1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
+++
title = "FreeBSD: examples of Jail usage"
author = ["Michał Sapka"]
date = 2023-12-01T21:29:00+01:00
categories = ["bsd"]
draft = false
weight = 2001
primary_menu = "bsd"
abstract = "How can we use FreeBSD Jails?"
[menu]
[menu.bsd]
weight = 2001
identifier = "freebsd-examples-of-jail-usage"
parent = "freebsd"
name = "Some examples of using Jails"
+++
Creating Jails in FreeBSD is very easy.
It takes few minutes to follow the [official handbook](https://docs.freebsd.org/en/books/handbook/jails/) and voilà!
We've a dedicated container.
But what can we do with it?
A very common use pattern on FreeBSD desktop is to use Jails to encapsulate dependencies, so they don't pollute the main OS.
Don't want that pesky Pyton? Straight to Jail.
Java? Straight to jail!
## Simple jail - Ltex-Ls {#simple-jail-ltex-ls}
I am not a native speaker, so my English skills are far from perfect.
My terrible typing skills don't add anything good into the mix.
Therefore, I am in need of a good grammar and spell checker.
There is Grammarly, but it's closed source and cloud based.
We don't want that.
Luckily an alternative exist - [LanguageTool](https://languagetool.org/).
It is quite good and can run locally!
I use it via an LSP - [Ltex-Ls](https://valentjn.github.io/ltex/ltex-ls/installation.html).
Technically it's aimed at Latex, but it can work with any filetype.
The problem with ltex-ls is that is runs on JVM.
I really don't need that on my system.
Let's lock it in a jail and allow our NeoVim[^lsp] to use it.
[^lsp]: I can, of course, run in any other editor which supports the LSP standard, be it Emacs or some bad one.
First, let's create a Jail and call it \`ltex\`.
For now we can allow it access to the internet, as we will download some files.
```shell
ltex {
ip4 = inherit;
interface = em0;
}
```
We will remove network access after we are done with the setup.
We don't want any of our writings to leak to the web.
Then, let's log into the jail
```shell
doas jexec ltex /bin/sh
```
and add the dreaded java
```shell
pkg install openjdk-jre
```
then, let's fetch our latex-ls
```shell
cd /root
wget https://github.com/valentjn/ltex-ls/releases/download/16.0.0/ltex-ls-16.0.0.tar.gz
tar -xvf ltex-ls-16.0.0.tar.gz
```
for ease of use, let's remove the version number from the directory
```shell
mv ltex-ls-16.0.0/ ltex
```
And our jail is ready, so let's leave it (either \`exit\` or the good, old Ctrl+d).
We can now open our nvim config file.
This is not a guide about this part, so let's just assume you have LSP and LSP-Config intalled.
Our config will look like this:
```lua
lspconfig.ltex.setup{
on_attach = on_attach,
cmd = { "doas",
"jexec",
"ltex",
"/root/ltex/bin/ltex-ls" },
-- rest of config omitted
}
```
Notice, that we now run the command as root inside the Jail.
It would make sense to allow passwordless-doas to our user due to \`doas\`.
I will update this guide if I figure out if we can commit this security nightmare here.
But let's go a step further.
Ltex-Ls allows to use machine learning based grammar check based on ngram data.
We can add it to our jail.
Let's log back in
```shell
doas jexec ltex /bin/sh
```
Next we need to fetch the ngram data (you can find it on [LanguageTool website](https://dev.languagetool.org/finding-errors-using-n-gram-data.html).
We need to have a \`ngrams\` folder which contains \`en\` (as the language shortcut).
The ngrams should be inside the \`en\`.
I propose you move the files to \`/var/ngrams/en\` inside the Jail.
We can now tell \`NeoVim\` to inform the \`ltex-ls\` runtime to use the ngrams.
```lua
-- our old config
lspconfig.ltex.setup{
on_attach = on_attach,
cmd = { "doas",
"jexec",
"ltex",
"/root/ltex/bin/ltex-ls" },
-- ngram settings added
settings = {
ltex = {
additionalRules = {
languageModel = '/var/ngrams/',
},
},
},
-- rest of config still omitted
```
Note that we instructed the LSP to use `/var/ngrams` folder.
For program running inside a Jail, the Jail is full system.
Even though we can access the ngram data on the host OS under `/jail/containers/ltex/var/ngrams` (depending on your config), for Jail, the `/jail/containers/ltex/` prefix doesn't exist as it points to root for the jail.
We can now remove networking from the jail, so our Jail config just defines the existence of the jail
```shell
ltex {
}
```
And boom. We've got machine language grammar checking which is completely offline and does not pollute our primary system.
Our tinfoil friends will be proud of us.
[this article will be expanded with more examples in the near future]
|
