Managing Python installation in a FreeBSD jail from the host of the jail

Hi all,

I'm curious about what is the Ansible way of working with FreeBSD Jails on a
remote host.

In my company we deploy almost all of our inhouse software inside jails and
therefore I have developed a connection plugin "sshjail" that allows us to use
a jail on a remote host as an Ansible host (addressed by jailname@host).

To setup flexible test environments we want to use Ansible to create and
configure the jails up to the point where we can use our connection plugin to
connect to the jail. One crucial part in the creation process is to setup
Python inside the jail. I created a patched version of the pkgng module that
exposes pkg's --jail option as a "jail" parameter. See the pull request
https://github.com/ansible/ansible-modules-extras/pull/131 . This allows me to
have a simple task that runs against the host and installs Python inside the
jail. After that I can ran plays against the jail.

Michael is unhappy with the idea of having a jail parameter in the pkgng
module and closed the pull request. Coming from my use case there won't be a
need to have a jail option in all modules to do things in jails, so the
argument for closing the request does not really convince me. Furthermore, the
proposed jail parameter just exposes a feature present in the pkg program.

But maybe there is an elegant way to use the pkgng module from outside a jail
to install software inside the jail?

Best Wishes!
David

I normally exposed the jails over ssh and just used the raw module to
bootstrap ansible (install python).

By design from our software architect the regular access path to the jails is
ssh + sudo + jexec and as this looks very sensible to me I would like to
follow this way using Ansible.

Our jails usually do have private IPs and have no ssh daemon running. I could
suggest to have a ssh daemon running inside the jail, but I'm not free to
expose an ssh daemon in a jail to the internet. So I would need to tunnel the
ssh connection through the server hosting the jails which requires quite some
configuration I rather would not need to manage. Also, inside the jails we do
not have the user accounts we use to ssh into the server, which complicates
the ssh connection even more.

David

I normally used a bastion/jumphost to do ssh, which works with ansible.
In any case, your sshjails connection plugin sounds like it already
takes care of most issues better than adding --jails options to other
modules.

Hi,

I normally used a bastion/jumphost to do ssh, which works with ansible.

Out of curiosity: What is the simplest way to setup an Ansible-usable ssh
connection through a jumphost?
For our first tests with Ansible we defined hosts in a local ssh_config in the
following way (jailhost was the FreeBSD server running in a VirtualBox and to
get things running quickly we allowed and used direct root login):

Host jailname
  HostName 10.0.0.1
  ProxyCommand=ssh -F ./ssh_config jailhost -W %h:%p

In any case, your sshjails connection plugin sounds like it already
takes care of most issues better than adding --jails options to other
modules.

I totally agree that it would be a bad idea to have a jails option to every
module I use to do something in a jail.

My pkgng pull request [1] contains some non-jail related cleanup and some
minor bugfixes for the annotation related parts. I could make a new pull
request for that if there is any interest.

David

[1] https://github.com/ansible/ansible-modules-extras/pull/131

ansible uses ssh, which by default uses your .ssh/config, but you can
also pass a 'common' ssh config as an ssh arg if you don't want
everybody to have it defined.

Is this considered a closed issue, or open for debate?

I’ve fairly recently started looking at ansible, and found this discussion (and the pull-request) because I’m looking to do things in exactly the way David Fritzsche describes.

I’d like to elaborate a bit on why, hoping it can help convince people to consider the pull request again.

FreeBSDs jails doesn’t really force a specific way of using them upon you, you could have a single program use jail(), similar to the more common pattern of just using chroot().

For “fuller” jails, it’s quite common to do a basic FreeBSD-install, and run basic services in the jail. You could easily run ssh in these jails, and use ansible like it was a “normal” system.

Where Davids pull-request really comes in handy though (in my opinion at least), is for smaller service-jails, customer-specific ones, and so on. If you do a bare-bones install of the things you require for that specific service, customer or similar, it could more than double the size of the jail if you install python as well, and double the memory-footprint if you start ssh.

If you have a couple of hundred of these jails running on one machine, it can be terribly inconvenient to have to run a couple of hundres ssh daemons as well, for the sole purpose of ansible reaching them, when you could use ssh to the host, and jexec your way to the jail, only when you’re actually doing something with it.

I get that I could use the jail-connector and run ansible locally on the host, but going down that route, you’re starting to throw away some the very point (for me at least) of being able to separate an ansible-orchestration host from various service-hosts, etc.

Terje