Jails | diyIT
Jail management leverages iocage

iocage is a Python framework which makes managing jail configurations and operations script friendly. Its Makefile needs to be edited for a FreeBSD 12.2 installation; the change is shown in the diff below.

  • There is a "common" dataset which contains various configuration files common to all jails. This directory is mounted under /mnt/common by create.sh when it runs.
  • There is a "config" dataset which contains various configuration files specific to that jail. This directory is mounted under /mnt/config.
  • There is a "certs" dataset that is maintained by the cert jail and is mounted read-only into every jail so they can share the common Let's Encrypt domain certificates. This directory is mounted under /mnt/certs.
  • Create the IPv4 and IPv6 "DNS Resolver" entries for the jail IP under "pfSense - Services".
git clone --recursive https://github.com/iocage/iocage
cd iocage
git checkout master

diff Makefile Makefile.orig
3c3
< PYTHON?=/usr/local/bin/python3.7
---
> PYTHON?=/usr/local/bin/python3.6
7,8c7,8
<   @test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
<   pkg install -q -y py37-libzfs
---
>   @test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python36"; pkg install -q -y python36)
>   pkg install -q -y py36-libzfs
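Review bot: the Python minor version is now spelled out three times in this hunk (the python37 message, the python37 package and py37-libzfs) on top of the PYTHON path in the first hunk, so the next bump has to be made in four places; deriving the package names from one variable (e.g. python${PY_VER} and py${PY_VER}-libzfs) would keep them in step. Also, since the diff was produced as `diff Makefile Makefile.orig`, the `<` lines are the edited file and the `>` lines the original, the reverse of a normal patch, so anyone applying it with patch(1) would need -R.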

make install


  • add the IPv4 and IPv6 addresses to the DNS Resolver on pfSense
  • create the config directory with the jail-specific configuration files
  • launch create.sh with the jail-specific parameters

Notes

For Apache+PHP-FPM enabled websites:

iocage exec $JAIL "sysrc apache24_enable=YES"
iocage exec $JAIL "cp /mnt/config/httpd.conf /usr/local/etc/apache24/"
iocage exec $JAIL "cp /mnt/config/secret/.htpasswd /usr/local/www/apache24/"
iocage exec $JAIL "cp /mnt/config/.htaccess /usr/local/www/apache24/data/"
iocage exec $JAIL "cp /mnt/config/020_mod_ssl.conf /usr/local/etc/apache24/modules.d/"
iocage exec $JAIL "cp /mnt/config/php.ini /usr/local/etc/php.ini"

iocage exec $JAIL "sysrc php_fpm_enable=YES"
iocage exec $JAIL "cp -f /mnt/config/www.conf /usr/local/etc/php-fpm.d/"
iocage exec $JAIL "service php-fpm start"

iocage exec $JAIL "service apache24 restart"


## httpd.conf and php.ini are customized per jail as required


config # cat 020_mod_ssl.conf | grep -ve "^[[:space:]]*[#;]" | tr -s "\n"
Listen 443
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off
SSLOptions      +StrictRequire
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout  300
SSLSessionCache         shmcb:/usr/local/etc/apache24/ssl_scache(512000)
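A lint for the hardening directives in the fragment above, as an added example that is not part of the diyIT page or the jail's own files: it reads a 020_mod_ssl.conf on stdin and reports legacy TLS versions, compression, session tickets, cipher order and weak suites left in place.

```shell
#!/bin/sh
# Added example (not from the diyIT page): a lint for the mod_ssl hardening
# directives shown above. Pipe a 020_mod_ssl.conf into lint_ssl_conf; it prints
# one line per weak or missing setting and returns their count (0 = clean).

# Value of a directive, ignoring comment lines and case (first match wins).
directive() {
    printf '%s\n' "$CONF" | grep -ve '^[[:space:]]*[#;]' \
      | awk -v d="$1" 'tolower($1)==tolower(d){$1="";sub(/^ +/,"");print;exit}'
}

# True when the space-separated list $1 contains the exact token $2.
has_token() { printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"; }

lint_ssl_conf() {
    CONF=$(cat)   # whole config from stdin
    n=0
    proto=$(directive SSLProtocol)
    # TLS 1.0/1.1 must be off, either explicitly or via "-all +TLSv1.2 ...".
    if ! has_token "$proto" -all && ! { has_token "$proto" -TLSv1 && has_token "$proto" -TLSv1.1; }; then
        echo "SSLProtocol leaves TLS 1.0/1.1 enabled: '${proto:-unset}'"; n=$((n+1))
    fi
    # Compression (CRIME), stateless tickets and client-chosen order all off.
    for want in SSLCompression=off SSLSessionTickets=off SSLHonorCipherOrder=on; do
        name=${want%=*}; val=$(directive "$name" | tr 'A-Z' 'a-z')
        [ "$val" = "${want#*=}" ] || { echo "$name should be ${want#*=} (is '${val:-unset}')"; n=$((n+1)); }
    done
    # Flag suites built on broken or anonymous primitives by name.
    for c in $(directive SSLCipherSuite | tr ':' ' '); do
        case $c in
            *RC4*|*3DES*|*DES-CBC*|*NULL*|*MD5*|*EXP*|*ADH*|*AECDH*)
                echo "weak cipher suite: $c"; n=$((n+1)) ;;
        esac
    done
    return $n
}

# Demo on a constructed weak fragment; the page's own 020_mod_ssl.conf yields 0.
printf 'SSLProtocol all -SSLv3\nSSLCompression on\n' | lint_ssl_conf || echo "findings: $?"
```

On a jail: lint_ssl_conf < /mnt/config/020_mod_ssl.conf; a non-zero exit is the number of findings.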

config # cat www.conf | grep -ve "^[[:space:]]*[#;]" | tr -s "\n"
[www]
user = www
group = www
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

PHP upgrades
php73 to php74 upgrade:

Remember to build php74-ldap and the related samba411 package (its LDAP dependency) on pkgp first.

Run the following in every web jail: web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)

Dry run (without -y, pkg only shows its plan and asks for confirmation):
pkg info | grep php73 | cut -w -f 1 | rev | cut -d "-" -f 2- | rev | sed 's/73/74/' | sort | grep -Ev "php74-hash|php74-wddx" | xargs pkg install

Install:
pkg info | grep php73 | cut -w -f 1 | rev | cut -d "-" -f 2- | rev | sed 's/73/74/' | sort | grep -Ev "php74-hash|php74-wddx" | xargs pkg install -y

Pkg list:
pkg info | grep php74 | cut -w -f 1 | rev | cut -d "-" -f 2- | rev | xargs echo
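The same package-list pipeline written as a reusable function, added here as an example that is not part of the diyIT page: it reads `pkg info` output from stdin, so the resulting php74 list can be reviewed offline before any install, and it uses only awk/sort so it also runs outside FreeBSD (no `cut -w` or `rev`).

```shell
#!/bin/sh
# Added example (not from the diyIT page): the php73 -> php74 package list as a
# function over `pkg info` output read from stdin, so the plan can be reviewed
# before anything is installed. Uses only awk/sort (no FreeBSD-only `cut -w` or
# `rev`), so it runs the same on the jail and on a workstation.

# Extensions that have no php74 package: hash moved into core, wddx was removed.
DROPPED_IN_74='php74-hash php74-wddx'

# Reads `pkg info` lines, prints one php74 package name per line (sorted),
# and reports skipped packages on stderr.
php74_pkgs() {
    # Column 1 is name-version; keep the php73 ones, drop the trailing
    # -version, and rename the first "73" to "74" (covers mod_php73 too).
    awk '$1 ~ /php73/ { sub(/-[^-]*$/, "", $1); sub(/73/, "74", $1); print $1 }' \
      | sort -u \
      | while read -r pkg; do
            case " $DROPPED_IN_74 " in
                *" $pkg "*) echo "skip $pkg: no 7.4 package" >&2 ;;
                *)          echo "$pkg" ;;
            esac
        done
}

# Demo on constructed `pkg info` lines; on a jail run: pkg info | php74_pkgs
printf '%s\n' \
  'php73-7.3.27                   PHP Scripting Language' \
  'php73-hash-7.3.27              The hash shared extension for php' \
  'mod_php73-7.3.27               PHP Scripting Language' \
  | php74_pkgs
```

On the jail, `pkg info | php74_pkgs | xargs pkg install -y` does what the one-liner above does, with the skipped packages logged instead of silently dropped.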

diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf
diff /usr/local/etc/php.ini /mnt/config/php.ini
diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf

cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf
service apache24 restart


Showcased here is a capital and operational cost effective approach, using minimal server and networking hardware with multiple virtualized applications for Home and Business. This solution template can be easily scaled out and adapted for larger Enterprise deployments.
drop by the diyIT Matrix public room at #diyit:matrix.ahlawat.com
if you have any IT questions/feedback or to request pro bono consulting for a nonprofit

message me privately at @sharad:matrix.ahlawat.com
or email me at - sharad@ahlawat.com - pgpkey: 68DD6B89
Networking and Security Technologist.
Engineer and an avid Programmer.

https://sharad.ahlawat.com
strive to learn and pass on the knowledge to the next generation
one day humanity will understand the meaning of life and hopefully it will be more than ASCII 42 = "*" regex for whatever you want it to be,
and destiny is more than just a roll of a pair of dice with 42 dots (Let's nail down Quantum Entanglement)

May you Live Long (Intelligently) and Prosper and work on technology that matters.
© 2024 Sharad Ahlawat

No personal identifying data is collected or any form of analytics/metrics reported to a third-party by this website.