jailmaker/README.md

172 lines
7.7 KiB
Markdown
Raw Normal View History

2023-01-28 22:09:54 +00:00
# Jailmaker
2023-06-15 08:12:32 +00:00
Persistent Linux 'jails' on TrueNAS SCALE to install software (docker-compose, portainer, podman, etc.) with full access to all files via bind mounts.
2023-01-28 22:09:54 +00:00
## Disclaimer
**USING THIS SCRIPT IS AT YOUR OWN RISK! IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS.**
2023-01-29 11:58:28 +00:00
2023-01-28 22:09:54 +00:00
## Summary
2023-08-12 16:17:38 +00:00
TrueNAS SCALE can create persistent Linux 'jails' with systemd-nspawn. This script helps with the following:
2023-01-28 22:09:54 +00:00
2023-08-12 16:17:38 +00:00
- Installing the systemd-container package (which includes systemd-nspawn)
2023-01-28 22:09:54 +00:00
- Setting up the jail so it won't be lost when you update SCALE
2023-10-28 08:52:31 +00:00
- Choosing a distro (Debian 12 strongly recommended, but Ubuntu, Arch Linux or Rocky Linux seem good choices too)
2023-01-28 22:09:54 +00:00
- Optional: configuring the jail so you can run Docker inside it
2023-03-05 16:24:45 +00:00
- Optional: GPU passthrough (including [nvidia GPU](README.md#nvidia-gpu) with the drivers bind mounted from the host)
2023-01-28 22:09:54 +00:00
- Starting the jail with your config applied
2024-01-27 15:59:51 +00:00
## Security
Despite what the word 'jail' implies, jailmaker's intended use case is to create one or more additional filesystems to run alongside SCALE with minimal isolation. By default the root user in the jail with uid 0 is mapped to the host's uid 0. This has [obvious security implications](https://linuxcontainers.org/lxc/security/#privileged-containers). If this is not acceptable to you, you may lock down the jails by [limiting capabilities](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#Security_Options) and/or using [user namespacing](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#User_Namespacing_Options) or use a VM instead.
2023-01-28 22:09:54 +00:00
## Installation
Create a new dataset called `jailmaker` with the default settings (from TrueNAS web interface). Then login as the root user and download `jlmkr.py`.
2023-01-28 22:09:54 +00:00
```shell
cd /mnt/mypool/jailmaker
curl --location --remote-name https://raw.githubusercontent.com/Jip-Hop/jailmaker/main/jlmkr.py
chmod +x jlmkr.py
2023-08-12 16:14:09 +00:00
./jlmkr.py install
```
2023-08-15 17:28:43 +00:00
The `jlmkr.py` script (and the jails + config it creates) are now stored on the `jailmaker` dataset and will survive updates of TrueNAS SCALE. Additionally a symlink has been created so you can call `jlmkr` from anywhere.
2023-08-12 16:14:09 +00:00
2023-08-15 17:28:43 +00:00
After an update of TrueNAS SCALE the symlink will be lost and `systemd-nspawn` (the core package which makes `jailmaker` work) may be gone too. Not to worry, just run `./jlmkr.py install` again or use [the `./jlmkr.py startup` command](#startup-jails-on-boot).
2023-08-14 13:42:20 +00:00
2023-08-15 12:48:22 +00:00
## Usage
### Create Jail
2023-01-28 22:09:54 +00:00
2023-01-29 11:58:28 +00:00
Creating a jail is interactive. You'll be presented with questions which guide you through the process.
2023-01-28 22:09:54 +00:00
```shell
2023-08-14 13:42:20 +00:00
jlmkr create myjail
2023-01-28 22:09:54 +00:00
```
2023-01-29 11:58:28 +00:00
After answering a few questions you should have your first jail up and running!
2023-08-15 17:28:43 +00:00
### Startup Jails on Boot
```shell
# Best to call startup directly (not through the jlmkr symlink)
/mnt/mypool/jailmaker/jlmkr.py startup
# Can be called from the symlink too...
# But this may not be available after a TrueNAS SCALE update
jlmkr startup
```
2023-01-28 22:09:54 +00:00
2023-08-15 17:28:43 +00:00
In order to start jails automatically after TrueNAS boots, run `/mnt/mypool/jailmaker/jlmkr.py startup` as Post Init Script with Type `Command` from the TrueNAS web interface. This will automatically fix the installation of `systemd-nspawn` and setup the `jlmkr` symlink, as well as start all the jails with `startup=1` in the config file. Running the `startup` command Post Init is recommended to keep `jailmaker` working after a TrueNAS SCALE update.
2023-01-28 22:09:54 +00:00
2023-08-15 12:48:22 +00:00
### Start Jail
2023-03-02 20:52:16 +00:00
```shell
2023-08-14 13:42:20 +00:00
jlmkr start myjail
2023-03-02 20:52:16 +00:00
```
2023-08-15 12:48:22 +00:00
### List Jails
2023-03-02 20:52:16 +00:00
```shell
2023-08-14 13:42:20 +00:00
jlmkr list
2023-03-02 20:52:16 +00:00
```
2023-01-28 22:09:54 +00:00
2023-08-15 12:48:22 +00:00
### Execute Command in Jail
2023-08-15 12:45:52 +00:00
You may want to execute a command inside a jail, for example from a shell script or a CRON job. The example below executes the `env` command inside the jail.
```shell
jlmkr exec myjail env
```
This example executes bash inside the jail with a command as additional argument.
```shell
jlmkr exec myjail bash -c 'echo test; echo $RANDOM;'
```
2023-08-15 12:48:22 +00:00
### Edit Jail Config
2023-08-14 14:12:33 +00:00
```shell
jlmkr edit myjail
```
Once you've created a jail, it will exist in a directory inside the `jails` dir next to `jlmkr.py`. For example `/mnt/mypool/jailmaker/jails/myjail` if you've named your jail `myjail`. You may edit the jail configuration file, e.g. using the `jlmkr edit myjail` command (which uses the nano text editor). You'll have to stop the jail and start it again with `jlmkr` for these changes to take effect.
2023-08-15 12:48:22 +00:00
### Remove Jail
2023-03-02 20:52:16 +00:00
```shell
2023-08-14 13:42:20 +00:00
jlmkr remove myjail
2023-03-02 20:52:16 +00:00
```
2023-08-15 12:48:22 +00:00
### Stop Jail
2023-03-03 18:46:25 +00:00
```shell
2023-08-15 11:58:47 +00:00
jlmkr stop myjail
2023-03-03 18:46:25 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Shell
2023-01-28 22:09:54 +00:00
```shell
2023-08-15 11:58:47 +00:00
jlmkr shell myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Status
2023-01-28 22:09:54 +00:00
```shell
2023-08-15 11:58:47 +00:00
jlmkr status myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Logs
2023-01-28 22:09:54 +00:00
```shell
2023-08-15 11:58:47 +00:00
jlmkr log myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Additional Commands
2023-08-15 11:58:47 +00:00
2024-01-27 15:59:51 +00:00
Expert users may use the following additional commands to manage jails directly: `machinectl`, `systemd-nspawn`, `systemd-run`, `systemctl` and `journalctl`. The `jlmkr` script uses these commands under the hood and implements a subset of their functions. If you use them directly you will bypass any safety checks or configuration done by `jlmkr` and not everything will work in the context of TrueNAS SCALE.
2023-08-15 11:58:47 +00:00
2023-01-28 22:09:54 +00:00
## Networking
By default the jail will have full access to the host network. No further setup is required. You may download and install additional packages inside the jail. Note that some ports are already occupied by TrueNAS SCALE (e.g. 443 for the web interface), so your jail can't listen on these ports. This is inconvenient if you want to host some services (e.g. traefik) inside the jail. To workaround this issue when using host networking, you may disable DHCP and add several static IP addresses (Aliases) through the TrueNAS web interface. If you setup the TrueNAS web interface to only listen on one of these IP addresses, the ports on the remaining IP addresses remain available for the jail to listen on.
See [Advanced Networking](./NETWORKING.md) for more.
2023-01-28 22:24:12 +00:00
## Docker
2023-08-15 17:28:43 +00:00
The `jailmaker` script won't install Docker for you, but it can setup the jail with the capabilities required to run docker. You can manually install Docker inside the jail using the [official installation guide](https://docs.docker.com/engine/install/#server) or use [convenience script](https://get.docker.com).
2023-01-28 22:24:12 +00:00
2023-10-28 08:52:31 +00:00
## Documentation
Additional documentation contributed by the community can be found in [the docs directory](./docs/).
2023-01-28 22:09:54 +00:00
## Comparison
2023-08-15 17:28:43 +00:00
TODO: write comparison between systemd-nspawn (without `jailmaker`), LXC, VMs, Docker (on the host).
2023-01-28 22:09:54 +00:00
2024-01-20 15:45:23 +00:00
## Incompatible Distros
2023-01-29 11:58:28 +00:00
The rootfs image `jlmkr.py` downloads comes from the [Linux Containers Image server](https://images.linuxcontainers.org). These images are made for LXC. We can use them with systemd-nspawn too, although not all of them work properly. For example, the `alpine` image doesn't work well. If you stick with common systemd based distros (Debian, Ubuntu, Arch Linux...) you should be fine.
2023-01-29 11:58:28 +00:00
2024-01-20 15:45:23 +00:00
## Tips & Tricks
### Colorized bash prompt
To visually distinguish between a root shell inside the jail and a root shell outside the jail, it's possible to colorize the shell prompt. When using a debian jail with the bash shell, you may run the following command to get a yellow prompt inside the jail (will be activated the next time you run `jlmkr shell myjail`):
```bash
echo "PS1='${debian_chroot:+($debian_chroot)}\[\033[01;33m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '" >> ~/.bashrc
```
2023-01-28 22:09:54 +00:00
## References
2024-01-06 10:47:35 +00:00
- [TrueNAS Forum Thread about Jailmaker](https://www.truenas.com/community/threads/linux-jails-experimental-script.106926/)
2023-01-28 22:09:54 +00:00
- [systemd-nspawn](https://manpages.debian.org/bullseye/systemd-container/systemd-nspawn.1.en.html)
- [machinectl](https://manpages.debian.org/bullseye/systemd-container/machinectl.1.en.html)
- [systemd-run](https://manpages.debian.org/bullseye/systemd/systemd-run.1.en.html)
2023-01-28 22:24:12 +00:00
- [Run docker in systemd-nspawn](https://wiki.archlinux.org/title/systemd-nspawn#Run_docker_in_systemd-nspawn)
2023-06-15 08:12:32 +00:00
- [The original Jailmaker gist](https://gist.github.com/Jip-Hop/4704ba4aa87c99f342b2846ed7885a5d)