1 files changed, 34 insertions, 0 deletions
diff --git a/blog/2017/poudriere-in-ezjail.rst b/blog/2017/poudriere-in-ezjail.rst
new file mode 100644
index 0000000..706260b
--- /dev/null
+++ b/blog/2017/poudriere-in-ezjail.rst
@@ -0,0 +1,34 @@
+.. title: Running poudriere in ezjail
+.. date: 2017/08/06 21:42
+Ever since `poudriere <https://github.com/freebsd/poudriere>`_ was published, I felt the obligation to run a public repository with packages tuned to my needs (i.e. without X11, without Java, with a certain TLS library as default, etc). But considering this tool's complexity, I never felt comfortable running it on a production system's host. So naturally I've been looking for a way to jail it away and only 2 years after `this tutorial <https://github.com/freebsd/poudriere/wiki/poudriere_in_jail>`_ outlined how that works, I managed to acutally try it out. Long story short: This guide kinda works and I got poudriere running in a jail. But I want the jail to automatically start up, get the correct dataset attached and receive all permissions needed to do zfs stuff and creating its own builder jails, in other words: I wanted to embed it as an ezjail.
+Now, turns out, that's actually not so hard: If you're running ezjail with zfs enabled, you first create the dataset for poudriere to work on::
+  zfs create -o jailed=on tank/poudriere
+then you just create your poudriere jail, making sure to pass it an ::1 IP address::
+  ezjail-admin create -c zfs poudriere 127.0.0.1,lo0|::1
+and then manually edit the two config lines in ``/usr/local/etc/ezjail/poudriere`` to read::
+  export jail_poudriere_parameters="children.max=10 allow.mount=1 allow.mount.devfs=1 allow.mount.procfs=1 allow.mount.zfs=1 allow.mount.nullfs=1 allow.raw_sockets=1 allow.socket_af=1 allow.sysvipc=1 allow.chflags=1 enforce_statfs=1"
+  export jail_poudriere_zfs_datasets="tank/poudriere"
+dont forget that this jail needs a resolv.conf, too and now you can just::
+  ezjail-admin console -f poudriere
+and follow `the FreeBSD handbook section on poudriere <https://www.freebsd.org/doc/handbook/ports-poudriere.html>`_ to get your poudriere jobs running. Since I wanted the web server jail to serve the packages, I exposed them in ``/etc/fstab.www_domain.com`` by adding a line::
+  /usr/jails/poudriere/tank/poudriere/data/packages /usr/jails/www.domain.com/packages nullfs ro 0 0
+and after an ``ezjail-admin restart www.domain.com``, you should be able to use the packages built by adding a ``/usr/local/etc/pkg/repos/www.conf`` of::
+  www: {
+    url: "file:///packages/103amd64-local-workstation/",
+    enabled: yes
+  }
+*Update:* Should you be missing the file systems inside your poudriere jail, make sure to mount them in your periodic script that runs poudriere (using ``zfs mount -a``, before running poudriere), or take a look at `the thread on the ezjail mailing list <https://elektropost.org/ezjail/msg00902.html>`_ regarding rc.d/zfs not finding the dataset when it's run.

diff --git a/blog/2017/poudriere-in-ezjail.rst b/blog/2017/poudriere-in-ezjail.rst new file mode 100644 index 0000000..706260b --- /dev/null +++ b/blog/2017/poudriere-in-ezjail.rst
@@ -0,0 +1,34 @@
	1	.. title: Running poudriere in ezjail
	2	.. date: 2017/08/06 21:42
	3
	4	Ever since `poudriere <https://github.com/freebsd/poudriere>`_ was published, I felt the obligation to run a public repository with packages tuned to my needs (i.e. without X11, without Java, with a certain TLS library as default, etc). But considering this tool's complexity, I never felt comfortable running it on a production system's host. So naturally I've been looking for a way to jail it away and only 2 years after `this tutorial <https://github.com/freebsd/poudriere/wiki/poudriere_in_jail>`_ outlined how that works, I managed to acutally try it out. Long story short: This guide kinda works and I got poudriere running in a jail. But I want the jail to automatically start up, get the correct dataset attached and receive all permissions needed to do zfs stuff and creating its own builder jails, in other words: I wanted to embed it as an ezjail.
	5
	6	Now, turns out, that's actually not so hard: If you're running ezjail with zfs enabled, you first create the dataset for poudriere to work on::
	7
	8	zfs create -o jailed=on tank/poudriere
	9
	10	then you just create your poudriere jail, making sure to pass it an ::1 IP address::
	11
	12	ezjail-admin create -c zfs poudriere 127.0.0.1,lo0\|::1
	13
	14	and then manually edit the two config lines in ``/usr/local/etc/ezjail/poudriere`` to read::
	15
	16	export jail_poudriere_parameters="children.max=10 allow.mount=1 allow.mount.devfs=1 allow.mount.procfs=1 allow.mount.zfs=1 allow.mount.nullfs=1 allow.raw_sockets=1 allow.socket_af=1 allow.sysvipc=1 allow.chflags=1 enforce_statfs=1"
	17	export jail_poudriere_zfs_datasets="tank/poudriere"
	18
	19	dont forget that this jail needs a resolv.conf, too and now you can just::
	20
	21	ezjail-admin console -f poudriere
	22
	23	and follow `the FreeBSD handbook section on poudriere <https://www.freebsd.org/doc/handbook/ports-poudriere.html>`_ to get your poudriere jobs running. Since I wanted the web server jail to serve the packages, I exposed them in ``/etc/fstab.www_domain.com`` by adding a line::
	24
	25	/usr/jails/poudriere/tank/poudriere/data/packages /usr/jails/www.domain.com/packages nullfs ro 0 0
	26
	27	and after an ``ezjail-admin restart www.domain.com``, you should be able to use the packages built by adding a ``/usr/local/etc/pkg/repos/www.conf`` of::
	28
	29	www: {
	30	url: "file:///packages/103amd64-local-workstation/",
	31	enabled: yes
	32	}
	33
	34	Update: Should you be missing the file systems inside your poudriere jail, make sure to mount them in your periodic script that runs poudriere (using ``zfs mount -a``, before running poudriere), or take a look at `the thread on the ezjail mailing list <https://elektropost.org/ezjail/msg00902.html>`_ regarding rc.d/zfs not finding the dataset when it's run.