024-10-29 Tue 21:13]
:PROPERTIES:
:EXPORT_FILE_NAME: re-michal-sapkas-new-home
:EXPORT_HUGO_CUSTOM_FRONT_MATTER+: :Abstract Reply to Ruben's post
@@ -132,21 +133,21 @@ Microsoft GitHub is still not near the biggest sin an Open Source can commit whe
If you read this site regularly, you may have noticed that I mention Rubenerd from time to time.
Actually, I do it all the time.
-But this time, Ruben made me a bday surpriday and [[https://rubenerd.com/michal-sapkas-new-home/][wrote about me]].
+But this time, Ruben made me a bday surprise and [[https://rubenerd.com/michal-sapkas-new-home/][wrote about me]].
This post is a small reply.
Yes, I am merging all my sites into one, once again.
While it was cool to have 6 pages, the real question was: do I want multiple mediocre ones, or one ok-ish?
-Looking at this from this point, it makes sense.
+Looking at this from this point, reunification makes sense.
-I changed the domains becasue I moves the site to my homelab and having DDNS on my mail domain seemed scary.
-Most likely nothing bad woudld happen, but better safe then sorry.
+I changed the domains because I moved the site to my homelab and having DDNS on my mail domain seemed scary.
+Most likely nothing bad would happen, but better safe then sorry.
Plus, "Crys Site" is a wordplay and no one has yet guessed it.
The merging project is still in progress, as I am fixing some outstanding bugs.
I love toying with this site, even if no one cares ;-)
-Ruben, you are a wonderful human being and creator of my favorite blog out there.
+Ruben, you are a wonderful human being and the creator of my favorite blog out there.
** DONE Bezos's fortune is too big to care about you
CLOSED: [2024-10-26 Sat 21:17]
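Review bot: the typo pass on these lines leaves one in place: "Most likely nothing bad would happen, but better safe then sorry." should read "better safe than sorry" (it is exported verbatim into the Markdown further down). "Looking at this from this point, reunification makes sense." is still awkward; "Looking at it that way, reunification makes sense." says the same thing.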
diff --git a/content-org/bsd.org b/content-org/bsd.org
index 37cec90..379391f 100644
--- a/content-org/bsd.org
+++ b/content-org/bsd.org
@@ -1403,8 +1403,8 @@ Monkey Island 2 running on ScummVM
:EXPORT_HUGO_SECTION: bsd/freebsd-homelab
:END:
-*** DONE Template for jail with external IP assigned via DHCP
-CLOSED: [2024-10-27 Sun 20:11]
+*** DONE Template for jail with an external IP assigned via DHCP
+CLOSED: [2024-10-29 Tue 22:03]
:PROPERTIES:
:EXPORT_FILE_NAME: dhcp-vnet-jail
:EXPORT_HUGO_CUSTOM_FRONT_MATTER+: :abstract Running old adventure games
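Review bot: the unchanged property line `:EXPORT_HUGO_CUSTOM_FRONT_MATTER+: :abstract Running old adventure games` belongs to the ScummVM/Monkey Island entry this hunk sits under, not to a jail template, and it is exported unchanged as the new post's `abstract`. Suggest something like `:abstract A jail.conf template for vnet jails that get their IP via DHCP` while the heading is being touched.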
@@ -1418,17 +1418,14 @@ What I want is to have jails with:
- IPs are assigned via DHCP server
- I am able to access files outside if the jails
-I was able to achieve most of this by following [[https://docs.freebsd.org/en/books/handbook/jails/][FreeBSD handbook]], [[https://rubenerd.com/starting-with-freebsd-jails/][Rubenerd's post]], and [[https://wiki.freebsd.org/Jails][FreeBSD Wiki]], but I also received some help from different indiduals whose names I can't recall.
+I was able to achieve most of this by following [[https://docs.freebsd.org/en/books/handbook/jails/][FreeBSD handbook]], [[https://rubenerd.com/starting-with-freebsd-jails/][Rubenerd's post]], and [[https://wiki.freebsd.org/Jails][FreeBSD Wiki]], but I also received some help from different individuals whose names I can't recall.
I use classic jails created from ZFS snapshots, but (as to the best of my knowledge), any jail will work with the following configuration.
Unless specified, all code here goes to =/etc/jails.conf=.
-Note, that any configuration outside jail definition, will also apply to all jails.
-For example for this structure:
-
#+begin_src shell
config1;
-
+
jail1 {
config2;
}
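Review bot: deleting "Note, that any configuration outside jail definition, will also apply to all jails. For example for this structure:" leaves the `config1` / `jail1` / `jail2` listing and the later sentence "jail1 gets configured with =config1= and =config2=..." without the statement they illustrate; keep a one-line lead such as "Any setting placed outside a jail block applies to every jail; for example:". Two smaller points on the same lines: the file is called `/etc/jails.conf` here but `jail.conf` everywhere else in the post, and jail(8) reads `/etc/jail.conf` by default, so drop the "s"; and the unchanged bullet "I am able to access files outside if the jails" should be "outside of the jails".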
@@ -1444,7 +1441,7 @@ jail1 gets configured with =config1= and =config2=, while jail2 gets =config1= a
First, we start with standard configuration regarding starting, stopping and logging.
Notice the =#{name}=.
-It's a variable which fill be filled the name of the jail.
+It's a variable which fill be filled with the name of the jail.
#+begin_src shell
# STARTUP/LOGGING
exec.clean;
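Review bot: "Notice the =#{name}=." does not match the code directly below, which uses `${name}` (jail.conf variables are `$name` / `${name}`), and the corrected line still says "fill be filled". Suggest: "Notice the =${name}=. It's a variable which will be filled with the name of the jail."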
@@ -1453,8 +1450,8 @@ It's a variable which fill be filled the name of the jail.
exec.consolelog = "/var/log/jail_console_${name}.log";
#+end_src
-Then we add permissions which will allow for =vnet= - the system allowing for jail to have their own, (virtual) network stack.
-Even though everything goes host's network, for all intends and purposes jails have their own NICs.
+Then we add permissions which will enable =vnet= - the system allowing for jail to have their own, (virtual) network stack.
+Even though everything goes through host's network stack, for all intends and purposes we can pretend that each jail has it's own (virtual) NIC.
#+begin_src shell
# PERMISSIONS
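Review bot: "permissions which will enable =vnet=" overstates the block that follows: only the `vnet;` statement turns on the virtual network stack, the other lines under `# PERMISSIONS` are separate grants (devfs mounting, a devfs ruleset, raw sockets), so say "settings that enable vnet and grant the jail what it needs". Wording on the changed lines: "intends and purposes" is "intents and purposes", "it's own" is "its own", "allowing for jail to have their own" reads better as "allowing jails to have their own", and "goes through host's network stack" wants "the host's".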
@@ -1465,7 +1462,7 @@ Even though everything goes host's network, for all intends and purposes jails h
vnet;
#+end_src
-Note, that we need to configure this ruleset. Create =etc/defvs.rules=:
+Note, that we need to configure this =devfs_ruleset=. Create =etc/defvs.rules=:
#+begin_src shell
[devfsrules_jails=5]
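Review bot: the file name in "Create =etc/defvs.rules=" is misspelled and missing its leading slash; devfs(8) reads `/etc/devfs.rules`, so a reader who copies this creates a file that is never loaded and the jail then fails to start with an unknown ruleset. Worth adding that the ruleset only takes effect after `service devfs restart` (or a reboot), and a sentence on `add path 'bpf*' unhide`: it exposes BPF inside the jail, which is what dhclient needs to send DHCP requests on the epair, but it also means any process in the jail can capture traffic on that interface.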
@@ -1477,15 +1474,16 @@ add path 'bpf*' unhide
back to =jail.conf=, we set hostname and path for the container.
Adjust to your liking.
+
#+begin_src shell
host.hostname = "${name}.dune.local";
path = "/usr/local/jails/containers/${name}";
#+end_src
Now for the actual network configuration.
-We will configure for the shell to:
+We will configure for the jail system to:
- create an =epair(4)= and use for network communication
-- destroy this =epair= upon stopping
+- destroy this =epair= upon stopping a jail
#+begin_src shell
$epair = "epair${id}";
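Review bot: "back to =jail.conf=, we set hostname and path" starts a sentence in lower case and names the file differently from the earlier `/etc/jails.conf`; pick one spelling (jail(8) defaults to `/etc/jail.conf`). The first bullet is missing its object: "create an =epair(4)= and use it for network communication". The list says "the jail system" will create and destroy the epair; strictly it is the host running the `exec.prestart` / `exec.poststop` commands that does so, which matters for the reader because those commands run with host privileges.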
@@ -1530,7 +1528,7 @@ Explanations:
- =$mac= will force a given mac address for the virtual network card.
This will ensure that FreeBSD won't change it, and we can assign fixed =IP= on the router level
- This jail has attached network storage.
- You don't want the jail itself to even know what it is, so we're forcing the host to execute =/etc/fstab.$name=, and mount the drives.
+ You don't want the jail itself to even know what it is, so we're forcing the host to execute =/etc/fstab.$name=, and mount the shares.
Note, that you need to mount the drives in directory relative to *host's* root, so something like:
#+begin_src shell
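Review bot: "we can assign fixed =IP= on the router level" should name the mechanism, since the MAC pin only helps if the router is configured for it: "so the router can hand out a fixed address via a DHCP reservation on that MAC". The storage bullet alternates between "mount the shares" and "mount the drives" across two lines; use one term. Since the mount is done by the host in `exec.prestart` from `/etc/fstab.$name`, note that this file lives on the host outside `path` and is read with host privileges, so it must stay root-owned and must not be reachable from inside the jail.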
@@ -1541,7 +1539,7 @@ Explanations:
**** Putting it all together
-The entire =jail.conf= here looks like:
+The entire =jail.conf= looks like:
#+begin_src shell
exec.clean;
@@ -1574,6 +1572,14 @@ The entire =jail.conf= here looks like:
exec.poststop += "umount -a -F /etc/fstab.$name";
}
#+end_src
+
+**** Improve me
+
+Is this perfect?
+No!
+There are people doing magical things with jails.
+If this makes no sense to you, or if you've done it better - make sure to [[/contact][contact me]].
+
* WIP
** TODO OpenBSD: XMPP (Jabber) server
/intro/
diff --git a/content/blog/2024/re-michal-sapkas-new-home.md b/content/blog/2024/re-michal-sapkas-new-home.md
new file mode 100644
index 0000000..d3eba32
--- /dev/null
+++ b/content/blog/2024/re-michal-sapkas-new-home.md
@@ -0,0 +1,31 @@
++++
+title = "RE: Michał Sapka’s new home"
+author = ["Michał Sapka"]
+date = 2024-10-29T21:13:00+01:00
+categories = ["blog"]
+draft = false
+weight = 2001
+image_dir = "blog/images"
+image_max_width = 600
+Abstract = "Reply to Ruben's post"
+Listening = "Metallica - Garage, Inc."
++++
+
+If you read this site regularly, you may have noticed that I mention Rubenerd from time to time.
+Actually, I do it all the time.
+
+But this time, Ruben made me a bday surprise and [wrote about me](https://rubenerd.com/michal-sapkas-new-home/).
+This post is a small reply.
+
+Yes, I am merging all my sites into one, once again.
+While it was cool to have 6 pages, the real question was: do I want multiple mediocre ones, or one ok-ish?
+Looking at this from this point, reunification makes sense.
+
+I changed the domains because I moved the site to my homelab and having DDNS on my mail domain seemed scary.
+Most likely nothing bad would happen, but better safe then sorry.
+Plus, "Crys Site" is a wordplay and no one has yet guessed it.
+
+The merging project is still in progress, as I am fixing some outstanding bugs.
+I love toying with this site, even if no one cares ;-)
+
+Ruben, you are a wonderful human being and the creator of my favorite blog out there.
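Review bot: "better safe then sorry" on the changed line should be "better safe than sorry" (same fix as in the org source). The front-matter key is `Abstract` here but `abstract` in the other file added by this commit; the difference comes from `:Abstract` in blog.org versus `:abstract` in bsd.org, so normalize the org property to keep exported front matter uniform.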
diff --git a/content/bsd/freebsd-homelab/dhcp-vnet-jail.md b/content/bsd/freebsd-homelab/dhcp-vnet-jail.md
new file mode 100644
index 0000000..1a47279
--- /dev/null
+++ b/content/bsd/freebsd-homelab/dhcp-vnet-jail.md
@@ -0,0 +1,199 @@
++++
+title = "Template for jail with an external IP assigned via DHCP"
+author = ["Michał Sapka"]
+date = 2024-10-29T22:03:00+01:00
+categories = ["bsd"]
+draft = false
+weight = 3001
+primary_menu = "bsd"
+image_dir = "bsd"
+image_max_width = 600
+abstract = "Running old adventure games"
+[menu]
+ [menu.bsd]
+ weight = 3001
+ identifier = "template-for-jail-with-an-external-ip-assigned-via-dhcp"
+ parent = "freebsd-homelab"
++++
+
+The idea behind FreeBSD homelab is simple: to utilize the Jail system.
+Jails are great!
+
+What I want is to have jails with:
+
+- dedicated, external IP
+- IPs are assigned via DHCP server
+- I am able to access files outside if the jails
+
+I was able to achieve most of this by following [FreeBSD handbook](https://docs.freebsd.org/en/books/handbook/jails/), [Rubenerd's post](https://rubenerd.com/starting-with-freebsd-jails/), and [FreeBSD Wiki](https://wiki.freebsd.org/Jails), but I also received some help from different individuals whose names I can't recall.
+
+I use classic jails created from ZFS snapshots, but (as to the best of my knowledge), any jail will work with the following configuration.
+Unless specified, all code here goes to `/etc/jails.conf`.
+
+```shell
+config1;
+
+jail1 {
+ config2;
+}
+
+jail2 {
+ config3;
+}
+```
+
+jail1 gets configured with `config1` and `config2`, while jail2 gets `config1` and `config3`.
+
+
+## Jail configuration {#jail-configuration}
+
+First, we start with standard configuration regarding starting, stopping and logging.
+Notice the `#{name}`.
+It's a variable which fill be filled with the name of the jail.
+
+```shell
+# STARTUP/LOGGING
+exec.clean;
+exec.start = "/bin/sh /etc/rc";
+exec.stop = "/bin/sh /etc/rc.shutdown";
+exec.consolelog = "/var/log/jail_console_${name}.log";
+```
+
+Then we add permissions which will enable `vnet` - the system allowing for jail to have their own, (virtual) network stack.
+Even though everything goes through host's network stack, for all intends and purposes we can pretend that each jail has it's own (virtual) NIC.
+
+```shell
+# PERMISSIONS
+allow.raw_sockets;
+exec.clean;
+mount.devfs;
+devfs_ruleset = 5;
+vnet;
+```
+
+Note, that we need to configure this `devfs_ruleset`. Create `etc/defvs.rules`:
+
+```shell
+[devfsrules_jails=5]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide
+```
+
+back to `jail.conf`, we set hostname and path for the container.
+Adjust to your liking.
+
+```shell
+host.hostname = "${name}.dune.local";
+path = "/usr/local/jails/containers/${name}";
+```
+
+Now for the actual network configuration.
+We will configure for the jail system to:
+
+- create an `epair(4)` and use for network communication
+- destroy this `epair` upon stopping a jail
+
+<!--listend-->
+
+```shell
+$epair = "epair${id}";
+$bridge = "bridge0";
+vnet.interface = "${epair}b";
+exec.start += "dhclient ${epair}b";
+exec.prestart = "/sbin/ifconfig ${epair} create up";
+exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
+exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
+exec.prestart += "/sbin/ifconfig ${epair}b ether ${mac}";
+
+exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
+exec.poststop += "/sbin/ifconfig ${epair}a destroy";
+```
+
+For this to work, we need to create a `if_bridge(4)` on our host machine.
+Make sure that your `rc.conf` has:
+
+```shell
+cloned_interfaces="bridge0"
+ifconfig_bridge0="addm em0 up"
+```
+
+(replace `em0` with appropriate device)
+
+Ok, now we just need to have our jail ready.
+First, create it as it presented in the [FreeBSD handbook](https://docs.freebsd.org/en/books/handbook/jails/).
+
+Then, configure the jail:
+
+```shell
+jail {
+ $id=1;
+ $mac="2:bf:b9:4c:4f:0b";
+
+ exec.prestart += "mount -a -F /etc/fstab.$name";
+ exec.poststop += "umount -a -F /etc/fstab.$name";
+}
+```
+
+Explanations:
+
+- `$id` will be used when creating matching `epair`
+- `$mac` will force a given mac address for the virtual network card.
+ This will ensure that FreeBSD won't change it, and we can assign fixed `IP` on the router level
+- This jail has attached network storage.
+ You don't want the jail itself to even know what it is, so we're forcing the host to execute `/etc/fstab.$name`, and mount the shares.
+ Note, that you need to mount the drives in directory relative to **host's** root, so something like:
+
+<!--listend-->
+
+```shell
+10.0.1.200:/volume2/movies /usr/local/jails/containers/servarr/mnt/movies nfs rw 0 0
+```
+
+(this attaches an NFS share in read-write mode)
+
+
+## Putting it all together {#putting-it-all-together}
+
+The entire `jail.conf` looks like:
+
+```shell
+exec.clean;
+exec.start = "/bin/sh /etc/rc";
+exec.stop = "/bin/sh /etc/rc.shutdown";
+exec.consolelog = "/var/log/jail_console_${name}.log";
+allow.raw_sockets;
+exec.clean;
+mount.devfs;
+devfs_ruleset = 5;
+vnet;
+host.hostname = "${name}.dune.local";
+path = "/usr/local/jails/containers/${name}";
+$epair = "epair${id}";
+$bridge = "bridge0";
+vnet.interface = "${epair}b";
+exec.start += "dhclient ${epair}b";
+exec.prestart = "/sbin/ifconfig ${epair} create up";
+exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
+exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
+exec.prestart += "/sbin/ifconfig ${epair}b ether ${mac}";
+exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
+exec.poststop += "/sbin/ifconfig ${epair}a destroy";
+
+jail {
+ $id=1;
+ $mac="2:bf:b9:4c:4f:0b";
+
+ exec.prestart += "mount -a -F /etc/fstab.$name";
+ exec.poststop += "umount -a -F /etc/fstab.$name";
+}
+```
+
+
+## Improve me {#improve-me}
+
+Is this perfect?
+No!
+There are people doing magical things with jails.
+If this makes no sense to you, or if you've done it better - make sure to [contact me](/contact).
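Review bot: `exec.start = "/bin/sh /etc/rc";` followed by `exec.start += "dhclient ${epair}b";` runs the jail's rc scripts before the interface has an address, so anything /etc/rc starts that binds to an address or resolves a name at boot comes up without network and has to be restarted; either put the dhclient line first (`exec.start = "dhclient ${epair}b"; exec.start += "/bin/sh /etc/rc";`) or configure the interface from the jail's own /etc/rc.conf so /etc/rc brings it up in the normal order, and drop the dhclient line. Related points in the assembled `jail.conf`: `allow.raw_sockets;` is not needed for DHCP or the epair (dhclient uses BPF, which the devfs rule already unhides); it lets processes in the jail open raw sockets, so keep it only if ping or traceroute from inside the jail matter, and say so in the text. `exec.clean;` appears twice in the final file. The NFS line `10.0.1.200:/volume2/movies /usr/local/jails/containers/servarr/mnt/movies nfs rw 0 0` is mounted by the host read-write into the jail's root, so root inside the jail is root on that export unless the server maps root to an unprivileged user (`-maproot` in exports(5) on FreeBSD, root squash elsewhere); for a media share `ro` or a squashed export is the safer default and worth a sentence. Text nits carried over from the org source: `/etc/jails.conf` versus `jail.conf` (jail(8) reads `/etc/jail.conf`), `etc/defvs.rules` should be `/etc/devfs.rules`, `#{name}` should be `${name}`, "fill be filled", "outside if the jails", "intends and purposes", "it's own", and the abstract "Running old adventure games" belongs to the ScummVM post.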