Old technology in a new way. FreeBSD Jails + CBSD Project

Foreword

About 9 years ago, when the first unlimited tariffs appeared in my city (something like 128 kbit / s for 500 rubles), I decided to keep my own “server” in the apartment for solving various tasks. One of the first ideas was raising a mirror for the FreeBSD.org project. It worked for about 2 years. Then there was no point in it, due to the expansion of channels and other reasons.

In addition, the server assumed other tasks for different periods of time:

• Storage backup copies of data, documents and distributions;
• Download torrents;
• Distribution of torrents for DLNA and SMB to various devices;
• VPN client to the provider (there was even a period when the server kept two PPTP connections via MPD - for local traffic and slow no-limit);
• VPN server and connection to the office gateway (channel to work);
• Asterisk server for IP-telephony (later in the house there were all sorts of SPA-3112, radio-tubes, etc.);
• FTP service for receiving data from an IP camera, for dumping backups from Mikrotik-s scripts;
• Etc. etc.

The general idea - in the hands was a designer with a bunch of multi-colored parts and a great desire to fasten something else. In general, this is the usual situation for most system administrators who know and love * nix-systems.

operating system

As an operating system, for the first 4-5 years I had FreeBSD. At a certain point, when I changed jobs and began to sink into Microsoft technologies, I had absolutely no time to work on my home server. I also remember that I was really sick of wasting time on portupgrade. Maybe there were other reasons, I do not remember exactly. But the result was a move to Debian (half a day) and the server was abandoned for a long time (used, but not modified - only occasionally updated).
')
And just recently, on the January holidays, another return to the sources took place - the server was reinstalled again - already on FreeBSD 11. And the reason for that is my acquaintance and admiration for the CBSD project.

Reasons to love the CBSD project

To do this, you need to recall the reasons why I left FreeBSD about 5 years ago - the lack of free time, the outdated system for installing binary packages (pkg_ *), and the inconvenient control of Jails. It's hard to say exactly why I switched from FreeBSD to Linux then. But what I'm sure of right now - using the CBSD project with FreeBSD on my server allows me to finally combine both convenience and security.

All my previous installations were tuned by the principle - all the eggs in one basket. The compromise of one service automatically meant the compromise of all. With the arrival of CBSD on my server, I took it as a rule to place each service in my cell, limiting the interaction and leaving only the most necessary minimum.

So - my reasons:

• Easy installation (install the cbsd package, run the initial wizard and answer typical questions - these are 2 minutes);
• The speed of creating new cells (1 minute is spent on having executed just one command to get a new cell, with a dedicated IP address, assigned quotas, placed in its FS on ZFS and with an already initialized pkgng, which will work);
• The ease of transferring cells with all the settings between servers (this is very convenient and important - since I currently have 5 FreeBSD-based servers (at home, for parents, mother-in-law, a couple at work) - and it’s enough for me to make and configure the cell only once - and in the future I can transfer it anywhere via export / import or clone / migrate;
• Safety and convenience. Usually poorly compatible things. But - here it seems it was possible to combine:

1. You can make cells with Read-Only root system. What complicates the introduction of RootKit-tools into the cell (replacing the basic utilities);
2. Just to limit the interaction of the cell with other cells and with the Internet - PF / IPFW control is integrated into CBSD;
3. Due to the simplicity and speed of creating new environments, there is no temptation to put new software into the base system (laziness ... laziness);
4. Cells simply reserve export / import - it means that you can make copies more often and on schedule;
5. Cells are simply updated by controlling them from the main system (update the world and update installed software). You do not need to raise the SSH service and configure Ansible and others like it;
6. Content Security. CBSD has a built-in ability to place content and Jail itself in different places. And when starting the cell, mount the content directory in Jail to the specified directory via mount_nullfs. And it is possible in the mode Read-Write, and it is possible in Read-Only. This is very convenient - because it allows, for example, to write a script that stops the cell, produces backup (export), and starts the cell again. As a result, the archive will contain only software and settings (200-300 MB in compressed form), and the content will be separate and will not be exported (for example, I have 1TB torrents). Similarly with ownCloud. Samba servers. Etc.

Finally pkgng

I want to say a special thank you to the creators of pkgng. Without the development of a modern batch (binary) management system, the CBSD project would not be as convenient as it is now.

The emergence of pkgng is a reason “almost completely” to abandon / usr / ports - or rather, to consider it as an addition to pkg. I use the following principles:

1. I install all possible software via pkg. At the same time, I get updates from the latest branch (editing the /etc/pkg/FreeBSD.conf file);
2. If I understand (pkg info) that some software is collected in the pkg repository with flags that do not suit me, I mount / usr / ports inside the cell (and not with my hands, but through the CBSD framework - cbsd jset mode = quiet jname = dokuwiki mount_ports = "1"), and collect this software from the ports with the necessary USE flags;
3. With the help of pkg lock, this software, assembled with unique options, is closed from further automatic updating via pkg upgrade;

The result is that on any number of cells I can update 99% of the programs with one script and with a probability of 99% I will not break the services at the same time. Alas - 1% always remains. BUT - there are automated backups of cells. And also there is a directory with a cache of previous installed packages. Therefore, there are two options for rollback (roll back the package or roll back the entire cell). Let me remind you - I have one cell - one service / service.

Examples of scripts and settings written during the study of CBSD:

Summary:

CBSD is a very interesting project, which I recommend getting to know better and having it in my “portfolio of ready-made and successful solutions”.