path: root/blog/2017/poudriere-in-ezjail.rst
diff options
Diffstat (limited to 'blog/2017/poudriere-in-ezjail.rst')
1 files changed, 34 insertions, 0 deletions
diff --git a/blog/2017/poudriere-in-ezjail.rst b/blog/2017/poudriere-in-ezjail.rst
new file mode 100644
index 0000000..706260b
--- /dev/null
+++ b/blog/2017/poudriere-in-ezjail.rst
@@ -0,0 +1,34 @@
1.. title: Running poudriere in ezjail
2.. date: 2017/08/06 21:42
4Ever since `poudriere <>`_ was published, I felt the obligation to run a public repository with packages tuned to my needs (i.e. without X11, without Java, with a certain TLS library as default, etc). But considering this tool's complexity, I never felt comfortable running it on a production system's host. So naturally I've been looking for a way to jail it away and only 2 years after `this tutorial <>`_ outlined how that works, I managed to acutally try it out. Long story short: This guide kinda works and I got poudriere running in a jail. But I want the jail to automatically start up, get the correct dataset attached and receive all permissions needed to do zfs stuff and creating its own builder jails, in other words: I wanted to embed it as an ezjail.
6Now, turns out, that's actually not so hard: If you're running ezjail with zfs enabled, you first create the dataset for poudriere to work on::
8 zfs create -o jailed=on tank/poudriere
10then you just create your poudriere jail, making sure to pass it an ::1 IP address::
12 ezjail-admin create -c zfs poudriere,lo0|::1
14and then manually edit the two config lines in ``/usr/local/etc/ezjail/poudriere`` to read::
16 export jail_poudriere_parameters="children.max=10 allow.mount=1 allow.mount.devfs=1 allow.mount.procfs=1 allow.mount.zfs=1 allow.mount.nullfs=1 allow.raw_sockets=1 allow.socket_af=1 allow.sysvipc=1 allow.chflags=1 enforce_statfs=1"
17 export jail_poudriere_zfs_datasets="tank/poudriere"
19dont forget that this jail needs a resolv.conf, too and now you can just::
21 ezjail-admin console -f poudriere
23and follow `the FreeBSD handbook section on poudriere <>`_ to get your poudriere jobs running. Since I wanted the web server jail to serve the packages, I exposed them in ``/etc/`` by adding a line::
25 /usr/jails/poudriere/tank/poudriere/data/packages /usr/jails/ nullfs ro 0 0
27and after an ``ezjail-admin restart``, you should be able to use the packages built by adding a ``/usr/local/etc/pkg/repos/www.conf`` of::
29 www: {
30 url: "file:///packages/103amd64-local-workstation/",
31 enabled: yes
32 }
34*Update:* Should you be missing the file systems inside your poudriere jail, make sure to mount them in your periodic script that runs poudriere (using ``zfs mount -a``, before running poudriere), or take a look at `the thread on the ezjail mailing list <>`_ regarding rc.d/zfs not finding the dataset when it's run.