Update common.sh with functions for all jails+first migration "console.sh" #792
Conversation
Rename "check_target_is_running" and "target_all_jails" to have the suffix "_old". These two function are only ever called from within the main bastille executable. I am integrating these functions in "common.sh" so renaming them here for removal in the future is the best path forward.
These are all the new function I am beginning to move to common.sh for use with all jails.
This makes console act with the new common.sh file. Enable debug mode Allow console by JID Allow jail autocomplete
This is because bastille0 is always used ad the default loopback when using "bastille setup" and interferes when trying to create the first VNET jail on the list. This ensures that VNET jails will have their epairs (non-bridge) start with bastille1 then 2 then 3 etc...
There was a problem hiding this comment.
Hello, I would like more insight about this PR as I have no "bastille0" loopback set and I have both VNET and shared IP jails, all of them works perfectly fine and both jails types gets internet as expected.
Here part of my bastille network config example for further reference:
## Networking
bastille_network_loopback="" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="em0" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway6="" ## default: ""
Notice that ${bastille_network_loopback}/${bastille_network_gateway} are empty/non-set but only the shared em0 physical interface.
However I have to note that I don't use neither PF nor IPFW for jails since my Firewall stuff is managed by post-ISP external OPNsense server/appliance, so I keep my shared-IP/VNET jails networking as simple as possible on my homelab, so excuse my ignorance here.
So just thinking, can this additional IF can be created if the user is explicitly is using "bastille0" loopback?, so it keep system/configuration simplicity and avoid unnecessary interfaces?
PR in this regards: 02396f5
Regards!
|
So, when you run "bastille setup" an interface gets created for use with non-VNET jails called "bastille0" and populates the "bastille_loopback" variable with that. This interface is used when creating jails and not specifying an interface. If you don not use pf/firewall, then of course this won't matter, except if you run "bastille setup", then your first VNET jail won't ever work because it also tries to use "bastille0" as the interface. This PR starts the count at bastille1 (which to me is better anyway) I ran into this problem just yesterday when trying to create a VNET jails after having run "bastille setup". The VNET jails tried to create e0a_bastille0 and e0b_bastille0. The jail wouldn't start because it couldn't create the interface pairs. Switching it to start at e0[ab]_bastille1 solved it. This commit only changes that one fact and the one below. Its starts looking for "epair[1-9]+" for bridges and "bastille[1-9]+" for VNET. I've chosen to also change the naming schema of the bridge epairs to stay simply "epair1[ab]" and add a description as -V does because of a naming limit I ran into. See #786 |
|
After further studying, we should find a better way to handle Doing bastille setup vnet will also throw a wrench into this, because it creates a bridge, and names it bastille1. Perhaps we should change the default names to "bastille_bridge" and "bastille_loopback" to avoid these issues. Thoughts? |
|
Below is the relevant code inside "setup.sh" |
Hello, I understand that this takes place only when using the loopback and/or I've just executed Part of my Part of my I'm a bit busy ATM to perform a full test on all the PR's but I will try to look this more in deep on the weekend if possible, so hopefully you and other developers/collaborators/contributors can test this PR's in every possible case user scenario, from simple bastille network setups setups to more complex ones and sames applies for ZFS and UFS as the underlying storage filesystem. Between keep this nice contributions going so we can enhance this little jail manager further. Regards! |
|
Your "bastille_network_loopback" is not filled in (as you said above) with the default value of "bastille0" |
Hello, the major problem/issue is that changing variable names already used for long(specially bastille config) may break current configurations for most user unaware of it, and may broke third party jails managers such as XigmaNAS Bastille Ext and Webmin Bastille manager among others DevOps related operations, if we are talking about bastille core code we can always find a solution indeed. Hopefully this can ve solved however. Regards! |
|
Good point. Right now they are called "e0b_bastille[0-9]+" so perhaps "bastille_vnet[0-9]+" would be a good starting place. This not only tells you what the interface is being used as, but also tells you it is a VNEt interface, just like "epair" tells you it is a bridge interface. That way, bastille0 can stay the loopback, and bastille1 can stay the bridge loopback. |
Hi, yes name schemas for basic/vnet/linux jails is a nice addition and can also increase readability for further code addition/updates, between be aware that the part of Regards! |
|
Yes I am aware. Just throwing out ideas. bastille_vnet1a bastille_vnet2a Would work. I can't really think of a better schema right now. |
Yeah that should work indeed, between this may be discussed further with developers and @cedwards in regards of this naming changes and adoption/ideas. Lets see for further comments/opinions/ideas about this from other users running in production as well. Regards! |
|
On even further consideration, I will adjust this PR. I will be focusing on just the other functions people are asking for. This way we can discuss what the path forward is for networking. Thanks for your interaction @JRGTH |
|
@JRGTH I've reverted so this PR now only adds the new functions, and updates console.sh to use them. See it you can test if more easily now. |
tschettervictor
changed the title
|
per @cedwards the setup was a hack he threw together. I think since it tends to clobber everything that we may want to disable that for now until we can discuss further what a "setup" command should actually do. @tschettervictor and I talked about adding a make a .bak file of the config file, but in reading all of this discussion and thinking through all the possibilities, I am not sure having the setup is even a good idea. What do you guys think? |
|
I think a check for each setup sub command would work. If the ZFS vars are filled, exit. If the interface it tries to create exists, exit. If the pf file exists, exit. (This last one it already does) Or have an interactive script that will ask the user to confirm every step. |
Hi Barry, yes this command is more so like a wrapper/helper for a quick ZFS/Network/Firewall etc setup, and may be useful for newcomers and for third-party managers using I will provide some help here in the ZFS/UFS department for a proper ZFS activation in I will wait for the currents PR's as they need deep testing, so I can provide some help in this Regards! |
|
@JRGTH @tschettervictor should we have a separate PR for fixing / updating setup subcommand? I don't want this PR here to become too hard to test with too many moving pieces. I like smaller PRs that are cleaner to test. Thoughts? |
|
Separate I think. |
+1, This command should be on a separate PR and needs special attention and careful testing, as this command does write to I will start to re-write this command specially on the ZFS/UFS filesystem setups, the detailed/interactive user options and menu, then after deep testing on a several system configurations including ZFS and UFS configs I can upload so other with experience in the complex networking part can follow the code layout/consistency and enhance the rest of the bits. Regards |
+1 on this as well. Regards! |
so @JRGTH you start a PR for the setup command rewrite please. Lets fix Christer's setup hack to the next level with testing and some warnings. |
No worry man, I will start the rewrite of Regards! |
|
The EDIT: Initial interactive ZFS activation helper is tested/completed for systems booting from ZFS as the default, now I'm testing alternate configurations for systems booting from UFS systems but with jails stored on dedicated ZFS storage pool to keep both worlds happy, after a deep re-test will submit an initial PR to be open for additional enhancements. Regards! |
|
Tested using JID to console into a jail. Tested as advertised. |
This PR does 3 things.
Update common.sh with the new functions which include "set_target_single" "set_target" and others that will be used in the future.
Update console command to allow use with JID and jailname autocomplete
And as a treat, adds the "debug mode" function.
@JRGTH can you go over this and see if it will fit current code structure?
@bmac2
To test
Just a quick note. This PR should affect nothing except the console command. Everything else will still use the standard methods of validating jail names, check if running/stopped etc... so shouldn't be too hard to test.