Jekyll2023-12-31T18:05:56+01:00/feed.xmleoli3nA blog that talks about Linux, BSD, Pizza, DevOps and more.Stop battery draining by Syncthing on Android2021-12-29T00:00:00+01:002021-12-29T00:00:00+01:00/2021/12/29/syncthing-battery-draining<p>In <a href="/2021/12/21/degoogling-android.html">degoogling</a> post, I explained how I switch to CalyxOS. One great relief is that, as most google services are not running, I should expect a lower battery consumption and so, a longer battery life.<br />
It was true, until I install Syncthing to sync my data between my devices instead of using centralized Google Drive.The service was draining my whole battery, beeing the only app which eat it.<br />
As I rarely use Wifi networks, I need Syncthing to run over mobile data. The problem is that it runs in background, constantly checking for new data.</p>
<p><img src="/assets/images/easer/before.png" alt="before" width="300" /></p>
<p>The main <a href="https://f-droid.org/en/packages/com.nutomic.syncthingandroid/">Syncthing</a> app from f-droid, doesn’t provide much battery saving options.</p>
<ul>
<li><code class="language-bash highlighter-rouge">Syncthing Options / Disable RestartOnWakeUp</code> : It is supposed to save battery, tried it without success.</li>
<li><code class="language-bash highlighter-rouge">Running conditions / Disable run on battery</code> : It would be a good solution if I could be able to force a run, even on battery, in emergency case.</li>
</ul>
<p><a href="https://f-droid.org/en/packages/com.github.catfriend1.syncthingandroid/">Syncthing fork</a> is supposed to be a better solution.</p>
<p>The <a href="https://github.com/Catfriend1/syncthing-android/tree/ed83b22596eb0b575cda7b3fd5b9a1c5704def14#readme">README</a> says that “Battery eater problem is fixed.”, so I <a href="https://github.com/Catfriend1/syncthing-android/issues/870">asked the dev</a> for more explainations, his answer was a bit light.<br />
Despite the fact that the fork gives some finer options to deal with battery consumption, it allowed me to save no more than 2 or 3 battery hours.</p>
<p>The solution would be to sync only on specific conditions, to reduce the running syncing window. Luckily, Syncthing has an option to <code class="language-bash highlighter-rouge">Respect Android parameter about Data Syncing</code>, and some automation tools exists.</p>
<h3 id="easer-automation-tool">Easer automation tool</h3>
<p><a href="https://f-droid.org/fr/packages/ryey.easer/">Easer</a> is an Android event driven automation tool.<br />
I want my sync to be disabled when the screen is locked. When the screen is unlocked, I want to limit sync to 1 min.<br />
As my main concern is battery consumption, I want to always sync when battery is charging.<br />
I usually charge at home, which is the only place where I use Wifi, lets trigger it then.</p>
<p>Here’s my configuration.</p>
<h4 id="conditions">Conditions</h4>
<p>Conditions are long time events, based on states. I used it to check if the screen is unlocked or the battery is discharging.</p>
<p><img src="/assets/images/easer/conditions.png" alt="conditions" width="300" /> <img src="/assets/images/easer/unlocked.png" alt="unlocked" width="300" /> <img src="/assets/images/easer/charging.png" alt="charging" width="300" /></p>
<h4 id="events">Events</h4>
<p>Events are what they are, short time changing states, used for exemple for timing.</p>
<p><img src="/assets/images/easer/events.png" alt="events" width="300" /> <img src="/assets/images/easer/timing.png" alt="timing" width="300" /></p>
<h4 id="profils">Profils</h4>
<p>Profils are set of actions.</p>
<p><img src="/assets/images/easer/profils.png" alt="profils" width="300" /> <img src="/assets/images/easer/enable_sync.png" alt="enable_sync" width="300" /> <img src="/assets/images/easer/disable_wifi.png" alt="disable_wifi" width="300" /> <img src="/assets/images/easer/enable_sync_and_wifi.png" alt="enable_sync_and_wifi" width="300" /> <img src="/assets/images/easer/disable_sync.png" alt="disable_sync" width="300" /></p>
<h4 id="scripts">Scripts</h4>
<p>Scripts link events and conditions to profils.</p>
<p><img src="/assets/images/easer/scripts.png" alt="scripts" width="300" /> <img src="/assets/images/easer/when_charging.png" alt="when_charging" width="300" /> <img src="/assets/images/easer/when_not_charging.png" alt="when_not_charging" width="300" /> <img src="/assets/images/easer/when_unlocked.png" alt="when_unlocked" width="300" /> <img src="/assets/images/easer/disable_sync_when_locked.png" alt="disable_sync_when_locked" width="300" /> <img src="/assets/images/easer/disable_sync_1min.png" alt="disable_sync_1min" width="300" /></p>
<h4 id="pivot">Pivot</h4>
<p>This is the global algorithm.</p>
<p><img src="/assets/images/easer/pivot.png" alt="pivot" width="600" /></p>
<h3 id="for-24-hours-to--5-days">For 24 hours to … 5 days</h3>
<p>After one night, here’s the estimated battery duration time. Syncthing doesn’t even appear in the list, which is normal because it was not syncing at all.</p>
<p><img src="/assets/images/easer/after.png" alt="after" width="300" /></p>In degoogling post, I explained how I switch to CalyxOS. One great relief is that, as most google services are not running, I should expect a lower battery consumption and so, a longer battery life. It was true, until I install Syncthing to sync my data between my devices instead of using centralized Google Drive.The service was draining my whole battery, beeing the only app which eat it. As I rarely use Wifi networks, I need Syncthing to run over mobile data. The problem is that it runs in background, constantly checking for new data.Degoogling2021-12-21T00:00:00+01:002021-12-21T00:00:00+01:00/2021/12/21/degoogling-android<ul id="markdown-toc">
<li><a href="#apps" id="markdown-toc-apps">Apps</a></li>
<li><a href="#data" id="markdown-toc-data">Data</a></li>
<li><a href="#emails-contacts-and-agenda" id="markdown-toc-emails-contacts-and-agenda">Emails, contacts, and agenda</a></li>
<li><a href="#maps-and-navigation" id="markdown-toc-maps-and-navigation">Maps and navigation</a></li>
<li><a href="#os" id="markdown-toc-os">OS</a></li>
<li><a href="#hardware" id="markdown-toc-hardware">Hardware</a></li>
<li><a href="#calyxos-installation" id="markdown-toc-calyxos-installation">CalyxOS installation</a></li>
<li><a href="#security-configurations" id="markdown-toc-security-configurations">Security configurations</a> <ul>
<li><a href="#aurora-store" id="markdown-toc-aurora-store">Aurora store</a></li>
<li><a href="#shelter-isolation" id="markdown-toc-shelter-isolation">Shelter isolation</a></li>
<li><a href="#datura-firewall" id="markdown-toc-datura-firewall">Datura firewall</a></li>
<li><a href="#seedvault-backups" id="markdown-toc-seedvault-backups">SeedVault backups</a></li>
</ul>
</li>
<li><a href="#a-good-move" id="markdown-toc-a-good-move">A good move</a></li>
</ul>
<p>As many users, Google trapped me many years ago, with my first Android smartphone. Google services are like cotton candy, sweet, colorful, comfortable, but abuse it and you ruin you health. Before even thinking about privacy, I want to be able to choose what services I run on my smartphone. Android version upgrades and the overlay of the manufacturer android rom is heavy and it makes any mid-range smartphone unusable in less than 2 years.<br />
Another problem is that you can’t use Android without a google account.</p>
<p>So I started degoogling, step by step, which was a one year trip…</p>
<h3 id="apps">Apps</h3>
<p>I started by trying to find FOSS alternatives for each apps I use.<br />
<a href="https://f-droid.org/">F-droid</a> is a application store for FOSS on Android and you can find some alternative on <a href="https://degoogle.jmoore.dev/">Degoogle</a>.</p>
<p>Here’s a cool app list :</p>
<ul>
<li><a href="https://f-droid.org/en/packages/com.github.axet.bookreader/">Book Reader</a> : Simple book reader</li>
<li><a href="https://f-droid.org/en/packages/me.hackerchick.catima/">Catima</a> : Loyalty Card Wallet</li>
<li><a href="https://f-droid.org/en/packages/ws.xsoh.etar/">Etar Calendar</a> : Agenda app which supports CalDav</li>
<li><a href="https://f-droid.org/en/packages/eu.faircode.email/">FairEmail</a> : Fully featured email client. Neat, intuitive user interface. Privacy friendly</li>
<li><a href="https://f-droid.org/en/packages/ml.docilealligator.infinityforreddit/">Infinity</a> : A beautiful, feature-rich Reddit client.</li>
<li><a href="https://f-droid.org/en/packages/org.documentfoundation.libreoffice/">LibreOffice Viewer</a></li>
<li><a href="https://f-droid.org/en/packages/net.gsantner.markor/">Markor</a> : Lightweight text editor, Markdown Notes & ToDo.</li>
<li><a href="https://f-droid.org/en/packages/com.artifex.mupdf.viewer.app/">MuPDF</a> : Minimalist PDF viewer</li>
<li><a href="https://f-droid.org/en/packages/org.schabi.newpipe/">NewPipe</a> : Lightweight YouTube frontend</li>
<li><a href="https://f-droid.org/fr/packages/org.dslul.openboard.inputmethod.latin/">OpenBoard</a> : Look and feel of Gboard without the tracking</li>
<li><a href="https://f-droid.org/en/packages/org.sufficientlysecure.keychain/">OpenKeychain</a> : GPG key manager</li>
<li><a href="https://f-droid.org/en/packages/net.osmand.plus/">OsmAnd</a> : Map Viewing & Navigation for Offline and Online OSM Maps</li>
<li><a href="https://f-droid.org/en/packages/dev.msfjarvis.aps/">Password Store</a> : Password Manager</li>
<li><a href="https://f-droid.org/en/packages/net.typeblog.shelter/">Shelter</a> : Provides an isolated space that you can install or clone apps into</li>
<li><a href="https://f-droid.org/en/packages/com.simplemobiletools.notes.pro/">Simple Notes</a> : Notes app with a clean widget</li>
<li><a href="https://f-droid.org/en/packages/com.termux/">Termux</a> : Terminal emulator with packages</li>
<li><a href="https://f-droid.org/en/packages/de.ph1b.audiobook/">Voice</a> : Simple audiobook reader</li>
</ul>
<h3 id="data">Data</h3>
<p>Google Drive allows you to access data on the cloud from any device. I used <a href="https://rclone.org/">rclone</a> to be able to sync my data to a local storage. But Google still owns it too and its security is dependant to my Google account.</p>
<p><a href="https://syncthing.net/">Syncthing</a> is a open, trustworthy and decentralized file synchronization. You can install it on any OS, it’s easy to configure and fast.</p>
<p>As you can sync any directory, I use it to sync my pictures to my nas and backup it.</p>
<p><img src="/assets/images/degoogling/syncthing.png" alt="syncthing" /></p>
<h3 id="emails-contacts-and-agenda">Emails, contacts, and agenda</h3>
<p>Fashion is to end-to-end encryption services, like <a href="https://protonmail.com/">Protonmail</a>, or <a href="https://tutanota.com">Tutanota</a>.<br />
Both of them are known backdoored, you can share encrypted mails only with users of the same service (if you don’t use gpg manually) and on Android, you need to use specific apps to access your synced contacts and agendas.<br />
Some workaround are one the road, but I prefer more open solutions, because I don’t need that level of security.</p>
<p>For mail hosting, I chose <a href="runbox.com">runbox.com</a>. The <a href="https://github.com/runbox/runbox7">last version</a> of the web app si open-source. It is hosted in Norway, which has a respectful privacy legislation, servers are powered with green energy, and it provides caldav sync for contacts and agendas.</p>
<p>I use the f-droid app <a href="https://f-droid.org/fr/packages/at.bitfire.davdroid/">Davx5</a> as Cal/Card Dav sync client.</p>
<h3 id="maps-and-navigation">Maps and navigation</h3>
<p>FOSS alternative for Google Maps is OsmAnd. I tried to switch for my daily use, and I quickly realized that google maps was not only a simple navigation service. I use it to find opening hours of shops, phone numbers, shop based on a “meta” search… OsmAnd is based on <a href="https://www.openstreetmap.org/">openstreetmap</a> which is a great service, if you know the full (and well typed) address. Another problem is that route calculation is done on the device, so it doesn’t know for the traffic, accidents, etc. To be honest, I think Google Maps as I use it, cannot be replaced for now by a FOSS app, so I would continue to use it.</p>
<h3 id="os">OS</h3>
<p>The main alternative OS is <a href="https://lineageos.org/">LineageOS</a>. It is shipped defaultly without Google services.<br />
Google services has been reimplemented open-source by the <a href="https://github.com/microg">MicroG</a> project.</p>
<p>Many apps and features depends on Google services : mainly push notifications with GCM.<br />
Sadly, I still need those services, to be able to use any app from the regular store.<br />
You can check compatibility of apps without Google services with <a href="https://plexus.techlore.tech/">Plexus</a>.</p>
<p>LineageOS is great, but you need to find the right hardware to run it, and the hardware support is community-driven.<br />
The flash process could be tricky, with a significant risk to brick your device.</p>
<p>Here comes the funny part : The only choice that allows you to unlock the bootloader and install a custom ROM without too much effort/risk are Google phones because those are designed for developpers !</p>
<p>Choosing a Google smartphone like a Pixel or a Nexus opens your choices to <a href="https://grapheneos.org/">GrapheneOS</a> or <a href="https://calyxos.org/">CalyxOS</a>. Both of them as based on <a href="https://source.android.com/">Android Open Source Project</a>, which is Android without the Google commercial overlay.</p>
<p>I will not compare those 2 here, but I chose CalyxOS for those features :</p>
<ul>
<li>Project driven by <a href="https://calyxinstitute.org/">Calyx Institute</a></li>
<li>MicroG included (and can be disabled)</li>
<li>Focused on privacy</li>
<li>Security with <a href="https://calyxos.org/docs/tech/datura-details/">Datura</a> per app firewall</li>
<li>Auto backup with <a href="https://calyxinstitute.org/projects/seedvault-encrypted-backup-for-android">Seedvault</a></li>
</ul>
<p>To go further : <a href="https://privacyguides.org/android/#aosp-derivatives">privacyguides.org/android</a></p>
<h3 id="hardware">Hardware</h3>
<p>I just switch to a 5G subscription, so the choice is pretty limited.<br />
Despite the fact that the Google Pixel 6 is out since 4 month, I went for a Google Pixel 4a 5g, because it’s cheaper, the screen is smaller and it stills have a minijack :) I also wanted to be able to directly install CalyxOs without beeing stuck on the Google Pixel ROM. When I write those lines, CalyxOS doesn’t support Google Pixel 6 still.</p>
<h3 id="calyxos-installation">CalyxOS installation</h3>
<p>As said, a benefit for using a developer phone is that the flash procedure is pretty simple, and stressless.<br />
You just need to download the flasher binary and the OS archive.<br />
See <a href="https://calyxos.org/install/devices/bramble/linux/">Install on a Pixel 4a (5G)</a>.</p>
<p>On void linux, I needed to install some packages.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>xbps-install <span class="nt">-S</span> android-tools android-udev-rules
</code></pre></div></div>
<p>At first, <code class="language-bash highlighter-rouge">device-flasher</code> didn’t detect the smartphone.<br />
I got help on IRC <code class="language-bash highlighter-rouge">libera.chat <span class="c">#calyxos</span></code>, the community has been nice and helpful.<br />
They adviced me to <a href="https://calyxos.org/install/fastboot/">boot it in fastboot mode</a> and to run <code class="language-bash highlighter-rouge">device-flasher</code> with sudo. It worked like a charm, 5 min and the phone rebooter under CalyxOS.</p>
<h3 id="security-configurations">Security configurations</h3>
<h4 id="aurora-store">Aurora store</h4>
<p>After the first boot, a configuration menu let you enable <code class="language-bash highlighter-rouge">microG</code> and it doesn’t ask you to attach a google account. To be able to install Play Store apps without account, it uses <a href="https://aurora-store.fr.uptodown.com/android">Aurora Store</a>. It supports anonymous apk downloads and installations, and can silently auto upgrade for apps in background.</p>
<h4 id="shelter-isolation">Shelter isolation</h4>
<p>Those untrustable applications doesn’t need for the most part to be able to access my data, or network.<br />
<a href="https://f-droid.org/fr/packages/net.typeblog.shelter/">Shelter</a> use the Android work profile feature to allow you to isolate apps from your data, disabling the ability to use or leak you contacts, for exemple.</p>
<p>To configure it, install <code class="language-bash highlighter-rouge">shelter</code>, and use it to activate your work profile. Then you can clone <code class="language-bash highlighter-rouge">Aurora</code> to the work profile, and use it from here to install untrusted apps.</p>
<p><img src="/assets/images/degoogling/shelter_clone_aurora.png" alt="shelter" width="300" /> <img src="/assets/images/degoogling/work_profile.png" alt="work" width="300" /></p>
<h4 id="datura-firewall">Datura firewall</h4>
<p>To isolate an app from network with <code class="language-bash highlighter-rouge">datura</code>, start the app <code class="language-bash highlighter-rouge">firewall</code> from the main profile.</p>
<p><img src="/assets/images/degoogling/datura_firewall.png" alt="firewall" width="300" /></p>
<h4 id="seedvault-backups">SeedVault backups</h4>
<p>Start <code class="language-bash highlighter-rouge">Backup</code> app and configure it to backup apps and its configurations on the local storage.<br />
Encrypted backups will be stored in <code class="language-bash highlighter-rouge">~/.SeedVaultAndroidBackup</code>.<br />
Then I use <code class="language-bash highlighter-rouge">Syncthing</code> to spread it on my nas which snapshots it on ZFS.</p>
<p><img src="/assets/images/degoogling/backup.png" alt="backup" width="300" /> <img src="/assets/images/degoogling/backup_syncthing.png" alt="backup_syncthing" width="300" /></p>
<h3 id="a-good-move">A good move</h3>
<p>For now, I didn’t face any issue, let’s see in daily use.<br />
I still have many things to test :</p>
<ul>
<li>CalyxOS provides two free VPNs by default, <a href="https://calyxinstitute.org/projects/digital-services/vpn">CalyxVPN</a> and <a href="https://calyxos.org/docs/guide/apps/riseup-vpn/">Rise Up VPN</a>.</li>
<li>A default offline map app : <a href="https://f-droid.org/fr/packages/app.organicmaps/">Organic Maps</a></li>
<li>How <a href="https://calyxos.org/docs/guide/security/location/">location privacy</a> works</li>
</ul>
<p>Over The Air upgrade to Android 12 is coming soon.</p>
<p>For sure, it is a one way trip, may CalyxOS have a long life !</p>Monitoring2021-12-10T00:00:00+01:002021-12-10T00:00:00+01:00/2021/12/10/monitoring<ul id="markdown-toc">
<li><a href="#turnkey-solution--netdata" id="markdown-toc-turnkey-solution--netdata">Turnkey solution : Netdata</a></li>
<li><a href="#declarative-and-lightweight-solution--monit" id="markdown-toc-declarative-and-lightweight-solution--monit">Declarative and lightweight solution : Monit</a></li>
<li><a href="#web-server-monitoring" id="markdown-toc-web-server-monitoring">Web server monitoring</a></li>
</ul>
<p>I was searching for a lightweight monitoring solution for my single freebsd home server.<br />
It should be able to get storage, cpu and memory metrics, look at file changes, check up my services and send alerts.</p>
<p>I took a look at monitoring stacks like <a href="https://play.grafana.org/d/000000029/prometheus-demo-dashboard?orgId=1&refresh=5m">Prometheus-Node_exporter-Grafana</a> or <a href="https://www.influxdata.com/blog/introduction-to-influxdatas-influxdb-and-tick-stack/">Telegraf-InfluxDB-Chronograf-Kapacitor</a>. It looked like to me a rabbit hole, grafana dashboard is pretty, it does tons of things, but it can’t handle simplest of my needs. You still need <a href="https://www.prometheus.io/docs/alerting/latest/alertmanager/">AlertManager</a> to send mails with your prometheus stack. Endless microservices chain…<br />
Those are great solutions when managing large node/service farms.</p>
<h3 id="turnkey-solution--netdata">Turnkey solution : Netdata</h3>
<p><a href="https://www.netdata.cloud/">Netdata</a> provides a nice dashboard with realtime metrics, and it supervises system health. It can raise a lot of alerts by default and mail it.</p>
<p><img src="/assets/images/server/netdata.png" alt="netdata" /></p>
<p>I had to configure <a href="https://github.com/corecode/dma">DragonFly Mail Agent</a> which is a small Mail Transfert Agent with SMTP authentication over TLS/SSL.</p>
<p><code class="language-bash highlighter-rouge">/etc/dma/dma.conf</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SMARTHOST smtp.domain.com
PORT 587
AUTHPATH /etc/dma/auth.conf
SECURETRANSFER
STARTTLS
MAILNAME eoli3n.eu.org
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">/etc/dma/auth.conf</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mail@domain.com|smtp.domain.com:P@ssw0rd!
</code></pre></div></div>
<p>Let’s configure mail forwarding from root to external email</p>
<p><code class="language-bash highlighter-rouge">/etc/aliases</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root: jonathan.kirszling@runbox.com
</code></pre></div></div>
<p>I can now test netdata mail transfert by running a test script.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>/usr/local/libexec/netdata/plugins.d/alarm-notify.sh <span class="nb">test</span>
</code></pre></div></div>
<p>Out of the box, netdata checks metrics every seconds, and stores it to RAM with 2 days of retention. With htop, I have noticed 1.7% of CPU and 0.7% of RAM.<br />
Following <a href="https://learn.netdata.cloud/guides/configure/performance">recommendations for performance</a>, netdata dropped to 0.0% of CPU, 0.4% of RAM, with 2 weeks of metrics retention.</p>
<p><code class="language-bash highlighter-rouge">/usr/local/etc/netdata/netdata.conf</code></p>
<div class="language-diff highlighter-rouge"><div class="highlight"><pre class="highlight"><code> [global]
<span class="gi">+ memory mode = dbengine
+ page cache size = 32
+ dbengine multihost disk space = 256
</span><span class="gd">- history = 86400
</span><span class="gi">+ update every = 5
+ debug log = none
+ error log = none
+ access log = none
</span>
[plugins]
freebsd = yes
[web]
respect do not track policy = yes
disconnect idle clients after seconds = 3600
bind to = 127.0.0.1
web files owner = netdata
web files group = netdata
</code></pre></div></div>
<p>Netdata seems to be clever, it checks a lots of things, but I would like a more declarative solution, to check and alert anything I need.</p>
<h3 id="declarative-and-lightweight-solution--monit">Declarative and lightweight solution : Monit</h3>
<p><a href="https://mmonit.com/monit/">Monit</a> is a small utility for managing and monitoring processes, files, directories, filesystems, programs, scripts, hosts, system metrics… It conducts automatic maintenance and repair if you ask it to. It also embeed a clean WebUI to keep an eye on all monitored services.</p>
<p>Simply install <code class="language-bash highlighter-rouge">monit</code> through your package manager and start writing your <code class="language-bash highlighter-rouge">monitrc</code> file.<br />
Here the jinja template I wrote for my server, explained in comments. I don’t even need to over-comment it, because the <a href="https://www.mmonit.com/monit/documentation/monit.html#THE-MONIT-CONTROL-FILE">DSL syntax</a> is human readable.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">set </span>log /var/log/monit.log
<span class="c"># Check every 30 seconds and delay 120s at start</span>
<span class="nb">set </span>daemon 30
with start delay 120
<span class="c"># Enable WebUI and configure it</span>
<span class="nb">set </span>httpd
port 8080
use address 127.0.0.1
allow localhost
signature disable
<span class="c"># Recipient email for alerts</span>
<span class="nb">set </span>alert
<span class="c"># Configure SMTP server to use to send alert.</span>
<span class="c"># Monit doesn't use system sendmail command.</span>
<span class="nb">set </span>mailserver port
username <span class="s2">""</span> password <span class="s2">""</span> using ssl
<span class="nb">set </span>mail-format <span class="o">{</span>
from: Monit <monit@>
reply-to: noreply@
subject: <span class="nv">$ACTION</span> <span class="nv">$SERVICE</span>
message:
Date: <span class="nv">$DATE</span>
Service: <span class="nv">$SERVICE</span>
Event: <span class="nv">$EVENT</span>
Action: <span class="nv">$ACTION</span>
Description: <span class="nv">$DESCRIPTION</span><span class="nb">.</span>
<span class="o">}</span>
<span class="c"># Zpool health</span>
check program zpool-status with path <span class="s2">"/sbin/zpool status -x"</span>
<span class="k">if </span>status <span class="o">!=</span> 0 <span class="k">then </span>alert
<span class="c"># Check zpool usage with a custom script</span>
check program usage-zroot with path <span class="s2">"/tmp/zpool_usage.sh zroot"</span>
<span class="k">if </span>status <span class="o">!=</span> 0 <span class="k">then </span>alert
check program usage-dpool with path <span class="s2">"/tmp/zpool_usage.sh dpool"</span>
<span class="k">if </span>status <span class="o">!=</span> 0 <span class="k">then </span>alert
check program scrub-zroot with path <span class="s2">"/tmp/zpool_scrub.sh zroot"</span>
<span class="k">if </span>status <span class="o">!=</span> 0 <span class="k">then </span>alert
check program scrub-dpool with path <span class="s2">"/tmp/zpool_scrub.sh dpool"</span>
<span class="k">if </span>status <span class="o">!=</span> 0 <span class="k">then </span>alert
<span class="c"># Resources</span>
check system localhost
<span class="k">if </span>memory usage <span class="o">></span> 85% <span class="k">for </span>3 cycles <span class="k">then </span>alert
<span class="k">if </span>loadavg <span class="o">(</span>15min<span class="o">)</span> <span class="o">></span> 4 <span class="k">then </span>alert
<span class="k">if </span>cpu usage <span class="o">></span> 85% <span class="k">for </span>3 cycles <span class="k">then </span>alert
<span class="k">if </span>swap usage <span class="o">></span> 25% <span class="k">for </span>3 cycles <span class="k">then </span>alert
<span class="c"># SSHD</span>
check process sshd with pidfile /var/run/sshd.pid
start program <span class="o">=</span> <span class="s2">"/usr/sbin/service sshd start"</span>
stop program <span class="o">=</span> <span class="s2">"/usr/sbin/service sshd stop"</span>
<span class="k">if </span>failed port protocol ssh <span class="k">then </span>restart
<span class="k">if </span>changed pid <span class="k">then </span>alert
check file sshd_config path /etc/ssh/sshd_config
<span class="k">if </span>changed md5 checksum <span class="k">then </span>alert
check file passwd path /etc/passwd
<span class="k">if </span>changed md5 checksum <span class="k">then </span>alert
<span class="c"># Jails</span>
check program jails with path <span class="s2">"/usr/local/bin/bastille list -a"</span>
<span class="k">if </span>content <span class="o">==</span> <span class="s2">"Down"</span> <span class="k">then </span>alert
<span class="c"># Updates</span>
check program updates with path <span class="s2">"/usr/bin/awk '/packages to be upgraded/ {v+=</span><span class="nv">$NF</span><span class="s2">}END{print v;if (v>=5) exit 1}' /tmp/check-updates"</span>
<span class="k">if </span>status <span class="o">==</span> 1 <span class="k">then </span>alert
<span class="c"># Audit</span>
check program audit with path <span class="s2">"/usr/bin/awk '/found/ {v+=</span><span class="nv">$1</span><span class="s2">}END{print v;if (v>=5) exit 1}' /tmp/bastille-audit"</span>
<span class="k">if </span>status <span class="o">==</span> 1 <span class="k">then </span>alert
<span class="c"># Web</span>
check process nginx with pidfile /usr/local/bastille/jails/nginx/root/var/run/nginx.pid
start program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille start nginx"</span>
stop program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille stop nginx"</span>
<span class="k">if </span>failed host photos.eoli3n.eu.org port 443 protocol https content <span class="o">=</span> <span class="s2">"Photos"</span> <span class="k">then </span>alert
<span class="k">if </span>failed host eoli3n.eu.org port 443 protocol https content <span class="o">=</span> <span class="s2">"… Blog …"</span> <span class="k">then </span>alert
<span class="c"># DNS</span>
check process nsd with pidfile /usr/local/bastille/jails/nsd/root/var/run/nsd/nsd.pid
start program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille start nsd"</span>
stop program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille stop nsd"</span>
<span class="k">if </span>failed host port 53 use <span class="nb">type </span>udp protocol dns <span class="k">then </span>restart
<span class="k">if </span>changed pid <span class="k">then </span>alert
<span class="c"># Syncthing</span>
check process syncthing with pidfile /usr/local/bastille/jails/syncthing/root/var/run/syncthing.pid
start program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille start syncthing"</span>
stop program <span class="o">=</span> <span class="s2">"/usr/local/bin/bastille stop syncthing"</span>
<span class="k">if </span>changed pid <span class="k">then </span>alert
<span class="c"># Backups</span>
check directory backup-host1 path /data/zfs/backups/host1
<span class="k">if </span>timestamp <span class="o">></span> 24 hour <span class="k">then </span>alert
check directory backup-host2 path /data/zfs/backups/host2
<span class="k">if </span>timestamp <span class="o">></span> 24 hour <span class="k">then </span>alert
<span class="c"># Snapshots</span>
check directory zfs-snapshots-slash path /.zfs/snapshot
<span class="k">if </span>timestamp <span class="o">></span> 2 hours <span class="k">then </span>alert
<span class="c"># Sigal</span>
check file sigal-check path /tmp/sigal-check
<span class="k">if </span>changed md5 checksum <span class="k">then </span>alert
<span class="c"># Jekyll</span>
check directory jekyll path /data/zfs/www/blog
<span class="k">if </span>changed timestamp <span class="k">then </span>alert
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">zpool_usage.sh</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/sh</span>
<span class="nb">echo</span> <span class="s2">"cap: </span><span class="si">$(</span>zpool list <span class="nt">-o</span> cap <span class="nt">-H</span> <span class="nv">$1</span><span class="si">)</span><span class="s2"> used: </span><span class="si">$(</span>zpool list <span class="nt">-o</span> alloc <span class="nt">-H</span> <span class="nv">$1</span><span class="si">)</span><span class="s2"> free: </span><span class="si">$(</span>zpool list <span class="nt">-o</span> free <span class="nt">-H</span> <span class="nv">$1</span><span class="si">)</span><span class="s2"> size: </span><span class="si">$(</span>zpool list <span class="nt">-o</span> size <span class="nt">-H</span> <span class="nv">$1</span><span class="si">)</span><span class="s2">"</span>
<span class="nv">cap</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>zpool list <span class="nt">-o</span> cap <span class="nt">-H</span> <span class="nv">$1</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'%'</span><span class="si">)</span><span class="s2">"</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$cap</span><span class="s2">"</span> <span class="nt">-gt</span> 90 <span class="o">]</span>
<span class="k">then
</span><span class="nb">exit </span>1
<span class="k">fi</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">zpool_scrub.sh</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/sh</span>
<span class="nv">scrub_expire</span><span class="o">=</span><span class="s2">"3110400"</span> <span class="c"># 36days * 24hours * 60minutes * 60seconds</span>
<span class="nv">current_date</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>/bin/date +%s<span class="si">)</span><span class="s2">"</span>
<span class="nv">scrub</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>/sbin/zpool status <span class="nv">$1</span> | <span class="nb">grep </span>scrub | <span class="nb">awk</span> <span class="s1">'{print $15 $12 $13}'</span><span class="si">)</span><span class="s2">"</span>
<span class="nv">scrub_date</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> <span class="nt">-j</span> <span class="nt">-f</span> <span class="s1">'%Y%b%e-%H%M%S'</span> <span class="nv">$scrub</span><span class="s1">'-000000'</span> +%s<span class="si">)</span><span class="s2">"</span>
<span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span>/sbin/zpool status <span class="nv">$1</span> | <span class="nb">grep </span>scrub<span class="si">)</span><span class="s2">"</span>
<span class="k">if</span> <span class="o">[</span> <span class="k">$((</span><span class="nv">$current_date</span> <span class="o">-</span> <span class="nv">$scrub_date</span><span class="k">))</span> <span class="nt">-ge</span> <span class="nv">$scrub_expire</span> <span class="o">]</span>
<span class="k">then
</span><span class="nb">exit </span>1
<span class="k">fi</span>
</code></pre></div></div>
<p>Then run <code class="language-bash highlighter-rouge">monit</code>, and check http://localhost:8080. You will now receive a mail when a test fails !</p>
<p><img src="/assets/images/server/monit.png" alt="monit" /></p>
<h3 id="web-server-monitoring">Web server monitoring</h3>
<p>Next step is to monitor my web server. Netdata provides a way to <a href="https://learn.netdata.cloud/docs/agent/collectors/quickstart/#configure-your-application-or-service-for-monitoring">get real-time stats</a> from <code class="language-bash highlighter-rouge">/nginx_status</code>.<br />
If you don’t use Netdata, <a href="https://www.monitorix.org/">monitorix</a> could be a good alternative.</p>
<p>Both of those are realtime, I prefer a solution with historization, which would parse <code class="language-bash highlighter-rouge">access.log</code> to produce some graphs.</p>
<p><a href="https://goaccess.io/">GoAccess</a> can parse logs and do it realtime though its own websocket server, developed by the same guy. The tool is impressive, it can be used cli or generate a html report !</p>
<script id="asciicast-455413" src="https://asciinema.org/a/455413.js" async=""></script>
<p>To be able to consult the html report, I choose to generate it statically everyday with a cron and spread it with <code class="language-bash highlighter-rouge">Syncthing</code>.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">generate reports everyday at midnight</span>
<span class="na">cron</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">goaccess report</span>
<span class="na">job</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/usr/local/bin/goaccess</span><span class="nv"> </span><span class="s">/usr/local/bastille/jails/nginx/root/var/log/nginx/access.log</span><span class="nv"> </span><span class="s">--log-format=COMBINED</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">/data/zfs/sync/docs/reports/nginx-goaccess.html'</span>
<span class="na">hour</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0'</span>
<span class="na">minute</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0'</span>
<span class="na">user</span><span class="pi">:</span> <span class="s">root</span>
</code></pre></div></div>
<p>From any client which has the file synced.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>firefox ~/share/docs/reports/nginx-goaccess.html
</code></pre></div></div>
<p><img src="/assets/images/server/goaccess.png" alt="goaccess" /></p>
<p>The site is responsive, I can also consult it with my smartphone.<br />
To finish, let’s add a <code class="language-bash highlighter-rouge">monit</code> service to check that the report is well generated everyday.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># GoAccess</span>
check file goaccess path /data/zfs/sync/docs/reports/nginx-goaccess.html
<span class="k">if </span>timestamp <span class="o">></span> 24 hours <span class="k">then </span>alert
</code></pre></div></div>
<p>The loop is closed.</p>Managing FreeBSD Jails with Ansible - part 32021-06-14T00:00:00+02:002021-06-14T00:00:00+02:00/2021/06/14/jails-part-3<ul id="markdown-toc">
<li><a href="#network-role" id="markdown-toc-network-role">Network role</a></li>
<li><a href="#firewall-role" id="markdown-toc-firewall-role">Firewall role</a></li>
<li><a href="#jails-role" id="markdown-toc-jails-role">Jails role</a> <ul>
<li><a href="#install-and-configure-bastille" id="markdown-toc-install-and-configure-bastille">Install and configure Bastille</a></li>
<li><a href="#bootstrap-a-release" id="markdown-toc-bootstrap-a-release">Bootstrap a release</a></li>
</ul>
</li>
<li><a href="#web-role" id="markdown-toc-web-role">Web role</a> <ul>
<li><a href="#prepare-the-nginx-template" id="markdown-toc-prepare-the-nginx-template">Prepare the nginx template</a></li>
<li><a href="#create-a-nginx-jail" id="markdown-toc-create-a-nginx-jail">Create a nginx jail</a></li>
<li><a href="#template-the-nginx-jail" id="markdown-toc-template-the-nginx-jail">Template the nginx jail</a></li>
</ul>
</li>
<li><a href="#run-the-playbook" id="markdown-toc-run-the-playbook">Run the playbook</a></li>
<li><a href="#test-the-service" id="markdown-toc-test-the-service">Test the service</a></li>
</ul>
<p>In the <a href="/2021/06/09/jails-part-2.html">second part</a>, we adapted our Ansible project to manage Jails with vnet.<br />
The two first posts was useful to understand basic Jail creation, let’s now wrap it with <a href="https://github.com/BastilleBSD/bastille">Bastille</a>.<br />
Bastille is the BSD Docker-like toolset for managing containers.<br />
That solution has many advantages, it wraps useful <a href="https://github.com/BastilleBSD/bastille#basic-usage">commands</a> to manage Jails without having to rewrite it with Ansible.<br />
It also has a <a href="https://github.com/BastilleBSD/bastille#bastille-template">template</a> feature to automate Jail provisionning.<br />
The <code class="language-bash highlighter-rouge">template</code> automate Jails creation with a <code class="language-bash highlighter-rouge">Bastillefile</code>. Note the docker reference, even the syntax looks similar.</p>
<blockquote>
<p>So why wrapping Bastille with Ansible ?</p>
</blockquote>
<p>Using Bastille let you provision a Jail easily, but it does not wrap Jails creation nor automate the configuration of your services. My goal is that Ansible manages automatically everything related to your service, if you need to update a config file or anything, just do it in your project and run <em>ansible-playbook</em>, to deploy and restart everything properly.</p>
<p>Following Bastille documentation, we will configure the server as if it was in DMZ, using <a href="https://www.openbsd.org/faq/pf/">pf</a> as firewall to expose containers ports.</p>
<p>Clean all roles in the Ansible project, and configurations on the server, from previous parts.<br />
By the way, this post shows how Ansible is kind of auto documented, as each tasks has a name, the Ansible code is pretty clean to read, even if you don’t know the tool.</p>
<h3 id="network-role">Network role</h3>
<p>We need to match <a href="https://github.com/BastilleBSD/bastille#network-requirements">network requirements</a>.<br />
Create a <em>network</em> role.<br />
<code class="language-bash highlighter-rouge">meta: flush_handlers</code> task triggers handlers without waiting the end of the play.</p>
<p><code class="language-bash highlighter-rouge">roles/network/tasks/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add lo1 interface</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">cloned_interfaces</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">value_present</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">lo1"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Name lo1 interface bastille0</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ifconfig_lo1_name</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille0"</span>
<span class="na">notify</span><span class="pi">:</span> <span class="s">netif cloneup</span>
<span class="pi">-</span> <span class="na">meta</span><span class="pi">:</span> <span class="s">flush_handlers</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/network/handlers/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">netif cloneup</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s">service netif cloneup</span>
</code></pre></div></div>
<h3 id="firewall-role">Firewall role</h3>
<p>Create a <em>firewall</em> role.<br />
<code class="language-bash highlighter-rouge">roles/firewall/tasks/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">enable pf</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">pf_enable</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YES"</span>
<span class="na">notify</span><span class="pi">:</span> <span class="s">start pf</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">enable pflog</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">pflog_enable</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YES"</span>
<span class="na">notify</span><span class="pi">:</span> <span class="s">start pflog</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">template pf.conf</span>
<span class="na">template</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">pf.conf.j2</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s">/etc/pf.conf</span>
<span class="na">notify</span><span class="pi">:</span> <span class="s">reload pf</span>
<span class="pi">-</span> <span class="na">meta</span><span class="pi">:</span> <span class="s">flush_handlers</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/firewall/templates/pf.conf.j2</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">ext_if</span><span class="o">=</span><span class="s2">"{{ ansible_default_ipv4.interface }}"</span>
<span class="c">### Default block policy is to return a reset packet</span>
<span class="nb">set </span>block-policy <span class="k">return</span>
<span class="c">### Reassemble fragmented packets</span>
scrub <span class="k">in </span>on <span class="nv">$ext_if</span> all fragment reassemble
<span class="c">### Ignore loopback interface</span>
<span class="nb">set </span>skip on lo
<span class="c">### Allow empty table to exist</span>
table <jails> persist
<span class="c">### Nat in jails table</span>
nat on <span class="nv">$ext_if</span> from <jails> to any -> <span class="o">(</span><span class="nv">$ext_if</span>:0<span class="o">)</span>
<span class="c">### Static rdr</span>
<span class="c"># rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45</span>
<span class="c">### Enable dynamic rdr (see below)</span>
rdr-anchor <span class="s2">"rdr/*"</span>
<span class="c">### Block on incoming traffic</span>
block <span class="k">in </span>all
<span class="c">### Allow outgoing, skip others rules if match, and track connections</span>
pass out quick keep state
<span class="c">### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface</span>
<span class="c">### And block incoming traffic from $ext_if IP on $ext_if interface</span>
antispoof <span class="k">for</span> <span class="nv">$ext_if</span> inet
<span class="c">### Allow SSH</span>
pass <span class="k">in </span>inet proto tcp from any to any port ssh flags S/SA keep state
</code></pre></div></div>
<p>We use <code class="language-bash highlighter-rouge">async</code> on <code class="language-bash highlighter-rouge">pf start</code> handler to <a href="https://docs.ansible.com/ansible/latest/user_guide/playbooks_async.html#avoid-connection-timeouts-poll-0">keep ansible connection</a> up.<br />
For the <code class="language-bash highlighter-rouge">reload pf</code> handler, we first test that the config file is valid with <code class="language-bash highlighter-rouge"><span class="nt">-n</span></code> and apply the configuration only if it succeed.<br />
<code class="language-bash highlighter-rouge">roles/firewall/handlers/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">start pf</span>
<span class="na">service</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">pf</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">started</span>
<span class="na">async</span><span class="pi">:</span> <span class="m">45</span>
<span class="na">poll</span><span class="pi">:</span> <span class="m">5</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">start pflog</span>
<span class="na">service</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">pflog</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">started</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">reload pf</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s">pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf</span>
</code></pre></div></div>
<h3 id="jails-role">Jails role</h3>
<h4 id="install-and-configure-bastille">Install and configure Bastille</h4>
<p>Create a role <code class="language-bash highlighter-rouge">jails</code>.<br />
Bastille will be configured to use ZFS.</p>
<p><code class="language-bash highlighter-rouge">roles/jails/tasks/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">install bastille</span>
<span class="na">pkgng</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">bastille</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">enable bastille</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">bastille_enable</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YES"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">add bastille devfs rule</span>
<span class="na">blockinfile</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s">/etc/devfs.rules</span>
<span class="na">marker</span><span class="pi">:</span> <span class="s2">"</span><span class="s"><!--</span><span class="nv"> </span><span class="s">{mark}</span><span class="nv"> </span><span class="s">ANSIBLE</span><span class="nv"> </span><span class="s">MANAGED</span><span class="nv"> </span><span class="s">vnet</span><span class="nv"> </span><span class="s">-->"</span>
<span class="na">create</span><span class="pi">:</span> <span class="s">yes</span>
<span class="na">block</span><span class="pi">:</span> <span class="pi">|</span>
<span class="s">[bastille_vnet=13]</span>
<span class="s">add path 'bpf*' unhide</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">enable zfs for bastille</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.name</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.value</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">path</span><span class="pi">:</span> <span class="s">/usr/local/etc/bastille/bastille.conf</span>
<span class="na">loop</span><span class="pi">:</span>
<span class="pi">-</span> <span class="pi">{</span> <span class="nv">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille_zfs_enable"</span><span class="pi">,</span> <span class="nv">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YES"</span> <span class="pi">}</span>
<span class="pi">-</span> <span class="pi">{</span> <span class="nv">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille_zfs_zpool"</span><span class="pi">,</span> <span class="nv">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">zroot"</span> <span class="pi">}</span>
</code></pre></div></div>
<h4 id="bootstrap-a-release">Bootstrap a release</h4>
<p>Bootstrap the latest realease and configure it to use latest pkgs.<br />
<em>Releases</em> in Bastille is the template which will be use to layer up your jails.<br />
So each configuration made to a release will be applied to all new jails created from this release.</p>
<p>Add a var to <code class="language-bash highlighter-rouge">group_vars/all.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">release</span><span class="pi">:</span> <span class="s">13.0-RELEASE</span>
</code></pre></div></div>
<p>Then, add tasks to bootstrap the release from that var.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bootstrap {{ release }} release</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille</span><span class="nv"> </span><span class="s">bootstrap</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">release</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">args</span><span class="pi">:</span> <span class="s">creates="/usr/local/bastille/releases/{{ release }}"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">configure bootstrap to use latest pkgs</span>
<span class="na">replace</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/bastille/releases/{{</span><span class="nv"> </span><span class="s">release</span><span class="nv"> </span><span class="s">}}/etc/pkg/FreeBSD.conf"</span>
<span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^(.*)quarterly(.*)$'</span>
<span class="na">replace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">\1latest\2'</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">update bootstrap</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille</span><span class="nv"> </span><span class="s">update</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">release</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<h3 id="web-role">Web role</h3>
<h4 id="prepare-the-nginx-template">Prepare the nginx template</h4>
<p>Create a role <em>nginx</em>.</p>
<p>Here’s the interesting part. With a <code class="language-bash highlighter-rouge">Bastillefile</code>, you automate your service provisionning.<br />
Here we tell the template to install <code class="language-bash highlighter-rouge">nginx</code> and enable it. Then we create our <code class="language-bash highlighter-rouge">/data/www</code> dir in the jail, to bind the one from the host in it. We also overlay the nginx config file with <code class="language-bash highlighter-rouge">CP usr .</code>. Finally we check if the config file is valid and then restart the service.<br />
The <code class="language-bash highlighter-rouge">RDR</code> line dynamically generate a rule for pf to redirect the http port from the host to the jail.</p>
<p><code class="language-bash highlighter-rouge">roles/nginx/files/Bastillefile</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PKG nginx
SYSRC <span class="nv">nginx_enable</span><span class="o">=</span>YES
CMD <span class="nb">mkdir</span> <span class="nt">-p</span> /data/www
CP usr <span class="nb">.</span>
CMD nginx <span class="nt">-t</span>
SERVICE nginx restart
FSTAB /data/www data/www nullfs ro 0 0
RDR tcp 80 80
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/nginx/tasks/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create services template dir</span>
<span class="na">file</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/bastille/templates/services/{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">directory</span>
<span class="na">recurse</span><span class="pi">:</span> <span class="s">yes</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">copy template config files</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">Bastillefile</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/bastille/templates/services/{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}/"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create config path</span>
<span class="na">file</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/bastille/templates/services/{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}/usr/local/etc/nginx/"</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">directory</span>
<span class="na">recurse</span><span class="pi">:</span> <span class="s">yes</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">copy config file</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">nginx.conf</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/bastille/templates/services/{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}/usr/local/etc/nginx/"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create data/www dataset</span>
<span class="s">community.general.zfs</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">zroot/www</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">present</span>
<span class="na">extra_zfs_properties</span><span class="pi">:</span>
<span class="na">mountpoint</span><span class="pi">:</span> <span class="s">/data/www</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/nginx/files/nginx.conf</code></p>
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">http</span> {
<span class="n">server</span> {
<span class="n">listen</span> <span class="m">80</span>;
<span class="n">server_name</span> <span class="n">localhost</span>;
<span class="n">location</span> / {
<span class="n">root</span> /<span class="n">data</span>/<span class="n">www</span>;
<span class="n">index</span> <span class="n">index</span>.<span class="n">html</span> <span class="n">index</span>.<span class="n">htm</span>;
}
}
}
</code></pre></div></div>
<p>Add the task to copy the website to the host dir, mounted in the jail.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">copy index.html</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">index.html</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s">/data/www/</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/nginx/files/index.html</code></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><html></span>
<span class="nt"><p></span>A website without any JS !<span class="nt"></p></span>
<span class="nt"></html></span>
</code></pre></div></div>
<h4 id="create-a-nginx-jail">Create a nginx jail</h4>
<p>We set, at jail creation, its static IP in any private subnet which differs from your gateway one, following the advice of the Bastille <a href="https://github.com/BastilleBSD/bastille#tip-3">README.md</a>.</p>
<blockquote>
<p>Pick any private address and be done with it. These are all isolated networks. In the end, what matters is you can map host:port to container:port reliably, and we can.</p>
</blockquote>
<p>Add your Jail IP to <code class="language-bash highlighter-rouge">group_vars/all.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">jails</span><span class="pi">:</span>
<span class="na">nginx</span><span class="pi">:</span> <span class="s">10.0.0.1</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">roles/nginx/tasks/main.yml</code></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create jail</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille</span><span class="nv"> </span><span class="s">create</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">release</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">jails[role_name]</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">args</span><span class="pi">:</span>
<span class="na">creates</span><span class="pi">:</span> <span class="s">/usr/local/bastille/jails/{{ role_name }}</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">start jail</span>
<span class="c1"># https://github.com/BastilleBSD/bastille/issues/342</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s">bastille start {{ role_name }} || </span><span class="no">true</span>
</code></pre></div></div>
<h4 id="template-the-nginx-jail">Template the nginx jail</h4>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">template jail</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bastille</span><span class="nv"> </span><span class="s">template</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">services/{{</span><span class="nv"> </span><span class="s">role_name</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<h3 id="run-the-playbook">Run the playbook</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible-playbook playbook.yml <span class="nt">-t</span> network,firewall,jails,nginx
PLAY <span class="o">[</span>host-test] <span class="k">***************************************************************************************************</span>
TASK <span class="o">[</span>Gathering Facts] <span class="k">*********************************************************************************************</span>
ok: <span class="o">[</span>host-test]
TASK <span class="o">[</span>network : Add lo1 interface] <span class="k">*********************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>network : Name lo1 interface bastille0] <span class="k">**********************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>network : meta] <span class="k">**********************************************************************************************</span>
RUNNING HANDLER <span class="o">[</span>network : netif cloneup] <span class="k">**************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>firewall : <span class="nb">enable </span>pf] <span class="k">****************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>firewall : <span class="nb">enable </span>pflog] <span class="k">*************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>firewall : template pf.conf] <span class="k">*********************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>firewall : meta] <span class="k">*********************************************************************************************</span>
RUNNING HANDLER <span class="o">[</span>firewall : start pf] <span class="k">******************************************************************************</span>
changed: <span class="o">[</span>host-test]
RUNNING HANDLER <span class="o">[</span>firewall : start pflog] <span class="k">***************************************************************************</span>
changed: <span class="o">[</span>host-test]
RUNNING HANDLER <span class="o">[</span>firewall : reload pf] <span class="k">*****************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : <span class="nb">install </span>bastille] <span class="k">************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : <span class="nb">enable </span>bastille] <span class="k">*************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : add bastille devfs rule] <span class="k">*****************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : <span class="nb">enable </span>zfs <span class="k">for </span>bastille] <span class="k">*****************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">={</span><span class="s1">'name'</span>: <span class="s1">'bastille_zfs_enable'</span>, <span class="s1">'value'</span>: <span class="s1">'YES'</span><span class="o">})</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">={</span><span class="s1">'name'</span>: <span class="s1">'bastille_zfs_zpool'</span>, <span class="s1">'value'</span>: <span class="s1">'zroot'</span><span class="o">})</span>
TASK <span class="o">[</span>jails : bootstrap 13.0-RELEASE release] <span class="k">**********************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : configure bootstrap to use latest pkgs] <span class="k">**************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : update bootstrap] <span class="k">************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : create services template <span class="nb">dir</span><span class="o">]</span> <span class="k">************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : copy template config files] <span class="k">**************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : create config path] <span class="k">**********************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : copy config file] <span class="k">************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : create data/www <span class="nb">dir</span><span class="o">]</span> <span class="k">*********************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : copy index.html] <span class="k">*************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : create jail] <span class="k">*****************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : start jail] <span class="k">******************************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>nginx : template jail] <span class="k">***************************************************************************************</span>
changed: <span class="o">[</span>host-test]
PLAY RECAP <span class="k">*********************************************************************************************************</span>
host-test : <span class="nv">ok</span><span class="o">=</span>26 <span class="nv">changed</span><span class="o">=</span>25 <span class="nv">unreachable</span><span class="o">=</span>0 <span class="nv">failed</span><span class="o">=</span>0 <span class="nv">skipped</span><span class="o">=</span>0 <span class="nv">rescued</span><span class="o">=</span>0 <span class="nv">ignored</span><span class="o">=</span>0
</code></pre></div></div>
<h3 id="test-the-service">Test the service</h3>
<p>From the server.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>curl http://10.0.0.1
<html>
<p>A website without any JS <span class="o">!</span></p>
</html>
</code></pre></div></div>
<p>From a client in the gateway subnet, if the <em>dynamic RDR</em> worked, it should be reachable.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>curl http://192.168.0.100
<html>
<p>A website without any JS <span class="o">!</span></p>
</html>
</code></pre></div></div>
<p>If your server is in your <em>DMZ</em>, then your service in reachable from internet too.<br />
You can now easily add new services by creating one role per service and use the nginx one as exemple.</p>Managing FreeBSD Jails with Ansible - part 22021-06-09T00:00:00+02:002021-06-09T00:00:00+02:00/2021/06/09/jails-part-2<ul id="markdown-toc">
<li><a href="#clean-environment" id="markdown-toc-clean-environment">Clean environment</a></li>
<li><a href="#install-jib-script" id="markdown-toc-install-jib-script">Install jib script</a></li>
<li><a href="#configure-network-stack-in-jails" id="markdown-toc-configure-network-stack-in-jails">Configure network stack in jails</a></li>
<li><a href="#configure-epair-interface-in-jails-template" id="markdown-toc-configure-epair-interface-in-jails-template">Configure epair interface in jails template</a></li>
<li><a href="#run-the-playbook-and-test-connectivity" id="markdown-toc-run-the-playbook-and-test-connectivity">Run the playbook and test connectivity</a></li>
</ul>
<p>In the <a href="/2021/06/08/jails-part-1.html">first part</a>, we created the Ansible project to manage Jails with shared IP. In this post, we will adapt our playbook to create <a href="https://www.unix.com/man-page/freebsd/9/vimage/">vnet</a> jails.</p>
<p><code class="language-bash highlighter-rouge">vnet</code> gives to jails their own network stacks. Each Jail will have a specific network interface with <a href="https://www.freebsd.org/cgi/man.cgi?query=epair&sektion=4&manpath=freebsd-release-ports">epair</a> connected to a <a href="https://www.freebsd.org/cgi/man.cgi?query=bridge&sektion=4&manpath=freebsd-release-ports">bridge</a>. Let’s quote something I read in a forum which resume well how it works:</p>
<blockquote>
<p>Analogous to a physical network, a bridge interface works like a software switch, an epair works like a virtual network cable and a jail acts as a virtual computer.</p>
</blockquote>
<p>The bridge creation will be automated with <a href="https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a51307f9f2e/share/examples/jails/jib">jib</a> script.<br />
Let’s adapt our playbook to create that kind of jail networking.</p>
<p>There is only few steps, but before all, reset our first configurations.</p>
<h3 id="clean-environment">Clean environment</h3>
<p>Remove the task which creates aliases, and remove them from your system.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"service jail stop bind && service jail stop nginx"</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> lineinfile <span class="nt">-a</span> <span class="s1">'path=/etc/rc.conf regexp=".*alias.*" state=absent'</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> file <span class="nt">-a</span> <span class="s1">'path=/etc/jail.conf state=absent'</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> zfs <span class="nt">-a</span> <span class="s1">'name=zroot/jails/bind state=absent'</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> zfs <span class="nt">-a</span> <span class="s1">'name=zroot/jails/nginx state=absent'</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> raw <span class="nt">-a</span> <span class="s2">"service netif restart"</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> raw <span class="nt">-a</span> <span class="s2">"service routing restart"</span>
</code></pre></div></div>
<h3 id="install-jib-script">Install jib script</h3>
<p>Add a task to copy the script in your <code class="language-bash highlighter-rouge"><span class="nv">$path</span></code> with execution perms.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">install jib script</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">/usr/share/examples/jails/jib</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s">/usr/local/bin/</span>
<span class="na">remote_src</span><span class="pi">:</span> <span class="s">yes</span>
<span class="na">mode</span><span class="pi">:</span> <span class="m">0755</span>
</code></pre></div></div>
<h3 id="configure-network-stack-in-jails">Configure network stack in jails</h3>
<p>At jail startup, <code class="language-bash highlighter-rouge">jib</code> will create a bridge if non existent, create epairs and automatically attach them to the bridge. Stopping the jail will destroy interfaces but not the bridge.<br />
Let’s change our task to declare to use that script in <code class="language-bash highlighter-rouge">exec.prestart</code> and <code class="language-bash highlighter-rouge">exec.poststop</code>.</p>
<div class="language-diff highlighter-rouge"><div class="highlight"><pre class="highlight"><code> - name: declare jails
<span class="gd">- vars:
- alias_ip: "{{ inet | ipmath(ansible_loop.index) }}"
</span> blockinfile:
path: /etc/jail.conf
marker: "# {mark} ANSIBLE MANAGED: {{ item }}"
block: |
{{ item }} {
host.hostname = "{{ item }}.domain.local";
path = "/usr/local/jails/{{ item }}";
exec.consolelog = "/var/log/jail_{{ item }}.log";
<span class="gd">- ip4.addr = {{ alias_ip }};
</span><span class="gi">+ vnet;
+ vnet.interface = "e0b_{{ item }}";
+ exec.prestart += "jib addm {{ item }} {{ ansible_default_ipv4.interface }}";
+ exec.poststop += "jib destroy {{ item }}";
</span> }
loop: "{{ jails | sort | flatten(levels=1) }}"
<span class="gd">- loop_control:
- extended: yes
</span></code></pre></div></div>
<h3 id="configure-epair-interface-in-jails-template">Configure epair interface in jails template</h3>
<p>Edit the bsdinstall template to add epair interface configuration and default gateway.</p>
<div class="language-diff highlighter-rouge"><div class="highlight"><pre class="highlight"><code> - name: template bsdinstall script
<span class="gi">+ vars:
+ jail_ip: "{{ inet | ipmath(ansible_loop.index) }}"
</span> copy:
dest: "/usr/local/jails/{{ item }}.template"
content: |
DISTRIBUTIONS="base.txz"
export nonInteractive="YES"
#!/bin/sh
sysrc sshd_enable="YES"
<span class="gi">+ sysrc ifconfig_e0b_{{ item }}="inet {{ jail_ip }} netmask 255.255.255.0"
+ sysrc defaultrouter="{{ gateway }}"
</span> pkg install -y python37
mkdir /root/.ssh
chmod 600 /root/.ssh
loop: "{{ jails | sort | flatten(levels=1) }}"
<span class="gi">+ loop_control:
+ extended: yes
</span></code></pre></div></div>
<h3 id="run-the-playbook-and-test-connectivity">Run the playbook and test connectivity</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible-playbook playbook.yml
<span class="o">[</span>...]
TASK <span class="o">[</span>jails : create zfs per jail dataset] <span class="k">***************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : template bsdinstall script] <span class="k">****************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : bsdinstall jails] <span class="k">**************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : authorize your ssh key] <span class="k">********************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : permit root login] <span class="k">*************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : <span class="nb">set </span>default jails config] <span class="k">******************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : <span class="nb">declare </span>jails] <span class="k">*****************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : start jails at startup] <span class="k">********************************************</span>
ok: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : start jails] <span class="k">*******************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
PLAY RECAP <span class="k">***********************************************************************</span>
host-test : <span class="nv">ok</span><span class="o">=</span>11 <span class="nv">changed</span><span class="o">=</span>8 <span class="nv">unreachable</span><span class="o">=</span>0 <span class="nv">failed</span><span class="o">=</span>0 <span class="nv">skipped</span><span class="o">=</span>0 <span class="nv">rescued</span><span class="o">=</span>0 <span class="nv">ignored</span><span class="o">=</span>0
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">jib</code> created a bridge and attached jails interfaces in it.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"ifconfig vtnet0bridge | grep member"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
member: e0a_nginx <span class="nv">flags</span><span class="o">=</span>143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: e0a_bind <span class="nv">flags</span><span class="o">=</span>143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: vtnet0 <span class="nv">flags</span><span class="o">=</span>143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
</code></pre></div></div>
<p>Let’s check if jails are running.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jls"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
JID IP Address Hostname Path
3 bind.domain.local /usr/local/jails/bind
4 nginx.domain.local /usr/local/jails/nginx
</code></pre></div></div>
<p>As IP is configured in the Jail, host doesn’t know which one it is.<br />
<code class="language-bash highlighter-rouge">e0b_<span class="k">*</span></code> interfaces are attached to jails.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jexec bind ifconfig | grep e0b"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
e0b_bind: <span class="nv">flags</span><span class="o">=</span>8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jexec nginx ifconfig | grep e0b"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
e0b_nginx: <span class="nv">flags</span><span class="o">=</span>8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible <span class="nb">bind</span>:nginx <span class="nt">-m</span> ping
nginx | SUCCESS <span class="o">=></span> <span class="o">{</span>
<span class="s2">"ansible_facts"</span>: <span class="o">{</span>
<span class="s2">"discovered_interpreter_python"</span>: <span class="s2">"/usr/local/bin/python3.7"</span>
<span class="o">}</span>,
<span class="s2">"changed"</span>: <span class="nb">false</span>,
<span class="s2">"ping"</span>: <span class="s2">"pong"</span>
<span class="o">}</span>
<span class="nb">bind</span> | SUCCESS <span class="o">=></span> <span class="o">{</span>
<span class="s2">"ansible_facts"</span>: <span class="o">{</span>
<span class="s2">"discovered_interpreter_python"</span>: <span class="s2">"/usr/local/bin/python3.7"</span>
<span class="o">}</span>,
<span class="s2">"changed"</span>: <span class="nb">false</span>,
<span class="s2">"ping"</span>: <span class="s2">"pong"</span>
<span class="o">}</span>
</code></pre></div></div>
<p>Jails are now exposed on my private subnet with their own network stack and reachable by Ansible.</p>
<p>We learned how to automate shared IP and vnet Jails provisionning with Ansible.<br />
Managing Jails is more than just provision it, you’ll need to maintain it, by upgrading packages or releases.<br />
In the network side, you would use a private subnet to isolate your jails from your local private subnet, and NAT to have the abilitiy to allow/deny access, or forward a port to the right Jail.</p>
<p>Full raw Ansible management is possible, but there already exists some clever wrapper with great features, like <a href="https://github.com/cbsd/cbsd">cbsd</a>, <a href="https://github.com/iocage/iocage">iocage</a>, or <a href="https://github.com/BastilleBSD/bastille">bastille</a>.<br />
In the <a href="/2021/06/14/jails-part-3.html">next part</a>, I’ll focus on <code class="language-bash highlighter-rouge">bastille</code> and how to automate our jails management with it, still wrapped by Ansible.</p>Managing FreeBSD Jails with Ansible - part 12021-06-08T00:00:00+02:002021-06-08T00:00:00+02:00/2021/06/08/jails-part-1<ul id="markdown-toc">
<li><a href="#init-ansible" id="markdown-toc-init-ansible">Init Ansible</a> <ul>
<li><a href="#create-project-and-configure" id="markdown-toc-create-project-and-configure">Create project and configure</a></li>
<li><a href="#make-your-project-configurable" id="markdown-toc-make-your-project-configurable">Make your project configurable</a></li>
<li><a href="#prepare-the-jails-host" id="markdown-toc-prepare-the-jails-host">Prepare the jails host</a></li>
</ul>
</li>
<li><a href="#shared-ip-jail" id="markdown-toc-shared-ip-jail">Shared IP Jail</a> <ul>
<li><a href="#configure-ip-aliases" id="markdown-toc-configure-ip-aliases">Configure IP aliases</a></li>
<li><a href="#provision-jails-environments" id="markdown-toc-provision-jails-environments">Provision jails environments</a></li>
<li><a href="#declare-your-jails" id="markdown-toc-declare-your-jails">Declare your jails</a></li>
<li><a href="#run-and-test" id="markdown-toc-run-and-test">Run and test</a></li>
</ul>
</li>
</ul>
<p>When it comes to manage an OS configuration, I always fully automate the process, it is a oneshot work, you write it, test it, forget it, until you need to modify the process. I kind of use Ansible to make the work concrete as I use my blog to clarify my ideas.</p>
<p><a href="https://docs.freebsd.org/en/books/handbook/jails/">Jails</a> are like containers for FreeBSD, it lets you isolate your services from each others. Each Jail has its own IP, there are different ways to manage networking, let’s explore automation for each.</p>
<h3 id="init-ansible">Init Ansible</h3>
<h4 id="create-project-and-configure">Create project and configure</h4>
<p>Create your Ansible project root and git it.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">mkdir </span>jails <span class="o">&&</span> <span class="nb">cd </span>jails
<span class="nv">$ </span>git init
<span class="nv">$ </span><span class="nb">mkdir </span>roles group_vars
</code></pre></div></div>
<p>Create inventory, if your host is configured with DHCP, check its IP.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"host-test ansible_host=192.168.0.44"</span> <span class="o">></span> hosts
</code></pre></div></div>
<p>Configure Ansible.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> > ansible.cfg
[defaults]
stdout_callback = yaml
inventory = hosts
remote_user = root
interpreter_python = auto_silent
</span><span class="no">EOF
</span></code></pre></div></div>
<p>And create the playbook, with a role <code class="language-bash highlighter-rouge">jails</code>.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> > playbook.yml
---
- hosts: host-test
roles:
- { role: jails, tags: jails }
</span><span class="no">EOF
</span><span class="nv">$ </span><span class="nb">mkdir</span> <span class="nt">-p</span> roles/jails/tasks
</code></pre></div></div>
<p>Install <code class="language-bash highlighter-rouge">community.general</code> collection, it contains <a href="https://docs.ansible.com/ansible/latest/collections/community/general/sysrc_module.html">sysrc</a> ansible module to safely edit <code class="language-bash highlighter-rouge">rc.conf</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible-galaxy collection <span class="nb">install </span>community.general
</code></pre></div></div>
<h4 id="make-your-project-configurable">Make your project configurable</h4>
<p>Add a configuration file as <code class="language-bash highlighter-rouge">group_vars/all.yml</code>, with 3 vars. We will increment the static IP of the host in tasks, so choose an IP which can be incremented as many time as you have jails.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">inet</span><span class="pi">:</span> <span class="s">192.168.0.100</span>
<span class="na">netmask</span><span class="pi">:</span> <span class="s">255.255.255.0</span>
<span class="na">gateway</span><span class="pi">:</span> <span class="s">192.168.0.254</span>
</code></pre></div></div>
<h4 id="prepare-the-jails-host">Prepare the jails host</h4>
<p>Bootstrap <a href="https://docs.ansible.com/ansible/latest/user_guide/intro_bsd.html#bootstrapping-bsd">FreeBSD for Ansible</a>.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> raw <span class="nt">-a</span> <span class="s2">"pkg install -y python37"</span>
</code></pre></div></div>
<p>Configure your default network interface.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> sysrc <span class="nt">-a</span> <span class="s1">'name="ifconfig_{{ ansible_default_ipv4.interface }}" value="inet {{ inet }} netmask {{ netmask }}"'</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> sysrc <span class="nt">-a</span> <span class="s1">'name="defaultrouter" value="{{ gateway }}"'</span>
</code></pre></div></div>
<p>Restart <code class="language-bash highlighter-rouge">netif</code> and <code class="language-bash highlighter-rouge">routing</code> services to read you network configuration for <code class="language-bash highlighter-rouge">rc.conf</code>.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> raw <span class="nt">-a</span> <span class="s2">"service netif restart"</span>
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> raw <span class="nt">-a</span> <span class="s2">"service routing restart"</span>
</code></pre></div></div>
<p>Adapt your inventory with the new static IP and you’re ready.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"host-test ansible_host=192.168.0.100"</span> <span class="o">></span> hosts
</code></pre></div></div>
<h3 id="shared-ip-jail">Shared IP Jail</h3>
<p>The simpler way to create a Jail is to add IP alias to you network interface and then bind that IP to your Jail.<br />
For the exemple, let’s create 2 jails, <code class="language-bash highlighter-rouge"><span class="nb">bind</span></code> and <code class="language-bash highlighter-rouge">nginx</code>.<br />
First we need to create two IP aliases, default IP is incremented with <code class="language-bash highlighter-rouge">ipmath</code> which needs <code class="language-bash highlighter-rouge">netaddr</code> python package installed on the controller.</p>
<p>Let’s declare our jails in a list in <code class="language-bash highlighter-rouge">group_vars/all.yml</code>.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">jails</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">bind</span>
<span class="pi">-</span> <span class="s">nginx</span>
</code></pre></div></div>
<h4 id="configure-ip-aliases">Configure IP aliases</h4>
<p>We use <a href="https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#extended-loop-variables">extended loop vars</a> to increment <code class="language-bash highlighter-rouge">inet</code> IP with <code class="language-bash highlighter-rouge">ipmath</code> which needs <code class="language-bash highlighter-rouge">netaddr</code> python package installed on the controller. <code class="language-bash highlighter-rouge">ansible_loop.index0</code> starts index at <code class="language-bash highlighter-rouge">0</code> instead of <code class="language-bash highlighter-rouge">1</code>.<br />
To be sure that the list will always be processed in the same order, it needs to be explicitly sorted.</p>
<p>In <code class="language-bash highlighter-rouge">roles/jails/tasks/main.yml</code>.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create IP aliases for jails</span>
<span class="na">vars</span><span class="pi">:</span>
<span class="na">alias_ip</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">inet</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">ipmath(ansible_loop.index)</span><span class="nv"> </span><span class="s">}}"</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ifconfig_{{</span><span class="nv"> </span><span class="s">ansible_default_ipv4.interface</span><span class="nv"> </span><span class="s">}}_alias{{</span><span class="nv"> </span><span class="s">ansible_loop.index0</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">inet</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">alias_ip</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">netmask</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">netmask</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">loop_control</span><span class="pi">:</span>
<span class="na">extended</span><span class="pi">:</span> <span class="s">yes</span>
<span class="na">notify</span><span class="pi">:</span> <span class="s">restart netif</span>
</code></pre></div></div>
<p>You need a handler to trigger the <code class="language-bash highlighter-rouge">netif</code> service restart on configuration update.</p>
<p>In <code class="language-bash highlighter-rouge">roles/jails/handlers/main.yml</code>.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">restart netif</span>
<span class="na">service</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">netif</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">restarted</span>
</code></pre></div></div>
<p>Run your playbook, and test.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible-playbook playbook.yml
PLAY <span class="o">[</span>host-test] <span class="k">***************************************************************************************************</span>
TASK <span class="o">[</span>Gathering Facts] <span class="k">*********************************************************************************************</span>
ok: <span class="o">[</span>host-test]
TASK <span class="o">[</span>network : create IP aliases <span class="k">for </span>jails] <span class="k">***********************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
RUNNING HANDLER <span class="o">[</span>network : restart netif] <span class="k">**************************************************************************</span>
changed: <span class="o">[</span>host-test]
PLAY RECAP <span class="k">*********************************************************************************************************</span>
host-test : <span class="nv">ok</span><span class="o">=</span>3 <span class="nv">changed</span><span class="o">=</span>2 <span class="nv">unreachable</span><span class="o">=</span>0 <span class="nv">failed</span><span class="o">=</span>0 <span class="nv">skipped</span><span class="o">=</span>0 <span class="nv">rescued</span><span class="o">=</span>0 <span class="nv">ignored</span><span class="o">=</span>0
</code></pre></div></div>
<p>Your host now has two aliases configured.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"ifconfig vtnet0 | grep inet"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
inet 192.168.0.101 netmask 0xffffff00 broadcast 192.168.0.255
inet 192.168.0.102 netmask 0xffffff00 broadcast 192.168.0.255
</code></pre></div></div>
<h4 id="provision-jails-environments">Provision jails environments</h4>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create zfs jails dataset</span>
<span class="s">community.general.zfs</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">zroot/jails</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">present</span>
<span class="na">extra_zfs_properties</span><span class="pi">:</span>
<span class="na">mountpoint</span><span class="pi">:</span> <span class="s">/usr/local/jails</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create zfs per jail dataset</span>
<span class="s">community.general.zfs</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">zroot/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">state</span><span class="pi">:</span> <span class="s">present</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<p>Install FreeBSD on the jails with a custom <code class="language-bash highlighter-rouge">bsdinstall</code> script.<br />
I faced an issue here, <code class="language-bash highlighter-rouge">bsdinstall</code> uses its <code class="language-bash highlighter-rouge">jail</code> argument to target the specific environment, and its <code class="language-bash highlighter-rouge">script</code> argument to automate the process. Using both make it ignore the second one.</p>
<p>I improved the <code class="language-bash highlighter-rouge">jail</code> script to be able to use a <code class="language-bash highlighter-rouge">SCRIPT</code> env var with the script path, to automate in jail provisionning and <a href="https://github.com/freebsd/freebsd-src/pull/473">created a PR</a>.</p>
<p>Now let’s create templates for automated provisionning.<br />
Let’s install python3 and enable <code class="language-bash highlighter-rouge">sshd</code> to be able to use Ansible on our jails.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">template bsdinstall script</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}.template"</span>
<span class="na">content</span><span class="pi">:</span> <span class="pi">|</span>
<span class="s">DISTRIBUTIONS="base.txz"</span>
<span class="s">export nonInteractive="YES"</span>
<span class="s">#!/bin/sh</span>
<span class="s">pkg install -y python37</span>
<span class="s">sysrc sshd_enable="YES"</span>
<span class="s">mkdir /root/.ssh</span>
<span class="s">chmod 600 /root/.ssh</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<p>Trigger the provisionning with the <code class="language-bash highlighter-rouge">shell</code> module and <code class="language-bash highlighter-rouge">args: creates:</code> to make it idempotent.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bsdinstall jails</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s">bsdinstall jail /usr/local/jails/"{{ item }}"</span>
<span class="na">environment</span><span class="pi">:</span>
<span class="na">SCRIPT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}.template"</span>
<span class="na">args</span><span class="pi">:</span>
<span class="na">creates</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}/bin"</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<p>Authorize your ssh public key in jails.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">authorize your ssh key</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">src</span><span class="pi">:</span> <span class="s">~/.ssh/id_rsa.pub</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}/root/.ssh/authorized_keys"</span>
<span class="na">mode</span><span class="pi">:</span> <span class="m">0600</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<p>We finally need to permit root login.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">permit root login</span>
<span class="na">replace</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/local/jails/{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}/etc/ssh/sshd_config"</span>
<span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#(PermitRootLogin).*'</span>
<span class="na">replace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">\1</span><span class="nv"> </span><span class="s">yes'</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<h4 id="declare-your-jails">Declare your jails</h4>
<p>Last thing we need is to declare jails in <code class="language-bash highlighter-rouge">/etc/jail.conf</code>.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">set default jails config</span>
<span class="na">blockinfile</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s">/etc/jail.conf</span>
<span class="na">create</span><span class="pi">:</span> <span class="s">yes</span>
<span class="na">marker</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">{mark}</span><span class="nv"> </span><span class="s">ANSIBLE</span><span class="nv"> </span><span class="s">MANAGED:</span><span class="nv"> </span><span class="s">default"</span>
<span class="na">block</span><span class="pi">:</span> <span class="pi">|</span>
<span class="s">exec.start = "/bin/sh /etc/rc";</span>
<span class="s">exec.stop = "/bin/sh /etc/rc.shutdown";</span>
<span class="s">exec.clean;</span>
<span class="s">mount.devfs;</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">declare jails</span>
<span class="na">vars</span><span class="pi">:</span>
<span class="na">alias_ip</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">inet</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">ipmath(ansible_loop.index)</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">blockinfile</span><span class="pi">:</span>
<span class="na">path</span><span class="pi">:</span> <span class="s">/etc/jail.conf</span>
<span class="na">marker</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">{mark}</span><span class="nv"> </span><span class="s">ANSIBLE</span><span class="nv"> </span><span class="s">MANAGED:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">block</span><span class="pi">:</span> <span class="pi">|</span>
<span class="s">{{ item }} {</span>
<span class="s">host.hostname = "{{ item }}.domain.local";</span>
<span class="s">path = "/usr/local/jails/{{ item }}";</span>
<span class="s">exec.consolelog = "/var/log/jail_{{ item }}.log";</span>
<span class="s">ip4.addr = {{ alias_ip }};</span>
<span class="s">}</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">loop_control</span><span class="pi">:</span>
<span class="na">extended</span><span class="pi">:</span> <span class="s">yes</span>
</code></pre></div></div>
<p>Let’s tell <code class="language-bash highlighter-rouge">rc.conf</code> to run jails at startup.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">start jails at startup</span>
<span class="s">community.general.sysrc</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">jail_enable"</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YES"</span>
</code></pre></div></div>
<p>Finally, add the tasks to start the jails now. We can’t use <code class="language-bash highlighter-rouge">service</code> module here, because <code class="language-bash highlighter-rouge">args</code> argument don’t pass its value to <code class="language-bash highlighter-rouge">service jail <span class="nv">$action</span></code>. The <code class="language-bash highlighter-rouge">service</code> has a rc of <code class="language-bash highlighter-rouge">0</code> if the service is already running, so it’s not a problem to trigger the start at each playbook run.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">start jails</span>
<span class="na">shell</span><span class="pi">:</span> <span class="s">service jail start "{{ item }}"</span>
<span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">jails</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">flatten(levels=1)</span><span class="nv"> </span><span class="s">}}"</span>
</code></pre></div></div>
<h4 id="run-and-test">Run and test</h4>
<p>Run the playbook to provision jails.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible-playbook playbook.yml
<span class="o">[</span>...]
TASK <span class="o">[</span>jails : create zfs jails dataset] <span class="k">****************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : create zfs per jail dataset] <span class="k">*************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : template bsdinstall script] <span class="k">**************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : bsdinstall jails] <span class="k">************************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : authorize your ssh key] <span class="k">********************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : permit root login] <span class="k">*************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : <span class="nb">set </span>default jails config] <span class="k">****************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : <span class="nb">declare </span>jails] <span class="k">***************************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
TASK <span class="o">[</span>jails : start jails at startup] <span class="k">******************************************************************************</span>
changed: <span class="o">[</span>host-test]
TASK <span class="o">[</span>jails : start jails] <span class="k">*****************************************************************************************</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span><span class="nb">bind</span><span class="o">)</span>
changed: <span class="o">[</span>host-test] <span class="o">=></span> <span class="o">(</span><span class="nv">item</span><span class="o">=</span>nginx<span class="o">)</span>
PLAY RECAP <span class="k">*********************************************************************************************************</span>
host-test : <span class="nv">ok</span><span class="o">=</span>4 <span class="nv">changed</span><span class="o">=</span>10 <span class="nv">unreachable</span><span class="o">=</span>0 <span class="nv">failed</span><span class="o">=</span>0 <span class="nv">skipped</span><span class="o">=</span>0 <span class="nv">rescued</span><span class="o">=</span>0 <span class="nv">ignored</span><span class="o">=</span>0
</code></pre></div></div>
<p>List your running jails and check their IP.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jls"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
JID IP Address Hostname Path
1 192.168.0.101 bind.domain.local /usr/local/jails/bind
2 192.168.0.102 nginx.domain.local /usr/local/jails/nginx
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jexec bind ifconfig | grep inet"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
inet 192.168.0.101 netmask 0xffffff00 broadcast 192.168.0.255
<span class="nv">$ </span>ansible host-test <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s2">"jexec nginx ifconfig | grep inet"</span>
host-test | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">>></span>
inet 192.168.0.102 netmask 0xffffff00 broadcast 192.168.0.255
</code></pre></div></div>
<p>You can now reach your jails with Ansible, just add their entries in your inventory.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> >> hosts
bind ansible_host=192.168.0.101
nginx ansible_host=192.168.0.102
</span><span class="no">EOF
</span><span class="nv">$ </span>ansible nginx:bind <span class="nt">-m</span> ping
<span class="nb">bind</span> | SUCCESS <span class="o">=></span> <span class="o">{</span>
<span class="s2">"ansible_facts"</span>: <span class="o">{</span>
<span class="s2">"discovered_interpreter_python"</span>: <span class="s2">"/usr/local/bin/python3.7"</span>
<span class="o">}</span>,
<span class="s2">"changed"</span>: <span class="nb">false</span>,
<span class="s2">"ping"</span>: <span class="s2">"pong"</span>
<span class="o">}</span>
nginx | SUCCESS <span class="o">=></span> <span class="o">{</span>
<span class="s2">"ansible_facts"</span>: <span class="o">{</span>
<span class="s2">"discovered_interpreter_python"</span>: <span class="s2">"/usr/local/bin/python3.7"</span>
<span class="o">}</span>,
<span class="s2">"changed"</span>: <span class="nb">false</span>,
<span class="s2">"ping"</span>: <span class="s2">"pong"</span>
<span class="o">}</span>
</code></pre></div></div>
<p>In the <a href="/2021/06/09/jails-part-2.html">next part</a>, we will see how to provision <code class="language-bash highlighter-rouge">vnet</code> jails.</p>Git pre commit hooks2021-06-02T00:00:00+02:002021-06-02T00:00:00+02:00/2021/06/02/git-pre-commit<p><a href="https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks">Git Hooks</a> are shell scripts integrated to your git directory. They are triggered before: <code class="language-bash highlighter-rouge">pre-</code> or after: <code class="language-bash highlighter-rouge">post-</code> some actions, <code class="language-bash highlighter-rouge">commit</code>, <code class="language-bash highlighter-rouge">push</code>, <code class="language-bash highlighter-rouge">checkout</code> and run locally. The most useful function is <code class="language-bash highlighter-rouge">pre-commit</code> which can check your code syntax, lint to improve the code quality, or trigger any local test.</p>
<p>Hooks are mostly always the same, users share them on github and <a href="https://pre-commit.com/hooks.html">pre-commit</a> tool automates hooks deployment.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>pip <span class="nb">install </span>pre-commit
</code></pre></div></div>
<h3 id="deploy-a-hook">Deploy a hook</h3>
<p>Create a test directory and git it.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">mkdir </span>git-commit-test <span class="o">&&</span> <span class="nb">cd </span>git-commit-test
<span class="nv">$ </span>git init
Initialized empty Git repository <span class="k">in</span> /home/user/dev/git-commit-test/.git/
</code></pre></div></div>
<p>Choose hooks projects you want to use in <a href="https://pre-commit.com/hooks.html">pre-commit hooks list</a>.<br />
For this exemple, we will use yaml and shell checkers.</p>
<ul>
<li><a href="">https://github.com/pre-commit/pre-commit-hooks</a> : check-yaml and trailing-whitespace</li>
<li><a href="">https://github.com/shellcheck-py/shellcheck-py</a> : shellcheck</li>
</ul>
<p>Pre-commit configuration file is <code class="language-bash highlighter-rouge">.pre-commit-config.yaml</code>, create it at the project root.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">repos</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/pre-commit/pre-commit-hooks</span>
<span class="na">rev</span><span class="pi">:</span> <span class="s">v4.0.1</span>
<span class="na">hooks</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check-yaml</span>
<span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">trailing-whitespace</span>
<span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/shellcheck-py/shellcheck-py</span>
<span class="na">rev</span><span class="pi">:</span> <span class="s">v0.7.2.1</span>
<span class="na">hooks</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">shellcheck</span>
</code></pre></div></div>
<p>To init hook deployment, use <code class="language-bash highlighter-rouge"><span class="nb">install</span></code> subcommand.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>pre-commit <span class="nb">install
</span>pre-commit installed at .git/hooks/pre-commit
</code></pre></div></div>
<h3 id="test-it">Test it</h3>
<p>Let’s add a shell script to the project and a yaml file with some errors.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> > test.sh
#!/bin/bash
var=1
echo </span><span class="nv">$var</span><span class="sh">
</span><span class="no">EOF
</span><span class="nv">$ </span><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> > test.yml
- key1
key2:
</span><span class="no">EOF
</span></code></pre></div></div>
<p>Add those files to the index, <code class="language-bash highlighter-rouge">pre-commit</code> defaulty ignore files outside the index.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>git add <span class="nb">.</span>
<span class="nv">$ </span>git status
On branch main
No commits yet
Changes to be committed:
<span class="o">(</span>use <span class="s2">"git rm --cached <file>..."</span> to unstage<span class="o">)</span>
new file: .pre-commit-config.yaml
new file: test.sh
new file: test.yml
</code></pre></div></div>
<p>And just commit to fire your hooks !</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>git commit <span class="nt">-m</span> <span class="s2">"added a great shell script and his yaml file"</span>
Check Yaml...............................................................Failed
- hook <span class="nb">id</span>: check-yaml
- <span class="nb">exit </span>code: 1
mapping values are not allowed <span class="k">in </span>this context
<span class="k">in</span> <span class="s2">"test.yml"</span>, line 2, column 6
Trim Trailing Whitespace.................................................Failed
- hook <span class="nb">id</span>: trailing-whitespace
- <span class="nb">exit </span>code: 1
- files were modified by this hook
Fixing test.sh
shellcheck...............................................................Failed
- hook <span class="nb">id</span>: shellcheck
- <span class="nb">exit </span>code: 1
In test.sh line 2:
<span class="nv">var</span><span class="o">=</span>1
^-^ SC2034: var appears unused. Verify use <span class="o">(</span>or <span class="nb">export </span><span class="k">if </span>used externally<span class="o">)</span><span class="nb">.</span>
For more information:
https://www.shellcheck.net/wiki/SC2034 <span class="nt">--</span> var appears unused. Verify use <span class="o">(</span>o...
</code></pre></div></div>
<p>As pre-commit hooks failed, the commit was not created.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>git log
fatal: your current branch <span class="s1">'main'</span> does not have any commits yet
</code></pre></div></div>
<p>Trailing whitespace hooks automatically fixed his errors.<br />
If you fix your shell script and yaml file, your commit will be ok.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/$var/\"$var\"/'</span> test.sh
<span class="nv">$ </span><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/key1/key1:/'</span> test.yml
<span class="nv">$ </span>git add test.<span class="k">*</span>
<span class="nv">$ </span>git commit <span class="nt">-m</span> <span class="s2">"first sane commit"</span>
Check Yaml...............................................................Passed
Trim Trailing Whitespace.................................................Passed
shellcheck...............................................................Passed
<span class="o">[</span>main <span class="o">(</span>root-commit<span class="o">)</span> c689536] first sane commit
3 files changed, 15 insertions<span class="o">(</span>+<span class="o">)</span>
create mode 100644 .pre-commit-config.yaml
create mode 100644 test.sh
create mode 100644 test.yml
</code></pre></div></div>
<h3 id="custom-ansible-hook">Custom Ansible Hook</h3>
<p>I wanted to be able to check ansible syntax before.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">local</span>
<span class="na">hooks</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">ansible-syntax-check</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">Ansible syntax check</span>
<span class="na">entry</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ansible-playbook</span><span class="nv"> </span><span class="s">--syntax-check</span><span class="nv"> </span><span class="s">playbook.yml"</span>
<span class="na">pass_filenames</span><span class="pi">:</span> <span class="s">no</span>
<span class="na">types_or</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">yaml</span><span class="pi">,</span> <span class="nv">jinja</span><span class="pi">]</span>
<span class="na">language</span><span class="pi">:</span> <span class="s">system</span>
</code></pre></div></div>
<p>Create the playbook.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o"><<</span> <span class="no">EOF</span><span class="sh"> > playbook.yml
- hosts: test
tasks:
- name: copy test.sh
copyy:
src: ./test.sh
dest: dir
</span><span class="no">EOF
</span></code></pre></div></div>
<p>Then try to commit it.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>git add <span class="nb">.</span>
<span class="nv">$ </span>git commit <span class="nt">-m</span> <span class="s2">"added an insane playbook"</span>
<span class="o">[</span>user@osz git-commit-test]<span class="nv">$ </span>git commit <span class="nt">-m</span> <span class="s2">"added an insane playbook"</span>
Check Yaml...............................................................Passed
Trim Trailing Whitespace.................................................Passed
shellcheck...........................................<span class="o">(</span>no files to check<span class="o">)</span>Skipped
Ansible syntax check.....................................................Failed
- hook <span class="nb">id</span>: ansible-syntax-check
- <span class="nb">exit </span>code: 4
<span class="o">[</span>WARNING]: No inventory was parsed, only implicit localhost is available
<span class="o">[</span>WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match <span class="s1">'all'</span>
ERROR! couldn<span class="s1">'t resolve module/action '</span>copyy<span class="s1">'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '</span>/home/user/dev/git-commit-test/playbook.yml<span class="s1">': line 3, column 7, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
tasks:
- name: copy test.sh
^ here
</span></code></pre></div></div>
<p>As no shell script was in the index, <code class="language-bash highlighter-rouge">shellcheck</code> was skipped, but pre-commit detected our mispelled <code class="language-bash highlighter-rouge">copy</code> ansible module.</p>Git Hooks are shell scripts integrated to your git directory. They are triggered before: pre- or after: post- some actions, commit, push, checkout and run locally. The most useful function is pre-commit which can check your code syntax, lint to improve the code quality, or trigger any local test.Nas project - part 32021-05-30T00:00:00+02:002021-05-30T00:00:00+02:00/2021/05/30/nas-part-3<p>In <a href="/2021/05/21/nas-part-2.html">part 2</a>, I setup my nas, but I didn’t notice that I created ZFS pool without mirroring.</p>
<p>Let’s try to fix this.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>zpool remove dpool sdc
<span class="nv">$ </span>zpool status
pool: dpool
state: ONLINE
remove: Evacuation of /dev/sdc1 <span class="k">in </span>progress since Sun May 30 08:51:38 2021
4.23G copied out of 202G at 80.1M/s, 2.10% <span class="k">done</span>, 0h42m to go
566K memory used <span class="k">for </span>removed device mappings
config:
NAME STATE READ WRITE CKSUM
dpool ONLINE 0 0 0
sdb ONLINE 0 0 0
sdc ONLINE 0 0 0
errors: No known data errors
</code></pre></div></div>
<p>After it completes, I attach now the newly free disk to mirror the first one.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>zpool attach dpool sdb sdc
<span class="nv">$ </span>zpool status
pool: dpool
state: ONLINE
status: One or more devices is currently being resilvered. The pool will
<span class="k">continue </span>to <span class="k">function</span>, possibly <span class="k">in </span>a degraded state.
action: Wait <span class="k">for </span>the resilver to complete.
scan: resilver <span class="k">in </span>progress since Sun May 30 09:38:12 2021
404G scanned at 2.43G/s, 1.52G issued at 9.41M/s, 404G total
1.53G resilvered, 0.38% <span class="k">done</span>, no estimated completion <span class="nb">time
</span>remove: Removal of vdev 1 copied 202G <span class="k">in </span>0h44m, completed on Sun May 30 09:36:27 2021
566K memory used <span class="k">for </span>removed device mappings
config:
NAME STATE READ WRITE CKSUM
dpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
sdb ONLINE 0 0 0
sdc ONLINE 0 0 0 <span class="o">(</span>resilvering<span class="o">)</span>
errors: No known data errors
</code></pre></div></div>
<p>It ended without any stress/warning/error… how much do <strong>I love ZFS</strong> !</p>
<h3 id="dns-day">DNS day</h3>
<p>I want to configure a authoritative DNS for my <code class="language-bash highlighter-rouge">eoli3n.eu.org</code> domain.<br />
This DNS server will not be used as a recursive one, even locally, I just want it to resolv <code class="language-bash highlighter-rouge"><span class="k">*</span>.eoli3n.eu.org</code>.<br />
Following <a href="https://wiki.debian.org/Bind9#Debian_Jessie_and_later">bind9 debian wiki page</a>, I setup a bind authoritative server in a chroot. Here’s the bind config</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> /etc/bind/named.conf.options
options <span class="o">{</span>
directory <span class="s2">"/var/cache/bind"</span><span class="p">;</span>
// Listen on ipv4 interfaces only
listen-on <span class="o">{</span>
127.0.0.1<span class="p">;</span>
192.168.0.253<span class="p">;</span>
<span class="o">}</span><span class="p">;</span>
listen-on-v6 <span class="o">{</span> none<span class="p">;</span> <span class="o">}</span><span class="p">;</span>
// Hide version
version <span class="s2">"[SECURED]"</span><span class="p">;</span>
// disable zone transfert
allow-transfer <span class="o">{</span><span class="s2">"none"</span><span class="p">;</span><span class="o">}</span><span class="p">;</span>
// disable recursion
recursion no<span class="p">;</span>
// allow query
allow-query <span class="o">{</span> any<span class="p">;</span> <span class="o">}</span><span class="p">;</span>
allow-query-cache <span class="o">{</span> any<span class="p">;</span> <span class="o">}</span><span class="p">;</span>
<span class="o">}</span><span class="p">;</span>
<span class="nv">$ </span><span class="nb">cat</span> /etc/bind/named.conf.local
// https://serverfault.com/a/306109/339917
include <span class="s2">"/etc/bind/zones.rfc1918"</span><span class="p">;</span>
zone <span class="s2">"eoli3n.eu.org."</span> IN <span class="o">{</span>
<span class="nb">type </span>master<span class="p">;</span>
file <span class="s2">"selfhost.zone"</span><span class="p">;</span>
<span class="o">}</span><span class="p">;</span>
<span class="nv">$ </span><span class="nb">cat</span> /var/bind9/chroot/var/cache/bind/selfhost.zone
<span class="nv">$TTL</span> 86400
@ IN SOA ns1 root <span class="o">(</span>
1622390729 <span class="p">;</span> serial number
8h <span class="p">;</span> Refresh
2h <span class="p">;</span> Retry
8h <span class="p">;</span> Expire
4m <span class="p">;</span> Min TTL
<span class="o">)</span>
@ IN NS ns1
ns1 IN A <span class="nv">$public_ip</span>
<span class="k">*</span> IN A <span class="nv">$public_ip</span>
</code></pre></div></div>
<p>Lets test it</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>dig @127.0.0.1 ns1.eoli3n.eu.org
<span class="o">[</span>...]
<span class="p">;;</span> ANSWER SECTION:
ns1.eoli3n.eu.org. 86400 IN A <span class="nv">$public_ip</span>
<span class="p">;;</span> AUTHORITY SECTION:
eoli3n.eu.org. 86400 IN NS ns1.eoli3n.eu.org.
<span class="o">[</span>...]
</code></pre></div></div>
<h3 id="get-my-own-domain-on-euorg">Get my own domain on eu.org</h3>
<p>I asked for <code class="language-bash highlighter-rouge">eoli3n.eu.org</code> domain by creating a request on the free domain registrar <strong>eu.org</strong>.<br />
To configure it, just add <code class="language-bash highlighter-rouge">ns1.eoli3n.eu.org</code> glue record with your public IP and redirect TCP/UDP on port 53 to your DNS server on your ISP router.</p>In part 2, I setup my nas, but I didn’t notice that I created ZFS pool without mirroring.Password store2021-05-30T00:00:00+02:002021-05-30T00:00:00+02:00/2021/05/30/passwords<p>Password managment is the cornerstone of services security. If you use web, you would create one random password per service, and activate <a href="https://en.wikipedia.org/wiki/Time-based_One-Time_Password">Time-based One-Time Password</a> for all important one, like mail.</p>
<p>I used firefox lockwise to manage my web passwords, and FreeOTP on Android.<br />
Firefox Lockwise can be configured to asks for a master password at every accesses.<br />
Easy synchronization between multiple hosts, including my phone, sticked me to it.</p>
<p>Problem is that I don’t really own my data, that I can’t drop Firefox if I would like to, and I can’t manage non web passwords.</p>
<p><a href="https://www.passwordstore.org/">Pass</a> defines itself like “<strong>the standard unix password manager</strong>”.<br />
It uses <a href="https://gnupg.org/">gnupg</a> to encrypt passwords as <code class="language-bash highlighter-rouge">.gpg</code> files, and git to distribute.<br />
A clever extension lets you use it with <a href="https://github.com/davatorium/rofi">rofi</a> : <a href="https://github.com/carnager/rofi-pass">rofi-pass</a><br />
But <em>pass</em> defaulty miss some comfortable features:</p>
<ul>
<li>Automatic commit/push/pull, if you forget to commit a change, you can’t access it on other devices</li>
<li>TOTP generator, but <a href="https://github.com/tadfisher/pass-otp">pass-otp</a> exists</li>
</ul>
<p><a href="https://www.gopass.pw/">Gopass</a> handles those by default, and even more.<br />
You can manage multiple password stores and share them with your teams, with access control lists based on gpg.<br />
A password leak and quality checker is embeeded, desktop notifications, etc..</p>
<h3 id="setup-and-configure-gnupg">Setup and configure GnuPG</h3>
<p>First, you need to create a gpg keypair. Ensure that you use gnupg2, some linux distros has gnupg <em>v1.x</em> in a different package.</p>
<p>On Voidlinux:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gpg2 <span class="nt">--full-generate-key</span>
<span class="c"># (1) RSA et RSA</span>
<span class="c"># size: 3073 bits</span>
<span class="c"># set expiration</span>
<span class="c"># set your real name, email and comment</span>
</code></pre></div></div>
<p>Generate a revoke certificate and store it in a safe place, check your <em>keyid</em> with <code class="language-bash highlighter-rouge">gpg2 <span class="nt">--list-keys</span></code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gpg2 <span class="nt">--gen-revoke</span> <span class="nt">--output</span> revoke.asc <span class="s2">"</span><span class="nv">$key_id</span><span class="s2">"</span>
</code></pre></div></div>
<p>To backup your key, export you secret key and the trust db</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gpg2 <span class="nt">--export-secret-keys</span> <span class="nt">--armor</span> <span class="s2">"</span><span class="nv">$key_id</span><span class="s2">"</span> <span class="o">></span> secret.asc
<span class="nv">$ </span>gpg2 <span class="nt">--export-ownertrust</span> <span class="o">></span> trustdb-backup.txt
</code></pre></div></div>
<p>Gnupg defaulty use a ncurses pinentry, you would change it for a graphical one, I chose <code class="language-bash highlighter-rouge">pinentry-gtk</code> and configured gpg by creating the file <code class="language-bash highlighter-rouge">~/.gnupg/gpg-agent.conf</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pinentry-program /bin/pinentry-gtk-2
</code></pre></div></div>
<p>To test gpupg, you can try to sign a file with <code class="language-bash highlighter-rouge">gpg2 <span class="nt">--sign</span> test.file</code>.</p>
<p>I use <a href="https://www.funtoo.org/Keychain">keychain</a> to autostart gpg agent at first shell login, with fish</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> ~/.config/fish/conf.d/keychain.fish
<span class="c"># https://stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0</span>
<span class="nb">set</span> <span class="nt">-x</span> GPG_TTY <span class="o">(</span><span class="nb">tty</span><span class="o">)</span>
<span class="c"># https://github.com/fish-shell/fish-shell/issues/4583</span>
<span class="k">if </span>status <span class="nt">--is-interactive</span>
keychain <span class="nt">--eval</span> <span class="nt">--agents</span> ssh <span class="nt">--quiet</span> <span class="nt">-Q</span> id_rsa | <span class="nb">source
</span>keychain <span class="nt">--eval</span> <span class="nt">--agents</span> gpg <span class="nt">--quiet</span> <span class="nt">--gpg2</span> <span class="nt">-Q</span> | <span class="nb">source
</span>end
</code></pre></div></div>
<p>I don’t target the key to load, when I will use it, it will be added after typing my passphrase.<br />
Gpg agent is not like SSH agent, it forgets the passphrase token after <em>600 seconds</em> by default.</p>
<h3 id="configure-git-with-gnupg">Configure Git with Gnupg</h3>
<p>Now, you need a centralised git repository, and the ability to sign your commits.<br />
I created mine on my nas server with <a href="https://gitolite.com/gitolite/index.html">gitolite</a>, but you can use a Github private repository.<br />
To make signing work, I needed to edit my git-config to match my gpg binary and my gpg key.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat</span> ~/.gitconfig
<span class="o">[</span>user]
name <span class="o">=</span> eoli3n
email <span class="o">=</span> jonathan.kirszling@runbox.com
signingkey <span class="o">=</span> eoli3n
<span class="o">[</span>pull]
rebase <span class="o">=</span> <span class="nb">false</span>
<span class="o">[</span>gpg]
program <span class="o">=</span> gpg2
</code></pre></div></div>
<p>Let’s try to sign a commit:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">mkdir </span>git-gpg-test
<span class="nv">$ </span><span class="nb">cd </span>git-gpg-test/
<span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"testing"</span> <span class="o">></span> README.md
<span class="nv">$ </span>git init
<span class="nv">$ </span>git add README.md
<span class="nv">$ </span>git commit <span class="nt">-S</span> <span class="nt">-m</span> <span class="s2">"testing to sign this commit"</span>
<span class="o">[</span>master <span class="o">(</span>commit racine<span class="o">)</span> c8fb990] testing to sign this commit
1 file changed, 1 insertion<span class="o">(</span>+<span class="o">)</span>
create mode 100644 README.md
</code></pre></div></div>
<p>Ok, great, now let’s create the password store.</p>
<h3 id="password-store">Password Store</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gopass setup
__ _ _ _ _ _ ___ ___
/<span class="s1">'_ '</span><span class="se">\ </span>/<span class="s1">'_'</span><span class="se">\ </span><span class="o">(</span> <span class="s1">'_'</span><span class="se">\ </span> /<span class="s1">'_'</span> <span class="o">)</span>/<span class="s1">',__)/'</span>,__<span class="o">)</span>
<span class="o">(</span> <span class="o">(</span>_<span class="o">)</span> |<span class="o">(</span> <span class="o">(</span>_<span class="o">)</span> <span class="o">)</span>| <span class="o">(</span>_<span class="o">)</span> <span class="o">)(</span> <span class="o">(</span>_| |<span class="se">\_</span>_, <span class="se">\\</span>__, <span class="se">\</span>
<span class="s1">'\__ |'</span><span class="se">\_</span>__/<span class="s1">'| ,__/''\__,_)(____/(____/
( )_) | | |
\___/'</span> <span class="o">(</span>_<span class="o">)</span>
🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🌟 Configuring your password store ...
🎮 Please <span class="k">select </span>a private key <span class="k">for </span>encrypting secrets:
<span class="o">[</span>0] gpg - 0xFEEDBEEF - Jonathan Kirszling <jonathan.kirszling@runbox.com>
Please enter the number of a key <span class="o">(</span>0-12, <span class="o">[</span>q]uit<span class="o">)</span> <span class="o">(</span>q to abort<span class="o">)</span> <span class="o">[</span>0]: 0
❓ Do you want to add a git remote? <span class="o">[</span>y/N/q]: y
Configuring the git remote ...
Please enter the git remote <span class="k">for </span>your shared store <span class="o">[]</span>: git@nas.domain.fr:passwords.git
✅ Configured
</code></pre></div></div>
<h3 id="add-your-first-password">Add your first password</h3>
<p>Use <code class="language-bash highlighter-rouge">insert</code> subcommand to create password entries</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gopass insert work/test
Enter password <span class="k">for </span>work/test:
Retype password <span class="k">for </span>work/test:
</code></pre></div></div>
<p>Querying it will prompt for you gpg passphrase.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gopass work/test
Secret: work/test
Passw0rd
</code></pre></div></div>
<h3 id="add-a-totp">Add a TOTP</h3>
<p>To add a TOTP key, you need to use <code class="language-bash highlighter-rouge"><span class="nt">--multiline</span></code> argument</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gopass insert <span class="nt">-m</span> work/vpn
totp: XXXXXXXXXXXXXXXXXXXXXX
<span class="nv">$ </span>gopass totp work/vpn
069268 lasts 8s |----------------------<span class="o">========</span>|
</code></pre></div></div>
<h3 id="synchronization-with-android">Synchronization with Android</h3>
<p>On Android, you need <a href="https://www.openkeychain.org/">OpenKeychain</a>, to add your previously exported gpg secret key.<br />
To be able to use <em>TOTP</em> and your password store, use <a href="https://github.com/android-password-store/Android-Password-Store">Password Store</a> with your ssh key to reach you git <em>passwords</em> repository. No need to use <em>FreeOTP</em> anymore.<br />
<em>Password Store</em> does not pull/push commit automatically, don’t forget to sync from the app !</p>
<h3 id="configure-a-new-node">Configure a new node</h3>
<p>Import your gpg key and your trust db</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gpg2 —-import secret.asc
<span class="nv">$ </span><span class="nb">rm</span> ~/.gnupg/trustdb.gpg
<span class="nv">$ </span>gpg2 <span class="nt">--import-ownertrust</span> < trustdb-backup.txt
</code></pre></div></div>
<p>Then gopass wrap your <em>passwords</em> reporistory git clone</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>gopass clone git@nas.domain.fr:passwords.git
</code></pre></div></div>
<p>You project with be stored in <code class="language-bash highlighter-rouge">.local/share/gopass/stores/root/</code>.</p>
<h3 id="go-a-bit-further">Go a bit further</h3>
<p>On my desktop hosts, I now need to find an alternative to <em>rofi-pass</em> for <a href="https://cloudninja.pw/docs/wofi.html">Wofi</a>.<br />
<em>gopass</em> should be fully compatible with <em>pass</em> by default, except for totp generator which differs a bit.</p>
<p><em>gopass</em> has a great plugin to manage passwords from browser: <a href="https://github.com/gopasspw/gopassbridge">gopassbridge</a>.<br />
It would be a great firefox lockwise replacement.</p>
<p><em>20/06/23 edit</em></p>
<p><a href="https://github.com/eoli3n/dotfiles/blob/5187359320e5870dbfac50bcf1d9b678ecd605e9/roles/sway/templates/config.j2#L34-L35">This</a> is the way to get <em>wofi-pass</em> working, with autocopy and totp mode.</p>Password managment is the cornerstone of services security. If you use web, you would create one random password per service, and activate Time-based One-Time Password for all important one, like mail.Improve Backups2021-05-21T00:00:00+02:002021-05-21T00:00:00+02:00/2021/05/21/improve-backups<p>After <a href="/2020/04/30/backup.html">my first post</a> about how to setup BorgBackup and a first install of a home nas, I do have now two borg servers, lets spread our backups !</p>
<h3 id="drop-the-shell-backup-script">Drop the shell backup script</h3>
<p><a href="https://torsion.org/borgmatic/">Borgmatic</a> is an overlay to BorgBackup which let you configure everything with a yaml file and wrap Borg command to let you interact with your repository easierly.</p>
<p>Here a <code class="language-bash highlighter-rouge">/etc/borgmatic/config.yaml</code> file exemple</p>
<p><em>11/06/23 edit: use <code class="language-bash highlighter-rouge">patterns</code> instead of <code class="language-bash highlighter-rouge">exclude_patterns</code> to be able to backup directories in a declarative way</em><br />
See <a href="https://github.com/borgbackup/borg/pull/7644">borg patterns help</a></p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">location</span><span class="pi">:</span>
<span class="na">source_directories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">/</span>
<span class="na">repositories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">root@nas:/data/backups/osz</span>
<span class="na">exclude_caches</span><span class="pi">:</span> <span class="no">true</span>
<span class="na">patterns</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">R /</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/lost+found'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.iso'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.mkv'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.vmdk'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.pyc'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">root/.cache'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.cache'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.var/app/*/cache'</span> <span class="c1"># flatpak caches</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.local/share/Steam'</span> <span class="c1"># steam installed games</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.local/share/Trash'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">etc/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">root/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">home/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">var/log/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">!</span><span class="nv"> </span><span class="s">re:^(dev|proc|run|sys|tmp)'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**'</span>
<span class="na">storage</span><span class="pi">:</span>
<span class="na">encryption_passphrase</span><span class="pi">:</span> <span class="s2">"</span><span class="s">***************************"</span>
<span class="na">compression</span><span class="pi">:</span> <span class="s">zstd</span>
<span class="na">archive_name_format</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{hostname}-{now:%Y-%m-%dT%H:%M:%S}'</span>
<span class="na">ssh_command</span><span class="pi">:</span> <span class="s">ssh -i /root/.ssh/backup_rsa</span>
<span class="na">relocated_repo_access_is_ok</span><span class="pi">:</span> <span class="no">true</span>
<span class="na">retention</span><span class="pi">:</span>
<span class="na">prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{hostname}-'</span>
<span class="na">keep_daily</span><span class="pi">:</span> <span class="m">7</span>
<span class="na">keep_weekly</span><span class="pi">:</span> <span class="m">4</span>
<span class="na">keep_monthly</span><span class="pi">:</span> <span class="m">6</span>
<span class="na">keep_yearly</span><span class="pi">:</span> <span class="m">2</span>
<span class="na">consistency</span><span class="pi">:</span>
<span class="na">check_last</span><span class="pi">:</span> <span class="m">3</span>
</code></pre></div></div>
<p>On the repository server, you need to add a restricted authorized_key as explained in my previous post.<br />
Then you can create the repository and start your first backup.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">sudo </span>borgmatic init <span class="nt">--encryption</span><span class="o">=</span>repokey-blake2
<span class="nv">$ </span><span class="nb">sudo </span>borgmatic <span class="nt">-v2</span>
</code></pre></div></div>
<p>As the process is now standard, you can write an ansible task to add an anacron and automate backups more nicely.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">automate daily backups</span>
<span class="na">copy</span><span class="pi">:</span>
<span class="na">dest</span><span class="pi">:</span> <span class="s">/etc/cron.daily/backup</span>
<span class="na">mode</span><span class="pi">:</span> <span class="m">0755</span>
<span class="na">content</span><span class="pi">:</span> <span class="pi">|</span>
<span class="s">#!/bin/bash</span>
<span class="s">borgmatic -v1</span>
</code></pre></div></div>
<p>The borgmatic toolbox let you interact with the repository from the client.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">sudo </span>borgmatic info
root@nas:/data/backups/osz: Displaying summary info <span class="k">for </span>archives
Repository ID: 664b076398e3d4ef96031d33f99ec0df1bb98a8ca39b181052f5dbc6c335f70e
Location: ssh://root@nas/data/backups/osz
Encrypted: Yes <span class="o">(</span>repokey BLAKE2b<span class="o">)</span>
Cache: /root/.cache/borg/664b076398e3d4ef96031d33f99ec0df1bb98a8ca39b181052f5dbc6c335f70e
Security <span class="nb">dir</span>: /root/.config/borg/security/664b076398e3d4ef96031d33f99ec0df1bb98a8ca39b181052f5dbc6c335f70e
<span class="nt">------------------------------------------------------------------------------</span>
Original size Compressed size Deduplicated size
All archives: 1.90 TB 1.08 TB 149.50 GB
Unique chunks Total chunks
Chunk index: 961954 8286300
<span class="nv">$ </span><span class="nb">sudo </span>borgmatic list
root@nas:/data/backups/osz: Listing archives
osz-2021-05-14T18:19:19-voidlinux-install Fri, 2021-05-14 18:19:20 <span class="o">[</span>dd21865bff728fdf4751cdc0e1f714164436eb5863452298b72952093dfbad4c]
osz-2021-05-15T11:50:05 Sat, 2021-05-15 11:50:06 <span class="o">[</span>a38b92d57f58c97195e42047611679aa24a065a092da93d6ed9a68d7d94a52ad]
osz-2021-05-16T12:21:03 Sun, 2021-05-16 12:21:03 <span class="o">[</span>b2e2f061939bb4818cb7be33e7da2c572ce7b60ebb6f9482ed317e18cf01895f]
osz-2021-05-17T09:23:14 Mon, 2021-05-17 09:23:15 <span class="o">[</span>183c1b2f399999012cfa977a3b5f67ca3b8b0299384adfad486e3858a469659e]
osz-2021-05-18T18:36:34 Tue, 2021-05-18 18:36:35 <span class="o">[</span>b71d73f6d62a328ff09c5728ddb042b6858148fcfbfe078828178abd34a10795]
osz-2021-05-19T08:16:24 Wed, 2021-05-19 08:16:24 <span class="o">[</span>514b13dcdfbca936930adf67066bb7fcb5e668f5301c0d5ec1a98915c9926bb9]
osz-2021-05-20T09:40:59 Thu, 2021-05-20 09:40:59 <span class="o">[</span>de40b1ca2cfe99893cb8023b2c496ba56695f3596199a126ac79ccf36ee566d0]
<span class="nv">$ </span><span class="nb">sudo </span>borgmatic mount <span class="nt">--archive</span> osz-2021-05-19T08:16:24 <span class="nt">--mount-point</span> /mnt
<span class="nv">$ </span><span class="nb">sudo ls</span> /mnt
bin dev etc lib lib64 mnt proc run sys tmp var
boot efi home lib32 media opt root sbin sysroot usr
</code></pre></div></div>
<h3 id="spread-your-backups">Spread your Backups</h3>
<p>I use <a href="https://syncthing.net/">Syncthing</a> to sync my backups over the network between two repository servers.<br />
The important line in the client configuration is <code class="language-bash highlighter-rouge">relocated_repo_access_is_ok: <span class="nb">true</span></code> which lets you access your backups from the second server.<br />
Syncing a borg repository is not the recommended way to spread your backups, because if a data corruption occurs on one side, it is stupidly replicated.<br />
You should prefer to add a second repository in the yaml config, borgmatic will trigger two separated backups.</p>
<p>I chose to sync with Syncthing because one of my repository is accessible only from a OTP secured vpn. I can’t automate VPN connection on all clients that I backup.</p>
<p>The replication is done in two ways, from <code class="language-bash highlighter-rouge">server 1</code> to <code class="language-bash highlighter-rouge">server 2</code> and vice-versa.</p>
<p><em>02/01/22 edit</em></p>
<p>As borg <a href="https://borgbackup.readthedocs.io/en/stable/faq.html#can-i-copy-or-synchronize-my-repo-to-another-location">documentation says</a>, borg repositories are not designed to be synced.<br />
When I switched to redundant backups, I had to debug my repositories for few hours… So, just ,don’t.<br />
Using two backup locations in borgmatic config will took twice the time, but security worth it.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="na">repositories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">root@nas:/data/backups/osz</span>
<span class="pi">-</span> <span class="s">root@borgbase:/repo</span>
</code></pre></div></div>
<h3 id="online-backups">Online Backups</h3>
<p>If you backup at home and at a different location, that’s pretty solid. I was annoyed by the fact that I backup my personnal data at work as second place, and wanted, for my most important data, to be safe to move in another city, and changing work without to be worried about my backups.</p>
<p><a href="https://www.borgbase.com/">BorgBase</a> describes itself as “Simple and Secure Offsite Backups” service.<br />
To use it, simply open an account for free, to test. Then you will be able to upgrade your plan to the 100G small plan. That’s enough for me, for my most important data, and only costs 2€/month under 100G, and then 0.01€/Go/month.</p>
<p><img src="/assets/images/server/borgbase.png" alt="borgbase" /></p>
<p>Repositories support encryption, and the web UI is secured with 2fa TOTP authentication.<br />
I upload my backups at 12Mo/s, so I’m fully satisfied with the service.<br />
You can enable alerts when repositories didn’t get any backup since some days.<br />
Let’s see with time.</p>
<p><em>11/06/23 edit</em></p>
<h3 id="per-repository-configurations">Per repository configurations</h3>
<p>Borgbase storage is not free, you can then define a shorter retention time on that repository.<br />
To do this, we will use include feature of configuration files, which is documented in <a href="https://torsion.org/borgmatic/docs/how-to/make-per-application-backups/#multiple-backup-configurations">Borgmatic multiple backup configurations</a>.</p>
<p>You need to create a <code class="language-bash highlighter-rouge">/etc/borgmatic/config-main.yaml</code> file which will have configurations that apply to both repostiories. Then two <code class="language-bash highlighter-rouge">/etc/borgmatic.d/config-<span class="o">{</span>nas,borgbase<span class="o">}</span>.yaml</code> for repository specific configurations, which will include the main configuration file. You need to put the main configuration file outside of <code class="language-bash highlighter-rouge">/etc/borgmatic.d</code> or it will be processed as a third configuration file.</p>
<p>The <code class="language-bash highlighter-rouge">borgmatic/config-main.yaml</code> will contains in my case excludes and storage configurations.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">location</span><span class="pi">:</span>
<span class="na">exclude_caches</span><span class="pi">:</span> <span class="no">true</span>
<span class="na">patterns</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">R /</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/lost+found'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.iso'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.mkv'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.vmdk'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**/*.pyc'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">root/.cache'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.cache'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.var/app/*/cache'</span> <span class="c1"># flatpak caches</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.local/share/Steam'</span> <span class="c1"># steam installed games</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">home/*/.local/share/Trash'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">etc/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">root/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">home/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">+</span><span class="nv"> </span><span class="s">var/log/**'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">!</span><span class="nv"> </span><span class="s">re:^(dev|proc|run|sys|tmp)'</span>
<span class="pi">-</span> <span class="s1">'</span><span class="s">-</span><span class="nv"> </span><span class="s">**'</span>
<span class="na">storage</span><span class="pi">:</span>
<span class="na">encryption_passphrase</span><span class="pi">:</span> <span class="s2">"</span><span class="s">********************************"</span>
<span class="na">compression</span><span class="pi">:</span> <span class="s">zstd</span>
<span class="na">archive_name_format</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{hostname}-{now:%Y-%m-%dT%H:%M:%S}'</span>
<span class="na">relocated_repo_access_is_ok</span><span class="pi">:</span> <span class="no">true</span>
</code></pre></div></div>
<p><code class="language-bash highlighter-rouge">borgmatic.d/config-nas.yaml</code> and <code class="language-bash highlighter-rouge">borgmatic.d/config-nas.yaml</code> will contain location with source path, the repository url, consistency and retention policies.</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="s"><<</span><span class="pi">:</span> <span class="kt">!include</span> <span class="s">/root/.config/borgmatic/config-main.yaml</span>
<span class="na">location</span><span class="pi">:</span>
<span class="na">source_directories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">/</span>
<span class="na">repositories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">ssh://borg-base/./repo</span>
<span class="na">label</span><span class="pi">:</span> <span class="s">borgbase</span>
<span class="na">retention</span><span class="pi">:</span>
<span class="na">prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{hostname}-'</span>
<span class="na">keep_daily</span><span class="pi">:</span> <span class="m">7</span>
<span class="na">keep_weekly</span><span class="pi">:</span> <span class="m">4</span>
<span class="na">consistency</span><span class="pi">:</span>
<span class="na">check_last</span><span class="pi">:</span> <span class="m">3</span>
</code></pre></div></div>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="s"><<</span><span class="pi">:</span> <span class="kt">!include</span> <span class="s">/root/.config/borgmatic/config-main.yaml</span>
<span class="na">location</span><span class="pi">:</span>
<span class="na">source_directories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">/</span>
<span class="na">repositories</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">ssh://nas/backups/osz</span>
<span class="na">label</span><span class="pi">:</span> <span class="s">nas</span>
<span class="na">consistency</span><span class="pi">:</span>
<span class="na">check_last</span><span class="pi">:</span> <span class="m">3</span>
<span class="na">retention</span><span class="pi">:</span>
<span class="na">prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{hostname}-'</span>
<span class="na">keep_daily</span><span class="pi">:</span> <span class="m">7</span>
<span class="na">keep_weekly</span><span class="pi">:</span> <span class="m">4</span>
<span class="na">keep_monthly</span><span class="pi">:</span> <span class="m">6</span>
<span class="na">keep_yearly</span><span class="pi">:</span> <span class="m">1</span>
</code></pre></div></div>
<p>You can now run <code class="language-bash highlighter-rouge">borgmatic</code> and it will proceed as configured.<br />
Note that <a href="https://projects.torsion.org/borgmatic-collective/borgmatic/issues/635">borgmatic now supports labels</a> for repositories.</p>After my first post about how to setup BorgBackup and a first install of a home nas, I do have now two borg servers, lets spread our backups !