Diffstat (limited to 'content-org/bsd.org')
-rw-r--r-- | content-org/bsd.org | 176 |
1 files changed, 176 insertions, 0 deletions
diff --git a/content-org/bsd.org b/content-org/bsd.org index 22cc903..37cec90 100644 --- a/content-org/bsd.org +++ b/content-org/bsd.org 
@@ -1397,7 +1397,183 @@ Monkey Island 2 running on ScummVM #+end_image +** Homelab +:PROPERTIES: +:EXPORT_HUGO_MENU: :menu bsd :parent "freebsd-homelab" +:EXPORT_HUGO_SECTION: bsd/freebsd-homelab +:END: + +*** DONE Template for jail with external IP assigned via DHCP +CLOSED: [2024-10-27 Sun 20:11] +:PROPERTIES: +:EXPORT_FILE_NAME: dhcp-vnet-jail +:EXPORT_HUGO_CUSTOM_FRONT_MATTER+: :abstract Running old adventure games +:END: + +The idea behind FreeBSD homelab is simple: to utilize the Jail system. +Jails are great! + +What I want is to have jails with: +- dedicated, external IP +- IPs are assigned via DHCP server +- I am able to access files outside if the jails + +I was able to achieve most of this by following [[https://docs.freebsd.org/en/books/handbook/jails/][FreeBSD handbook]], [[https://rubenerd.com/starting-with-freebsd-jails/][Rubenerd's post]], and [[https://wiki.freebsd.org/Jails][FreeBSD Wiki]], but I also received some help from different indiduals whose names I can't recall. + +I use classic jails created from ZFS snapshots, but (as to the best of my knowledge), any jail will work with the following configuration. +Unless specified, all code here goes to =/etc/jails.conf=. + +Note, that any configuration outside jail definition, will also apply to all jails. +For example for this structure: + +#+begin_src shell + config1; + + jail1 { + config2; + } + + jail2 { + config3; + } +#+end_src + +jail1 gets configured with =config1= and =config2=, while jail2 gets =config1= and =config3=. + +**** Jail configuration + +First, we start with standard configuration regarding starting, stopping and logging. +Notice the =#{name}=. +It's a variable which fill be filled the name of the jail. 
+#+begin_src shell + # STARTUP/LOGGING + exec.clean; + exec.start = "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown"; + exec.consolelog = "/var/log/jail_console_${name}.log"; +#+end_src + +Then we add permissions which will allow for =vnet= - the system allowing for jail to have their own, (virtual) network stack. +Even though everything goes host's network, for all intends and purposes jails have their own NICs. + +#+begin_src shell + # PERMISSIONS + allow.raw_sockets; + exec.clean; + mount.devfs; + devfs_ruleset = 5; + vnet; +#+end_src + +Note, that we need to configure this ruleset. Create =etc/defvs.rules=: + +#+begin_src shell +[devfsrules_jails=5] +add include $devfsrules_hide_all +add include $devfsrules_unhide_basic +add include $devfsrules_unhide_login +add path 'bpf*' unhide +#+end_src + +back to =jail.conf=, we set hostname and path for the container. +Adjust to your liking. +#+begin_src shell + host.hostname = "${name}.dune.local"; + path = "/usr/local/jails/containers/${name}"; +#+end_src + +Now for the actual network configuration. +We will configure for the shell to: +- create an =epair(4)= and use for network communication +- destroy this =epair= upon stopping + +#+begin_src shell + $epair = "epair${id}"; + $bridge = "bridge0"; + vnet.interface = "${epair}b"; + exec.start += "dhclient ${epair}b"; + exec.prestart = "/sbin/ifconfig ${epair} create up"; + exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}"; + exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up"; + exec.prestart += "/sbin/ifconfig ${epair}b ether ${mac}"; + + exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a"; + exec.poststop += "/sbin/ifconfig ${epair}a destroy"; +#+end_src +For this to work, we need to create a =if_bridge(4)= on our host machine. 
+Make sure that your =rc.conf= has: + +#+begin_src shell +cloned_interfaces="bridge0" +ifconfig_bridge0="addm em0 up" +#+end_src + +(replace =em0= with appropriate device) + +Ok, now we just need to have our jail ready. +First, create it as it presented in the [[https://docs.freebsd.org/en/books/handbook/jails/][FreeBSD handbook]]. + +Then, configure the jail: +#+begin_src shell + jail { + $id=1; + $mac="2:bf:b9:4c:4f:0b"; + + exec.prestart += "mount -a -F /etc/fstab.$name"; + exec.poststop += "umount -a -F /etc/fstab.$name"; + } +#+end_src + +Explanations: +- =$id= will be used when creating matching =epair= +- =$mac= will force a given mac address for the virtual network card. + This will ensure that FreeBSD won't change it, and we can assign fixed =IP= on the router level +- This jail has attached network storage. + You don't want the jail itself to even know what it is, so we're forcing the host to execute =/etc/fstab.$name=, and mount the drives. + Note, that you need to mount the drives in directory relative to *host's* root, so something like: + +#+begin_src shell +10.0.1.200:/volume2/movies /usr/local/jails/containers/servarr/mnt/movies nfs rw 0 0 +#+end_src + +(this attaches an NFS share in read-write mode) + +**** Putting it all together + +The entire =jail.conf= here looks like: + +#+begin_src shell + exec.clean; + exec.start = "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown"; + exec.consolelog = "/var/log/jail_console_${name}.log"; + allow.raw_sockets; + exec.clean; + mount.devfs; + devfs_ruleset = 5; + vnet; + host.hostname = "${name}.dune.local"; + path = "/usr/local/jails/containers/${name}"; + $epair = "epair${id}"; + $bridge = "bridge0"; + vnet.interface = "${epair}b"; + exec.start += "dhclient ${epair}b"; + exec.prestart = "/sbin/ifconfig ${epair} create up"; + exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}"; + exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up"; + exec.prestart += "/sbin/ifconfig ${epair}b 
ether ${mac}"; + exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a"; + exec.poststop += "/sbin/ifconfig ${epair}a destroy"; + + jail { + $id=1; + $mac="2:bf:b9:4c:4f:0b"; + + exec.prestart += "mount -a -F /etc/fstab.$name"; + exec.poststop += "umount -a -F /etc/fstab.$name"; + } +#+end_src * WIP ** TODO OpenBSD: XMPP (Jabber) server /intro/ |
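Review bot: the devfs ruleset file the hunk tells the reader to create, "Create =etc/defvs.rules=", is both misspelled and missing its leading slash; devfs(8) reads /etc/devfs.rules, so a file written at the path as printed is never loaded and `devfs_ruleset = 5;` in jail.conf points at a ruleset that does not exist. Fix the path and add that the new ruleset only takes effect after `service devfs restart`. Related naming slip: the intro says "all code here goes to =/etc/jails.conf=" while the rest of the text (and jail(8)) uses /etc/jail.conf; pick one. In the PERMISSIONS block, `allow.raw_sockets;` is turned on with no stated reason; dhclient(8) on FreeBSD sends and receives through bpf(4), which the ruleset already exposes with `add path 'bpf*' unhide`, so raw sockets are not required for the DHCP lease, and leaving them enabled lets the jail craft arbitrary IP packets (spoofed source addresses included) onto the bridged LAN segment. Drop the line, or state what needs it (ping/traceroute from inside the jail is the usual justification). Style: `exec.clean;` appears twice, under STARTUP/LOGGING and again under PERMISSIONS, in both the walkthrough and the consolidated jail.conf at the end; harmless, but it reads as a copy-paste leftover. The front matter `:abstract Running old adventure games` is carried over from the ScummVM entry directly above and should describe the DHCP/vnet jail template instead. Minor prose typos to sweep while editing: "fill be filled the name", "indiduals", "outside if the jails", "intends and purposes".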