voxpupuli / puppet-jail Goto Github PK

View Code? Open in Web Editor NEW

9.0 41.0 8.0 247 KB

FreeBSD Jails with Puppet

Home Page: https://forge.puppet.com/puppet/jail

License: Apache License 2.0

Ruby 95.87% Puppet 1.59% Shell 0.58% HTML 1.96%

iocage jail-management puppet jail freebsd-jails ruby hacktoberfest bsd-puppet-module freebsd-puppet-module

puppet-jail's Introduction

FreeBSD Jail management with Puppet

Manage FreeBSD jails with Puppet, leveraging iocage for jail management.

Setup

This module expects to be the only jail manager on a given system. Each system where jails will be managed needs to include the jail::setup class as well.

include jail::setup

This simply installs 'iocage' and removes '/etc/jail.conf'.

This allows the type to use the correct jail without having to specify the pool on each jail.

A simple jail

jail { 'myjail1':
  ensure    => present,
  state     => 'up',
  ip4_addr  => 'em0|10.0.0.10/24',
  ip6_addr  => 'em0|fc00::10/64',
  hostname  => 'myjail1.example.com',
  boot      => 'on',
  user_data => template('mysite/user_data.sh.erb'),
}

Note the ip4_addr and the ip6_addr properties take an interface name and an IP address separated by a pipe character. This value is passed directly to iocage(7). You may wish to read the man page.

puppet-jail's People

Contributors

Stargazers

Watchers

Forkers

danieldreier caius cloudxtreme bs-demon igalic rtyler rainbowhackerhorse bastelfreak

puppet-jail's Issues

iocage "service" does not start on boot

jail complains about changed properties vnet0_mac

Affected Puppet, Ruby, OS and module versions/distributions

Puppet: 6.26.0
Ruby: 2.7.6p219
Distribution: FreeBSD 12.1
Module version: ?

How to reproduce (e.g Puppet code you use)

jail { $jname:
  ensure     => present,
  state       => 'up',
  boot       => 'on',
  ip4_addr   => "vnet0|${ipv4addr}",
  name       => $jname,
  release    => $jrelease,
  properties => {
    vnet                             => '1',
    vnet_default_interface => $vif,
    defaultrouter               => $ipv4gw,
  },
}

What are you seeing

Every puppet run complains about changed properties (specific vnet0_mac).

What behaviour did you expect instead

I think it should ignore the vnet0_mac property if we don't include it in the properties list so it can use the automatically generated mac...

Output log

Notice: /Stage[main]/Fileserver::Sharing::Nextcloud/Jail[test2]/properties: properties changed {
'defaultrouter' => '130.236.8.65',
'vnet' => '1',
'vnet0_mac' => '3cfdfe4b483c 3cfdfe4b483d',
'vnet_default_interface' => 'vlan1601'
} to {
'defaultrouter' => '130.236.8.65',
'vnet' => '1',
'vnet0_mac' => undef,
'vnet_default_interface' => 'vlan1601'
}

Any additional information you'd like to impart

Only workaround I found was to include the vnet0_mac property.

ioc provider for libiocage

The demo I've seen this week on libiocage is compelling. Its unclear to me the future of the various projects, but libiocage might be a better place to integrate puppet.

Need more properties

For a postgres jail, the following is required.

iocage set allow_sysvipc=1 db1

Exposing an interface to this seems prudent.

support mounting of arbitrary filesystems into jails

the python version of supports configuring arbitrary filesystems

i'm not sure what the correct way of doing this is — an array to the jail type?
or perhaps the "easiest" way would be a mount provider?

add support for --pkglist

both versions of iocage support --pkglist
I propose adding a new property pkglist, which by default is [] and can be filled with an arbitrary number of package names.
This will generate a temporary file to create the jail with.
For py-iocage, that file needs to be json, with the format:

{
    "pkgs": [
    "foo",
    "bar"
    ]
}

note that jails created with pkglist will need an IP address from the very start.
Templates created with pkglist will at least need a temporary IP.

pdk convert

Maybe we should follow the new Puppet way of managing & building modules and PDK convert this module!

it would be most beneficial, as most IDE plugins already rely on a module using pdk

iocage package is deprecated

iocage is dead, long live py-iocage

we should change the install package to py27-iocage, as well as the binary referenced in the provider

the service name remains unchanged.

ensure => template

Allow creation of templates… this is usually done by setting the template property

iocage get template blag
no

i propose to pass this specific property (and only this) through ensure… given that the way to list templates is thru iocage list -t this strikes me as the correct design choice

Does not perform initial fetch.

The bottom falls out of there are non manage jails present

I noticed this during a poudriere run, where many jails were not under puppet management, duplicate jail names were created.