jailmaker/README.md

272 lines
14 KiB
Markdown
Raw Normal View History

2023-01-28 22:09:54 +00:00
# Jailmaker
Persistent Linux 'jails' on TrueNAS SCALE to install software (k3s, docker, portainer, podman, etc.) with full access to all files via bind mounts.
2023-01-28 22:09:54 +00:00
2024-04-28 10:04:10 +00:00
## Video Tutorial
[![TrueNAS Scale - Setting up Sandboxes with Jailmaker - YouTube Video](https://img.youtube.com/vi/S0nTRvAHAP8/0.jpg)<br>Watch on YouTube](https://www.youtube.com/watch?v=S0nTRvAHAP8 "TrueNAS Scale - Setting up Sandboxes with Jailmaker - YouTube Video")
2023-01-28 22:09:54 +00:00
## Disclaimer
**USING THIS SCRIPT IS AT YOUR OWN RISK! IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS.**
2023-01-29 11:58:28 +00:00
2023-01-28 22:09:54 +00:00
## Summary
2023-08-12 16:17:38 +00:00
TrueNAS SCALE can create persistent Linux 'jails' with systemd-nspawn. This script helps with the following:
2023-01-28 22:09:54 +00:00
- Setting up the jail so it won't be lost when you update SCALE
2023-10-28 08:52:31 +00:00
- Choosing a distro (Debian 12 strongly recommended, but Ubuntu, Arch Linux or Rocky Linux seem good choices too)
- Will create a ZFS Dataset for each jail if the `jailmaker` directory is a dataset (easy snapshotting)
2023-01-28 22:09:54 +00:00
- Optional: configuring the jail so you can run Docker inside it
2024-04-28 09:57:41 +00:00
- Optional: GPU passthrough (including nvidia GPU with the drivers bind mounted from the host)
2023-01-28 22:09:54 +00:00
- Starting the jail with your config applied
## Installation
2024-05-28 18:55:46 +00:00
Beginning with 24.04 (Dragonfish), TrueNAS SCALE officially includes the systemd-nspawn containerization program in the base system. Technically there's nothing to install. You only need the `jlmkr.py` script file in the right place. [Instructions with screenshots](https://www.truenas.com/docs/scale/scaletutorials/apps/sandboxes/) are provided on the TrueNAS website. Start by creating a new dataset called `jailmaker` with the default settings (from TrueNAS web interface). Then login as the root user and download `jlmkr.py`.
2023-01-28 22:09:54 +00:00
```shell
cd /mnt/mypool/jailmaker
curl --location --remote-name https://raw.githubusercontent.com/Jip-Hop/jailmaker/main/jlmkr.py
chmod +x jlmkr.py
2023-08-12 16:14:09 +00:00
```
The `jlmkr.py` script (and the jails + config it creates) are now stored on the `jailmaker` dataset and will survive updates of TrueNAS SCALE. If the automatically created `jails` directory is also a ZFS dataset (which is true for new users), then the `jlmkr.py` script will automatically create a new dataset for every jail created. This allows you to snapshot individual jails. For legacy users (where the `jails` directory is not a dataset) each jail will be stored in a plain directory.
2024-05-28 18:55:46 +00:00
### Alias
Optionally you may create a shell alias for the currently logged in (admin) user to conveniently run `jlmkr.py` without having to change into the `jailmaker` directory or specify the full absolute path. I suggest to create the `jlmkr` alias like this:
```shell
echo "alias jlmkr=\"sudo -E '/mnt/mypool/jailmaker/jlmkr.py'\"" >> ~/.bashrc
2024-05-28 18:55:46 +00:00
```
Please replace `/mnt/mypool/jailmaker/` with the actual path to where you stored `jlmkr.py`. If you're using zsh instead of bash, then you should replace `.bashrc` in the command above with `.zshrc`. If you've created the alias, you may use it instead of `./jlmkr.py`.
2024-05-29 02:58:53 +00:00
The alias will be available the next time you load the shell, but to use the alias immediately you can `source ~/.bashrc` or `source ~/.zshrc`, as appropriate.
2023-08-15 12:48:22 +00:00
## Usage
### Create Jail
2023-01-28 22:09:54 +00:00
Creating a jail with the default settings is as simple as:
2023-01-28 22:09:54 +00:00
```shell
./jlmkr.py create --start myjail
2023-01-28 22:09:54 +00:00
```
You may also specify a path to a config template, for a quick and consistent jail creation process.
```shell
./jlmkr.py create --start --config /path/to/config/template myjail
2024-03-01 16:35:05 +00:00
```
Or you can override the default config by using flags. See `./jlmkr.py create --help` for the available options. Anything passed after the jail name will be passed to `systemd-nspawn` when starting the jail. See the `systemd-nspawn` manual for available options, specifically [Mount Options](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#Mount_Options) and [Networking Options](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#Networking_Options) are frequently used.
2024-03-02 16:20:50 +00:00
```shell
./jlmkr.py create --start --distro=ubuntu --release=jammy myjail --bind-ro=/mnt
2024-03-02 16:20:50 +00:00
```
2024-03-01 16:35:05 +00:00
If you omit the jail name, the create process is interactive. You'll be presented with questions which guide you through the process.
```shell
./jlmkr.py create
```
2023-01-29 11:58:28 +00:00
After answering some questions you should have created your first jail (and it should be running if you chose to start it after creating)!
2024-03-01 16:35:05 +00:00
2023-08-15 17:28:43 +00:00
### Startup Jails on Boot
```shell
2024-02-10 12:04:18 +00:00
# Call startup using the absolute path to jlmkr.py
2023-08-15 17:28:43 +00:00
/mnt/mypool/jailmaker/jlmkr.py startup
```
2023-01-28 22:09:54 +00:00
In order to start jails automatically after TrueNAS boots, run `/mnt/mypool/jailmaker/jlmkr.py startup` as Post Init Script with Type `Command` from the TrueNAS web interface. This will start all the jails with `startup=1` in the config file.
2023-01-28 22:09:54 +00:00
2023-08-15 12:48:22 +00:00
### Start Jail
2023-03-02 20:52:16 +00:00
```shell
./jlmkr.py start myjail
2023-03-02 20:52:16 +00:00
```
2023-08-15 12:48:22 +00:00
### List Jails
2023-03-02 20:52:16 +00:00
2024-05-09 12:33:27 +00:00
See list of jails (including running, startup state, GPU passthrough, distro, and IP).
2023-03-02 20:52:16 +00:00
```shell
./jlmkr.py list
2023-03-02 20:52:16 +00:00
```
2023-01-28 22:09:54 +00:00
2023-08-15 12:48:22 +00:00
### Execute Command in Jail
2023-08-15 12:45:52 +00:00
2024-05-09 12:33:27 +00:00
You may want to execute a command inside a jail, for example manually from the TrueNAS shell, a shell script or a CRON job. The example below executes the `env` command inside the jail.
2023-08-15 12:45:52 +00:00
```shell
./jlmkr.py exec myjail env
2023-08-15 12:45:52 +00:00
```
This example executes bash inside the jail with a command as additional argument.
```shell
./jlmkr.py exec myjail bash -c 'echo test; echo $RANDOM;'
2023-08-15 12:45:52 +00:00
```
2023-08-15 12:48:22 +00:00
### Edit Jail Config
2023-08-14 14:12:33 +00:00
```shell
./jlmkr.py edit myjail
2023-08-14 14:12:33 +00:00
```
Once you've created a jail, it will exist in a directory inside the `jails` dir next to `jlmkr.py`. For example `/mnt/mypool/jailmaker/jails/myjail` if you've named your jail `myjail`. You may edit the jail configuration file using the `./jlmkr.py edit myjail` command. This opens the config file in your favorite editor, as determined by following [Debian's guidelines](https://www.debian.org/doc/debian-policy/ch-customized-programs.html#editors-and-pagers) on the matter. You'll have to stop the jail and start it again with `jlmkr` for these changes to take effect.
2023-08-14 14:12:33 +00:00
2023-08-15 12:48:22 +00:00
### Remove Jail
2023-03-02 20:52:16 +00:00
2024-05-09 12:33:27 +00:00
Delete a jail and remove it's files (requires confirmation).
2023-03-02 20:52:16 +00:00
```shell
./jlmkr.py remove myjail
2023-03-02 20:52:16 +00:00
```
2023-08-15 12:48:22 +00:00
### Stop Jail
2023-03-03 18:46:25 +00:00
```shell
./jlmkr.py stop myjail
2023-03-03 18:46:25 +00:00
```
2024-02-08 06:39:54 +00:00
### Restart Jail
```shell
./jlmkr.py restart myjail
2024-02-08 06:39:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Shell
2023-01-28 22:09:54 +00:00
2024-05-09 12:33:27 +00:00
Switch into the jail's shell.
2023-01-28 22:09:54 +00:00
```shell
./jlmkr.py shell myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Status
2023-01-28 22:09:54 +00:00
```shell
./jlmkr.py status myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Jail Logs
2023-01-28 22:09:54 +00:00
2024-05-09 12:33:27 +00:00
View a jail's logs.
2023-01-28 22:09:54 +00:00
```shell
./jlmkr.py log myjail
2023-01-28 22:09:54 +00:00
```
2023-08-15 12:48:22 +00:00
### Additional Commands
2023-08-15 11:58:47 +00:00
2024-01-27 15:59:51 +00:00
Expert users may use the following additional commands to manage jails directly: `machinectl`, `systemd-nspawn`, `systemd-run`, `systemctl` and `journalctl`. The `jlmkr` script uses these commands under the hood and implements a subset of their functions. If you use them directly you will bypass any safety checks or configuration done by `jlmkr` and not everything will work in the context of TrueNAS SCALE.
2023-08-15 11:58:47 +00:00
2024-05-28 18:55:46 +00:00
## Security
By default the root user in the jail with uid 0 is mapped to the host's uid 0. This has [obvious security implications](https://linuxcontainers.org/lxc/security/#privileged-containers). If this is not acceptable to you, you may lock down the jails by [limiting capabilities](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#Security_Options) and/or using [user namespacing](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html#User_Namespacing_Options) or use a VM instead.
### Seccomp
Seccomp is a Linux kernel feature that restricts programs from making unauthorized system calls. This means that when seccomp is enabled there can be times where a process run inside a jail will be killed with the error "Operation not permitted." In order to find out which syscall needs to be added to the `--system-call-filter=` configuration you can use `strace`.
For example:
```
# /usr/bin/intel_gpu_top
Failed to initialize PMU! (Operation not permitted)
# strace /usr/bin/intel_gpu_top 2>&1 |grep Operation\ not\ permitted
perf_event_open({type=0x10 /* PERF_TYPE_??? */, size=PERF_ATTR_SIZE_VER7, config=0x100002, sample_period=0, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, use_clockid=1, ...}, -1, 0, -1, 0) = -1 EPERM (Operation not permitted)
write(2, "Failed to initialize PMU! (Opera"..., 52Failed to initialize PMU! (Operation not permitted)
```
The syscall that needs to be added to the `--system-call-filter` option in the `jailmaker` config in this case would be `perf_event_open`. You may need to run strace multiple times.
Seccomp is important for security, but as a last resort can be disabled by setting `seccomp=0` in the jail config.
2023-01-28 22:09:54 +00:00
## Networking
2024-05-09 12:33:27 +00:00
By default a jails will use the same networking namespace, with access to all (physical) interfaces the TrueNAS host has access to. No further setup is required. You may download and install additional packages inside the jail. Note that some ports are already occupied by TrueNAS SCALE (e.g. 443 for the web interface), so your jail can't listen on these ports.
Depending on the service this may be o.k. For example Home Assistant will bind to port 8123, leaving the 80 and 443 ports free from clashes for the TrueNAS web interface. You can then either connect to the service on 8123, or use a reverse proxy such as traefik.
But clashes may happen if you want some services (e.g. traefik) inside the jail to listen on port 443. To workaround this issue when using host networking, you may disable DHCP and add several static IP addresses (Aliases) through the TrueNAS web interface. If you setup the TrueNAS web interface to only listen on one of these IP addresses, the ports on the remaining IP addresses remain available for the jail to listen on.
2023-01-28 22:09:54 +00:00
2024-05-09 12:33:27 +00:00
See [the networking docs](./docs/network.md) for more advanced options (bridge and macvlan networking).
2023-01-28 22:09:54 +00:00
2023-01-28 22:24:12 +00:00
## Docker
2024-05-09 12:33:27 +00:00
Using the [docker config template](./templates/docker/README.md) is recommended if you want to run docker inside the jail. You may of course manually install docker inside a jail. But keep in mind that you need to add `--system-call-filter='add_key keyctl bpf'` (or disable seccomp filtering). It is [not recommended to use host networking for a jail in which you run docker](https://github.com/Jip-Hop/jailmaker/issues/119). Docker needs to manage iptables rules, which it can safely do in its own networking namespace (when using [bridge or macvlan networking](./docs/network.md) for the jail).
2023-01-28 22:24:12 +00:00
2023-10-28 08:52:31 +00:00
## Documentation
2024-05-09 12:33:27 +00:00
Additional documentation can be found in [the docs directory](./docs/) (contributions are welcome!).
2023-10-28 08:52:31 +00:00
2023-01-28 22:09:54 +00:00
## Comparison
2023-08-15 17:28:43 +00:00
TODO: write comparison between systemd-nspawn (without `jailmaker`), LXC, VMs, Docker (on the host).
2023-01-28 22:09:54 +00:00
2024-01-20 15:45:23 +00:00
## Incompatible Distros
2023-01-29 11:58:28 +00:00
The rootfs image `jlmkr.py` downloads comes from the [Linux Containers Image server](https://images.linuxcontainers.org). These images are made for LXC. We can use them with systemd-nspawn too, although not all of them work properly. For example, the `alpine` image doesn't work well. If you stick with common systemd based distros (Debian, Ubuntu, Arch Linux...) you should be fine.
2023-01-29 11:58:28 +00:00
2024-07-13 03:08:12 +00:00
## Development
2024-07-15 23:48:29 +00:00
After cloning the project, navigate into its working directory and create a self-contained Python [virtual environment](https://packaging.python.org/en/latest/tutorials/installing-packages/#creating-and-using-virtual-environments). Traditionally you would do that using the following command. Unfortunately, TrueNAS SCALE has [left out](https://ixsystems.atlassian.net/browse/NAS-130029) a necessary library from the base installation and *this command will fail:*
python3 -m venv .venv
The following workaround should accomplish the same task in more steps.
```
python3 -m venv --without-pip .venv
curl -OL https://bootstrap.pypa.io/pip/pip.pyz
.venv/bin/python3 pip.pyz install pip
rm pip.pyz
```
2024-07-15 01:12:51 +00:00
*Note: This process and the resulting build environment will cache some items under `~/.local/share` in addition to the project directory.*
2024-07-13 03:08:12 +00:00
Activate the venv into your *current* shell session.
source .venv/bin/activate
Develop away. Note that when you're done, you can undo this activation and return to the system's default Python environment. Just call a function that activation has inserted into your shell session:
deactivate
For more information on Python standard venvs, go to [the source](https://packaging.python.org/en/latest/tutorials/installing-packages/#creating-and-using-virtual-environments).
2024-07-15 01:12:51 +00:00
### Hatching a build
2024-07-15 23:48:29 +00:00
While in an *active* session, install the [Hatch](https://hatch.pypa.io) project manager. This will load quite a flurry of dependencies, but will only do so into the new `.venv` directory. *(And a bit into self-managed directories under `~/.local/share`.)*
2024-07-15 01:12:51 +00:00
pip install hatch
Build the "zipapp" target. This will create a `dist/jlmkr` tool which is the direct descendant of Jip-Hop's original `jlmkr.py` script.
hatch build -t zipapp
Now build the "appzip" target. This bundles the tool, `README.md` and `LICENSING` into a downloadable zip archive.
hatch build -t appzip
If you make any changes *to the embedded builder plugins* that perform the above, then you will need to clear caches between builds. Otherwise and generally, you will not need to do so.
hatch env prune
Hatch has oodles more features yet to be explored, such as: automated testing, code coverage, and style checking. For now, we've gotten it building.
2024-07-13 03:08:12 +00:00
## Filing Issues and Community Support
2024-05-28 18:55:46 +00:00
When in need of help or when you think you've found a bug in `jailmaker`, [please start with reading this](https://github.com/Jip-Hop/jailmaker/discussions/135).
2023-01-28 22:09:54 +00:00
## References
- [TrueNAS Forum Thread about Jailmaker](https://forums.truenas.com/t/linux-jails-sandboxes-containers-with-jailmaker/417)
2024-03-31 14:44:30 +00:00
- [systemd-nspawn](https://manpages.debian.org/bookworm/systemd-container/systemd-nspawn.1.en.html)
- [machinectl](https://manpages.debian.org/bookworm/systemd-container/machinectl.1.en.html)
- [systemd-run](https://manpages.debian.org/bookworm/systemd/systemd-run.1.en.html)
2023-01-28 22:24:12 +00:00
- [Run docker in systemd-nspawn](https://wiki.archlinux.org/title/systemd-nspawn#Run_docker_in_systemd-nspawn)
2023-06-15 08:12:32 +00:00
- [The original Jailmaker gist](https://gist.github.com/Jip-Hop/4704ba4aa87c99f342b2846ed7885a5d)