Telescope on FreeBSD 13 Inside a Jail

Introduction

This topic is totally new for me and it took additional to understand and get this done. Jails are confined environments to isolate services and/or processes, but you can do whatever you want with jails. The use case here is to mess up with unstable/development software while keep the system clean.

If you trust the source of a software, whereas is git repo or tarball, you probably do not need to jump through all these loopholes to get a simple TUI Gemini client, however it may be worthy to give it a try.

FreeBSD offers a variety of solution which I will not examine here but I'd like to leave a couple links:

FreeBSD Handbook: Jail.

Michael W. Lucas - FreeBSD Jail Management Tools

By my hand I decided to use "ezjail" for two reason it looks like is well documented anywhere on the internet and it is written in shell hence does not requires additional packages.

"From Micahel W. Lucas: ezjail – perhaps the best known jail management tool. Written entirely in shell."

Let's Start

The official documentations miss specific parts that might be trivials for expert sysadmins but are complicated to handle for desktop users; so far all the information I needed to complete this documentations are here:

EZJail: quick start

http://kbeezie.com/freebsd-jail-single-ip/

https://www.secure-computing.net/wiki/index.php/FreeBSD_jails_with_ezjail

http://abowhill.github.io/ezjail-setup.html

https://dan.langille.org/2014/04/03/installing-ezjail-3-3-on-freebsd-9-2-using-zfs/

Setup ezjail

To begin install the software:

doas pkg install ezjail

Add a loopback interface in /etc/rc.conf

cloned_interfaces="lo1"
ezjail_enable="YES"

Enable the loopback interface:

doas service netif cloneup

Create a pool for the jail

Ezjail can benefit from zfs, create the pool:

doas zfs create zroot/usr/jails

Modify the /usr/local/etc/ezjail.conf

# ZFS options

# Setting this to YES will start to manage the basejail and newjail in ZFS
ezjail_use_zfs="YES"

# Setting this to YES will manage ALL new jails in their own zfs
ezjail_use_zfs_for_jails="YES"

# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
ezjail_jailzfs="zroot/usr/jails"

Start the service:

doas service ezjail start

Populate the jail with "a basejail based on the FreeBSD RELEASE matching that of the host computer":

doas ezjail-admin install -p

Before to create the jail we should look about the network interfaces:

ifconfig -a

This is the output from this VM:

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether c6:f9:61:62:68:ba
	inet 192.168.32.213 netmask 0xffffff00 broadcast 192.168.32.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

We already knew the interface is ue0 because the tethering, we then chose an IP from the internal network; for the jail I am going to use: 192.168.32.214; just right next the IP of the VM.

Create the jail

I am going to call this "gem":

doas ezjail-admin create gem 'lo1|127.0.1.1,ue0|192.168.32.214'

• some errors:

Warning: Some services already seem to be listening on all IP, (including 127.0.1.1)
  This may cause some confusion, here they are:
ntpd     ntpd       9197  20 udp6   *:123                 *:*
ntpd     ntpd       9197  21 udp4   *:123                 *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.32.214)
  This may cause some confusion, here they are:
ntpd     ntpd       9197  20 udp6   *:123                 *:*
ntpd     ntpd       9197  21 udp4   *:123                 *:*

Here is the fix:

https://forums.freebsd.org/threads/ezjail-says-ip-is-not-configured-on-a-local-interface.54060/

"For syslogd(8) add this to rc.conf:""

syslogd_flags="-ss"

Restart syslogd:

doas service syslogd restart

Allow ping and other stuff modifying:

• "/etc/sysctl.conf"

doas sysctl security.jail.allow_raw_sockets=1

Make this setting permanent editing "/etc/sysctl.conf"

#jail
security.jail.allow_raw_sockets=1

• "/usr/local/etc/ezjail/gem"

doas micro /usr/local/etc/ezjail/gem

modify this line:

export jail_gem_parameters="allow.raw_sockets=1"

Start the jail

doas ezjail-admin start gem

a warning message:

/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.

Admin the Jail

To begin:

• Copy "resolv.conf" file from the host into the jail:

doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf

Go inside the Jail:

doas ezjail-admin console gem

• Change root password:

# passwd
Changing local password for root
New Password:
Retype New Password:

• Add user, I am going to create the same user I have to my VM, the reason will be explained later:

adduser

• Time zone configuration (1/2):

tzsetup

The jail’s time zone can be set with tzsetup(8). To avoid spurious error messages, the adjkerntz(8) entry in /etc/crontab can be commented or removed. This job attempts to update the computer’s hardware clock with time zone changes, but jails are not allowed to access that hardware.

• Time zone configuration (2/2) - edit crontab commenting the voice: "adjkerntz".

ee /etc/crontab

• Edit /etc/host:

ee /etc/hosts

• Add address and the jail name:

::1             localhost localhost.my.domain
127.0.1.1		localhost localhost.my.domain
192.168.32.214  gem.my.domain gem

• Installing dependencies, begin with:

pkg install doas

This will request to install PKG, say: y.

• Setup doas as did before:

ee /usr/local/etc/doas.conf

Copy inside:

# Sample file for doas
# Please see doas.conf manual page for information on setting
# up a doas.conf file.

# Permit members of the wheel group to perform actions as root.
permit :wheel

# Permit user your user to run commands a root user.
permit nopass "YOUR-USER" as root

Here finishes the setup of the jail.

Install Telescope dependencies:

Things are getting cocky!

pkg install git libretls ncurses libevent byacc autotools pkgconf

Exit jail and re-enter as normal user with:

doas ezjail-admin console -e "/usr/bin/login -f freezer" gem

Cloning Telescope from git:

git clone https://git.omarpolo.com/telescope.git
cd telescope
./autogen.sh
./configure

if it fails hence:

./configure CFLAGS='-I /usr/local/include' LDFLAGS='-L /usr/local/lib'
make
doas make install
telescope

Bind the Telescope to your home editing "/etc/fstab.gem"

/usr/home/freezer/.config/telescope /usr/jails/gem/usr/home/freezer/.config/telescope	nullfs rw 0 0

Now the "jailed" Telescope is bound with the real home, since jail and my home share the same name, the process is totally transparent.

Last thing to do is to compile and enabling DucklingProxy. This is exactly why the jail comes handy because I do not code, I do not understand anything about go, and I do not want go installed on my real system but I do not care messing the jail, which is exactly the meaning of all of this documentation!

Duckling-Proxy

Duckling-Proxy is a proxy utility that translate HTML pages in GEMTEXT pages, it has many limitations hence pages that rely heavily on javascript and the like will not even rendered but the so called "small web" should be rendered almost readable.

The utility is written in GO thus is necessary install the GO environment.

Installing GO

Go is available as port:

cd /usr/ports/lang/go/
doas make install clean

Installing Duckling-Proxy

I was unable to compile it on Linux but on FreeBSD has been a breeze:

git clone https://github.com/LukeEmmet/duckling-proxy.git
cd duckling-proxy

Duckling-Proxy requires certificate to work, you can reuse ones that you already have or create brand new certificate

All the information to setup Duckling-Proxy are already available here:

Watching the Gemini-space through a "Telescope" (part 3)

If Internet is not working anymore!

I recently realized that since the connection is using DHCP your IP may change and therefore the jail cannot communicate with the external, if you notice it you can verify running an "ifconfing" command:

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 22:4d:fb:19:d0:b1
    inet 192.168.170.198 netmask 0xffffff00 broadcast 192.168.170.255
    inet 192.168.32.214 netmask 0xffffffff broadcast 192.168.32.214
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

As you can see the first inet line is your current IP address:

inet 192.168.170.198 netmask 0xffffff00 broadcast 192.168.170.255

While the second inet line is the one that has been setup accordingly to this documentation:

inet 192.168.32.214 netmask 0xffffffff broadcast 192.168.32.214

In order to restore the connection you must follow the following step:

• Into the jail modifying "/etc/hosts":

127.0.1.1		localhost localhost.my.domain
192.168.170.199		gem.my.domain	gem # this entry has been updated

Since the new current host IP is 192.168.170.198 I used the same rule I used the very first time and I assigned to the jail the next IP number.

• Exit and stop the jail:

exit
doas service ezjail stop

• Recopy again the "resolv.conf" file from the host into the jail:

doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf

• Modifying the "/usr/local/etc/ezjail/gem", update this entry "jail_gem_ip" with the new IP after "ue0|":

export jail_gem_ip="lo1|127.0.1.1,ue0|192.168.170.199"

• Save the file and start the jail:

doas service ezjail start

Now the connection should be re-enabled!

Updating the Jail

This is something that I had to deal recently.

Apparently the "good way" to use the jails is building the "world", basically regenerating the whole three ports and therefore using the ports collection rather than the packages.

Apparently the "good way" to use the jails is building the "world"

I used instead packaging because building the world might be blazing fast on a server class computer but is awfully slow on limited virtual machine. Also the use of packaging help when you try to simulate what you are going to do to your real OS.

I tested all the commands as for the documentation:

FreeBSD Handbook: 15.6. Managing Jails with ezjail

But for this case specifically the following one is the correct:

doas ezjail-admin update -u

Which produces a lot of warnings:

Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
mtree: /usr/jails/newjail//boot/kernel: No such file or directory
mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
Could not create kernel backup directory

Those warnings should not represent any issues since:

It's not failing actually, it's only complaining there's no source and no kernel. Both of which can be ignored.

is purely cosmetic.

As reported here:

FreeBSD Forum: Updating jails with ezjail-admin fails

Wrapping This Up!

Now you can test or run development versions of Telescope in jail while using the releases outside the jail, you can also copy the binary of duckling-proxy in your home run it from there while keeping the go dependencies only live in the jail.

I don't think I have anything else to add hence you can come back to Part 03:

↩ Go back to "Part 03"

For comments or suggestion write me at:

freezr AT disroot DOT org

↩ go back

(last edit February 2, 2022)