SaltStack states

News and Announcements related to GhostBSD
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

SaltStack states

Post by kraileth »

This is just to document the work that I have done with SaltStack so far. I want to use it on the VM server to build up some support infrastructure first and eventually manage every server using Salt. First task is being able to use Salt to deal with jails. There's a Salt formula for it out there but that's a bit too advanced for me right now so I'll stick with doing simple things for now.

Generally on the freshly installed system it's only necessary to install SaltStack, put the contents below into a state file and run SaltStack:

# pkg install -y py27-salt
# vi bootstrap.sls
# salt-call --local --file-root=. state.apply bootstrap


The code below should bring up Pf and prepare the system for simple NATing, setup the newly python-based iocage (not yet in :quarterly, so for now the repo has to be changed to :latest) and create a test jail that can access the net even though it uses an address of the 10.x.x.x range. Not terribly impressive, but at least it is fully idempotent and hey, it's a start.

Code:

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

##########
 # Jail #
##########

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py27-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

create_testjail:
  cmd.run:
    - name: iocage create tag=testjail ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: iocage list | grep testjail
Next task: Install a Git server into a jail and look into port forwarding so that it can be accessed from the internet, too. That Git server will later hold non-public repos for internal use, e.g. project documentation and SaltStack states, files and the pillar.
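The pf.conf in the state above only translates: it contains no filter rules, so pf passes everything in both directions, and once a port is forwarded into a jail (the next task mentioned above) nothing limits who can reach it. The following is an added example, not the state from the post, of the same file with a default-deny ruleset, the port forward, and a syntax check before the ruleset is loaded. It assumes the external interface vtnet0 and the lo1/10.0.0.0/24 jail network from the post, a jail at 10.0.0.1 running sshd on port 22, and host port 2222 as the public entry point; the state IDs and macro names are made up here.

```yaml
# Added example, not the state from the post: a pf.conf that still NATs the
# jails but denies everything else by default and forwards one host port to
# the jail's sshd. Assumptions: vtnet0 is the external interface, lo1 carries
# the 10.0.0.0/24 jail network, the jail at 10.0.0.1 runs sshd on port 22 and
# host port 2222 is the public entry point to it.
jailhost_pf_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network
        ssh_jail="10.0.0.1"
        ssh_jail_pub_port="2222"

        # pfctl requires this section order: options, normalization,
        # translation, filtering
        set skip on lo0
        set skip on lo1
        set block-policy drop
        scrub in all fragment reassemble

        # jails leave through the host address
        nat on $ext_if inet from $localnet to any -> ($ext_if)
        # public port 2222 lands on sshd inside the jail; "pass" lets the
        # redirected packets through without a separate filter rule
        rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $ssh_jail_pub_port -> $ssh_jail port 22

        # anything not allowed below is dropped and logged to pflog0
        block log all
        # the host (and the NATed jails behind it) may initiate connections
        pass out quick on $ext_if inet keep state
        # services the host itself exposes: its own sshd and ping replies
        pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
        pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state

jailhost_pf_reload:
  cmd.run:
    # syntax-check the new ruleset before loading it; runs only when the file changed
    - name: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
    - onchanges:
      - file: jailhost_pf_rules
```

This replaces basic_pf_nat_rules; activate_pf from the post still enables pf on the first run. Because the filter now denies by default, every service the host itself should expose needs its own pass in rule, and a dropped packet shows up immediately with tcpdump -n -e -ttt -i pflog0 (pflog_enable="YES" is already set above). set skip on lo1 is kept from the post, so jails can still reach each other and the host without restriction; filtering on lo1 (for example, allowing only the salt master's 4505/4506 from the jails) is the next tightening step once the jail layout is settled.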
ASX
Posts: 988
Joined: Wed May 06, 2015 12:46 pm

Re: SaltStack states

Post by ASX »

Look cool! :D
I will gladly leave that in your hands because I'm busy enough with synth. :mrgreen:

Re: SaltStack states

Post by kraileth »

Used the first day of my vacation to tinker a bit more with SaltStack and jails. The progress does not look too encouraging but that's because I ran into a problem right when I picked up where I left last time: Jail creation works well but when starting a jail, things go sideways. The jail actually starts but the process never ends properly... This was not a problem with the shell-based iocage or the iocell fork!

I tried to find out what goes wrong but I have little to no knowledge of how Python subprocesses work - and probably iocage uses subprocesses as well to manage the jail startup and then we'd have the case of Python subprocesses inside a Python subprocess. No clue if that's a problematic case in general or how to actually debug this...

Since I cannot do anything about that (except for maybe raising an issue on the project Github page) I decided to grind my teeth and work around it for now even if that's more a dirty hackish way of doing so: I set a timeout and tell Salt to fail hard when the state is unsuccessful due to hitting the timeout. Then the hanging process can be sent to the background and be terminated by killing python2.7. Then the state file can be applied again and since the jail is now running the problematic state is skipped because it's not needed.

Finally I wrote a quick state that ensures that pkg is available in the "basejail" that is created and if it's not, it's bootstrapped successfully. To do that I set an environment variable and use an execution module rendered by the jinja templating engine to get the UUID of the jail (it looks complicated but I'm pretty happy with that solution because everything else that I came up with worked but was a lot less elegant). Here's the updated state file:

Code:

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

######################
 # Jail preparation #
######################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py27-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

jail_create_basejail:
  cmd.run:
    - name: iocage create tag=basejail ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: iocage list | grep basejail

basejail_ensure_running:
  cmd.run:
    - name: iocage start basejail
    - timeout: 10
    - failhard: True
    - unless: iocage list | grep basejail | grep up

basejail_ensure_pkg:
  cmd.run:
    - name: iocage pkg basejail "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/jails/{{ salt['cmd.shell']('iocage get host_hostuuid basejail') }}/root/usr/local/sbin/pkg
I've also decided to build a template first before turning towards "gitjail". Next station: Installing SaltStack inside "basejail", configuring the minion daemon and turning it into a template.

Re: SaltStack states

Post by kraileth »

Didn't have too much time to work on this but the next version is ready nevertheless; in addition to the previous states, this will install the package "py27-salt" in the running basejail, stop it again and then convert it to a template. I've also added more conditions to some of the previous states that are not supposed to be re-applied if the template is already present:

Code:

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

######################
 # Jail preparation #
######################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py27-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

jail_create_basejail:
  cmd.run:
    - name: iocage create tag=basejail ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: test `iocage list | grep basejail | wc -l` -gt 0 -o `iocage list -t | grep basejail | wc -l` -gt 0 && true || false

basejail_ensure_running:
  cmd.run:
    - name: iocage start basejail
    - timeout: 10
    - failhard: True
    - unless: test `iocage list | grep basejail | grep up | wc -l` -gt 0 -o `iocage list -t | grep basejail | wc -l` -gt 0 && true

basejail_ensure_pkg:
  cmd.run:
    - name: iocage pkg basejail "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/jails/{{ salt['cmd.shell']('iocage get host_hostuuid basejail') }}/root/usr/local/sbin/pkg -o `iocage list -t | grep basejail | wc -l` -gt 0 && true

basejail_install_salt:
  cmd.run:
    - name: iocage pkg basejail install py27-salt
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -d /iocage/jails/{{ salt['cmd.shell']('iocage get host_hostuuid basejail') }}/root/usr/local/etc/salt -o `iocage list -t | grep basejail | wc -l` -gt 0 && true

basejail_ensure_stopped:
  cmd.run:
    - name: iocage stop basejail
    - unless: test `iocage list | grep basejail | grep down | wc -l` -gt 0 -o `iocage list -t | grep basejail | wc -l` -gt 0 && true

basejail_convert_template:
  cmd.run:
    - name: iocage set template=yes basejail
    - unless: iocage list -t | grep basejail
Next step is to add basic Salt minion configuration to the template, clone the "gitjail" from it and provision that one.

Re: SaltStack states

Post by kraileth »

Took a "little" detour... *sigh* So far well over 90% of the time I'm not fighting with SaltStack but in fact with FreeBSD and iocage. I found out that there were two newer iocage versions out after the one that I used and decided to give the newest one a try. A port for that was only released a day ago and so I had to build from ports as a package is not yet even in :latest.

The good thing about the new version: It fixes the problem with the "hanging" process that I experienced before. The bad news: This version depends on the system having a UTF-8 locale activated. I tried hard to force FreeBSD to provide LC_ALL=en_US.UTF-8 in the environment but it wouldn't let me. A lot of people seem to set this via loader.conf, but I cannot get this to work. After hours of wasted time valuable learning experience, I gave up on that one for now and resort to issuing setenv LC_ALL en_US.UTF-8 before doing the salt run. Iocage now requires Python 3.6 instead of 2.7 which led to all that Unicode fun. But hey, it solved the other problem, so that's probably worth it.
([rant]I really hope that they will make UTF-8 the default for 12... Non-UTF-8 locales suck big time anyway and this is way overdue! :evil: [/rant])

Another thing that I simply do not understand is: When I edit /etc/rc.conf of one jail, adding a line to it and then turn that jail into a template, I would expect any new jail built from that template to come with that change. Unfortunately... this is not what happens. I can edit rc.conf to my liking and when I cat out the file, everything is fine, the additional line is there. Any new jails built from the template however get a fresh rc.conf! I have no idea what the heck is happening here. This is completely stupid behavior and I'm clueless as to how that can even be.

Progress (if you will): The state file can now be applied in one run again without having to CTRL-Z and kill the hanging process only to start another run. Also the system is now configured for UTF-8.

Code:

#########################
 # UTF-8 configuration #
#########################

set_login.conf_UTF-8:
  file.blockreplace:
    - name: /etc/login.conf
    - marker_start: ':datasize=unlimited:\'
    - marker_end: ':stacksize=unlimited:\'
    - content: |
        :charset=UTF-8:\
        :setenv=LC_ALL=en_US.UTF-8,LC_COLLATE=en_US.UTF-8,LC_CTYPE=en_US.UTF-8,LC_MESSAGES=en_US.UTF-8,LC_MONETARY=en_US.UTF-8,LC_NUMERIC=en_US.UTF-8,LC_TIME=en_US.UTF-8:\
        :lang=en_US.UTF-8:\

cap_mkdb:
  cmd.run:
    - name: 'cap_mkdb /etc/login.conf'
    - onchanges:
      - file: set_login.conf_UTF-8

set_env_lang:
  environ.setenv:
    - name: LANG
    - value: en_US.UTF-8
    - update_minion: True

set_env_lc-all:
  environ.setenv:
    - name: LC_ALL
    - value: en_US.UTF-8
    - update_minion: True

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

########################
 # iocage preparation #
########################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py36-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

##########################
 # salt minion template #
##########################

saltminion_create_jail:
  cmd.run:
    - name: iocage create tag=saltminion ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: test `iocage list | grep saltminion | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true || false

saltminion_ensure_running:
  cmd.run:
    - name: iocage start saltminion
    - unless: test `iocage list | grep saltminion | grep up | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_pkg:
  cmd.run:
    - name: iocage pkg saltminion "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/jails/`iocage get host_hostuuid saltminion`/root/usr/local/sbin/pkg -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_salt_installed:
  cmd.run:
    - name: iocage pkg saltminion install py27-salt
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -d /iocage/jails/`iocage get host_hostuuid saltminion`/root/usr/local/etc/salt -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_stopped:
  cmd.run:
    - name: iocage stop saltminion
    - unless: test `iocage list | grep saltminion | grep down | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_converted_template:
  cmd.run:
    - name: iocage set template=yes saltminion
    - unless: iocage list -t | grep saltminion
I decided to build the saltmaster next instead of the gitjail and I probably have to do all configuration there if I don't find a way to make iocage copy important configuration files over...

Re: SaltStack states

Post by kraileth »

Finally some good progress last night:

The "template config file problem" seems to be limited to rc.conf (which is probably just created by iocage for each new jail), everything else works as expected. I was able to create a saltmaster jail from the template and modify it so that the master daemon is launched during startup. The first time the daemon runs it creates certificates. I've been able to extract the master's "fingerprint" and add that into the minion configuration on the template. So the template is now complete.

I also did a lot of tweaks here and there and use iocage's "tags" dir which has symlinks to the actual filesystems (which I previously used jinja to do which is both more complicated and slower). Now the whole thing feels a lot more mature to me and I'm actually pretty happy with the implementation.

This is what it does so far (30 states):
  • Install iocage and prepare the system so it can be used
  • Create a jail ("saltminion") and start it up
  • Bootstrap pkg inside the jail and install py27-salt as well
  • Shutdown the jail and convert it into a template
  • Create a new jail ("saltmaster") from the template and modify it
  • Start up "saltmaster" so that the master daemon can create certs
  • Extract the master finger and append it to the minion config in the template
  • Shutdown the "saltmaster" jail because it's of no use so far
  • Create a new jail ("gitjail") from the now complete template

Code:

{% set saltmaster_ip = '10.0.1.1' %}
{% set gitjail_ip = '10.0.1.2' %}

#########################
 # UTF-8 configuration #
#########################

set_login.conf_UTF-8:
  file.blockreplace:
    - name: /etc/login.conf
    - marker_start: ':datasize=unlimited:\'
    - marker_end: ':stacksize=unlimited:\'
    - content: |
        :charset=UTF-8:\
        :setenv=LC_ALL=en_US.UTF-8,LC_COLLATE=en_US.UTF-8,LC_CTYPE=en_US.UTF-8,LC_MESSAGES=en_US.UTF-8,LC_MONETARY=en_US.UTF-8,LC_NUMERIC=en_US.UTF-8,LC_TIME=en_US.UTF-8:\
        :lang=en_US.UTF-8:\

cap_mkdb:
  cmd.run:
    - name: 'cap_mkdb /etc/login.conf'
    - onchanges:
      - file: set_login.conf_UTF-8

set_env_lang:
  environ.setenv:
    - name: LANG
    - value: en_US.UTF-8
    - update_minion: True

set_env_lc-all:
  environ.setenv:
    - name: LC_ALL
    - value: en_US.UTF-8
    - update_minion: True

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

########################
 # iocage preparation #
########################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py36-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

##################################
 # salt minion template (pt. 1) #
##################################

saltminion_create_jail:
  cmd.run:
    - name: iocage create tag=saltminion ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: test `iocage list | grep saltminion | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true || false

saltminion_ensure_running:
  cmd.run:
    - name: iocage start saltminion
    - unless: test `iocage list | grep saltminion | grep up | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_pkg:
  cmd.run:
    - name: iocage pkg saltminion "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/tags/saltminion/root/usr/local/sbin/pkg -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_salt_installed:
  cmd.run:
    - name: iocage pkg saltminion install py27-salt
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -d /iocage/tags/saltminion/root/usr/local/etc/salt -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_stopped:
  cmd.run:
    - name: iocage stop saltminion
    - unless: test `iocage list | grep saltminion | grep down | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_convert_template:
  cmd.run:
    - name: iocage set template=yes saltminion
    - unless: iocage list -t | grep saltminion

saltminion_minion_config:
  file.managed:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - contents: 'master: {{ saltmaster_ip }}'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

########################
 # saltmaster (pt. 1) #
########################

saltmaster_create_jail:
  cmd.run:
    - name: iocage create tag=saltmaster ip4_addr="lo1|{{ saltmaster_ip }}/24" -t saltminion
    - unless: iocage list | grep saltmaster

saltmaster_master_config:
  file.managed:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/master
    - contents: |
        ipv6: False
        publish_port: 4505
        ret_port: 4506
        pidfile: /var/run/salt-master.pid
        root_dir: /
        pki_dir: /usr/local/etc/salt/pki/master
        cachedir: /var/cache/salt/master
        sockdir: /var/run/salt/master
        verify_env: True
        keep_jobs: 24
        timeout: 5
        loop_interval: 60
        output: nested
        show_timeout: True
        color: True
        job_cache: True
        minion_data_cache: True
        preserve_minion_cache: False
        #####
        open_mode: False
        auto_accept: False
        token_expire: 43200
        file_recv: False
        state_top: top.sls

saltmaster_enable_minion_rc-conf:
  file.append:
    - name: /iocage/tags/saltmaster/root/etc/rc.conf
    - text: |
        salt_master_enable="YES"
        salt_minion_enable="YES"

saltmaster_start_temporarily:
  cmd.run:
    - name: iocage start saltmaster
    - unless: test `iocage list | grep saltmaster | grep up | wc -l` -gt 0 -o `grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion | wc -l` -gt 0

##################################
 # salt minion template (pt. 2) #
##################################

saltminion_complete_minion_config:
  cmd.run:
    - name: 'echo master_finger: `iocage exec saltmaster "salt-call key.finger --local"` >> /iocage/templates/saltminion/root/usr/local/etc/salt/minion'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

saltminion_fix_minion_config:
  file.replace:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - pattern: 'local: '
    - repl: ''

########################
 # saltmaster (pt. 2) #
########################

saltmaster_stop_jail:
  cmd.run:
    - name: iocage stop saltmaster
    - onlyif: iocage list | grep saltmaster | grep up

saltmaster_copy_minion_config:
  file.copy:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/minion
    - source: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - force: True
    # check the destination: the template already contains master_finger at
    # this point, so testing the template would skip the copy every time
    - unless: grep master_finger /iocage/tags/saltmaster/root/usr/local/etc/salt/minion

#############
 # gitjail #
#############

gitjail_create_jail:
  cmd.run:
    - name: iocage create tag=gitjail ip4_addr="lo1|{{ gitjail_ip }}/24" -t saltminion
    - unless: iocage list | grep gitjail
So now I can finally turn towards provisioning "gitjail". While I had intended to do this on Friday, a lot of stuff is in place now that would likely have caused me even more trouble if I hadn't decided to go that other way. Sure, there's still nothing to actually show off. But I feel much more confident now than yesterday. I'm most likely on the right track again.
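In the file above, master_finger is written into the template once and then protected by unless: grep master_finger. If the saltmaster jail is ever recreated (the master generates a fresh key pair on its first start), the template keeps the old fingerprint and every jail cloned from it will refuse the new master. The following added example, not part of the post, re-pins the fingerprint whenever it differs from the one the master currently reports, and fails loudly instead of pinning an empty value. It assumes the template path, the jail name saltmaster and the quoted iocage exec form from the post; the state ID and the Jinja variables are made up here.

```yaml
{# Added example, not from the post. salt-key -F lists the master's own keys
   under "Local Keys"; the master.pub line carries the value a minion expects
   in master_finger (key.finger, by contrast, reports the minion key of the
   host it runs on). Assumed: template path and jail name as in the post. #}
{% set minion_cfg = '/iocage/templates/saltminion/root/usr/local/etc/salt/minion' %}
{% set finger_cmd = 'iocage exec saltmaster "salt-key -F --no-color" | awk \'/^master.pub:/ {print $2}\'' %}

saltminion_pin_master_finger:
  cmd.run:
    # drop any stale master_finger line and append the one the master reports now;
    # an empty fingerprint (master not started, no keys yet) fails the state on
    # purpose, because a falsy master_finger silently disables the check on the minion
    - name: >-
        f=$({{ finger_cmd }}) && test -n "$f" &&
        sed -i '' '/^master_finger:/d' {{ minion_cfg }} &&
        echo "master_finger: $f" >> {{ minion_cfg }}
    # nothing to do while the pinned value already matches the master's key
    - unless: >-
        f=$({{ finger_cmd }}) && test -n "$f" &&
        test "$f" = "$(awk '/^master_finger:/ {print $2}' {{ minion_cfg }})"
```

Place it after saltmaster_start_temporarily in the post's file, since Salt applies states in file order and the master must have generated its keys before salt-key can report them. The minion compares master_finger against the hash of the master's public key using its own hash_type setting, so that option has to be the same on the master (where salt-key computes it) and on every minion; a mismatch shows up in the minion log as a rejected master, not as a configuration error.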

Re: SaltStack states

Post by kraileth »

Another bit of progress (didn't have much time to work on this today): The "gitjail" is now being provisioned. It has SSH configured and enabled (and I tested it manually: If I create a user within the jail I can ssh into the jail from the host). It also has some packages installed, group and user for git created and such. Also both jails have proper hostnames now and can actually access the net again (tuned lo1's subnet mask).

Still nothing to really show off, but I'm getting close. 40 states so far.

Code:

{% set saltmaster_ip = '10.0.1.1' %}
{% set gitjail_ip = '10.0.1.2' %}

#########################
 # UTF-8 configuration #
#########################

set_login.conf_UTF-8:
  file.blockreplace:
    - name: /etc/login.conf
    - marker_start: ':datasize=unlimited:\'
    - marker_end: ':stacksize=unlimited:\'
    - content: |
        :charset=UTF-8:\
        :setenv=LC_ALL=en_US.UTF-8,LC_COLLATE=en_US.UTF-8,LC_CTYPE=en_US.UTF-8,LC_MESSAGES=en_US.UTF-8,LC_MONETARY=en_US.UTF-8,LC_NUMERIC=en_US.UTF-8,LC_TIME=en_US.UTF-8:\
        :lang=en_US.UTF-8:\

cap_mkdb:
  cmd.run:
    - name: 'cap_mkdb /etc/login.conf'
    - onchanges:
      - file: set_login.conf_UTF-8

set_env_lang:
  environ.setenv:
    - name: LANG
    - value: en_US.UTF-8
    - update_minion: True

set_env_lc-all:
  environ.setenv:
    - name: LC_ALL
    - value: en_US.UTF-8
    - update_minion: True

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.0.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

reload_pf_rules:
  cmd.run:
    # activate_pf only fires while pf is still disabled, so an edited ruleset
    # would never be reloaded on an already running pf without this state
    - name: pfctl -f /etc/pf.conf
    - onchanges:
      - file: basic_pf_nat_rules

########################
 # iocage preparation #
########################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py36-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

##################################
 # salt minion template (pt. 1) #
##################################

saltminion_create_jail:
  cmd.run:
    - name: iocage create tag=saltminion ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: test `iocage list | grep saltminion | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true || false

saltminion_ensure_running:
  cmd.run:
    - name: iocage start saltminion
    - unless: test `iocage list | grep saltminion | grep up | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_pkg:
  cmd.run:
    - name: iocage pkg saltminion "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/tags/saltminion/root/usr/local/sbin/pkg -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_salt_installed:
  cmd.run:
    - name: iocage pkg saltminion install py27-salt
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -d /iocage/tags/saltminion/root/usr/local/etc/salt -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_stopped:
  cmd.run:
    - name: iocage stop saltminion
    - unless: test `iocage list | grep saltminion | grep down | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_convert_template:
  cmd.run:
    - name: iocage set template=yes saltminion
    - unless: iocage list -t | grep saltminion

saltminion_minion_config:
  file.managed:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - contents: 'master: {{ saltmaster_ip }}'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

########################
 # saltmaster (pt. 1) #
########################

saltmaster_create_jail:
  cmd.run:
    - name: iocage create tag=saltmaster ip4_addr="lo1|{{ saltmaster_ip }}/24" -t saltminion
    - unless: iocage list | grep saltmaster

saltmaster_set_hostname:
  cmd.run:
    - name: iocage set host_hostname=saltmaster saltmaster
    - unless: iocage get host_hostname saltmaster | grep saltmaster

saltmaster_master_config:
  file.managed:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/master
    - contents: |
        ipv6: False
        publish_port: 4505
        ret_port: 4506
        pidfile: /var/run/salt-master.pid
        root_dir: /
        pki_dir: /usr/local/etc/salt/pki/master
        cachedir: /var/cache/salt/master
        sockdir: /var/run/salt/master
        verify_env: True
        keep_jobs: 24
        timeout: 5
        loop_interval: 60
        output: nested
        show_timeout: True
        color: True
        job_cache: True
        minion_data_cache: True
        preserve_minion_cache: False
        #####
        open_mode: False
        auto_accept: False
        token_expire: 43200
        file_recv: False
        state_top: top.sls

saltmaster_enable_minion_rc-conf:
  file.append:
    - name: /iocage/tags/saltmaster/root/etc/rc.conf
    - text: |
        salt_master_enable="YES"
        salt_minion_enable="YES"

saltmaster_start_temporarily:
  cmd.run:
    - name: iocage start saltmaster
    - unless: test `iocage list | grep saltmaster | grep up | wc -l` -gt 0 -o `grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion | wc -l` -gt 0

##################################
 # salt minion template (pt. 2) #
##################################

saltminion_complete_minion_config:
  cmd.run:
    - name: 'echo master_finger: `iocage exec saltmaster "salt-call key.finger --local"` >> /iocage/templates/saltminion/root/usr/local/etc/salt/minion'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

saltminion_fix_minion_config:
  file.replace:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - pattern: 'local: '
    - repl: ''

########################
 # saltmaster (pt. 2) #
########################

saltmaster_stop_jail:
  cmd.run:
    - name: iocage stop saltmaster
    - onlyif: iocage list | grep saltmaster | grep up

saltmaster_copy_minion_config:
  file.copy:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/minion
    - source: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - force: True
    # check the destination, not the template: by the time this state runs the
    # template always contains master_finger, so testing it would skip the copy
    - unless: grep master_finger /iocage/tags/saltmaster/root/usr/local/etc/salt/minion

#############
 # gitjail #
#############

gitjail_create_jail:
  cmd.run:
    - name: iocage create tag=gitjail ip4_addr="lo1|{{ gitjail_ip }}/24" -t saltminion
    - unless: iocage list | grep gitjail

gitjail_set_hostname:
  cmd.run:
    - name: iocage set host_hostname=gitjail gitjail
    - unless: iocage get host_hostname gitjail | grep gitjail

gitjail_set_ssh_port:
  file.replace:
    - name: /iocage/tags/gitjail/root/etc/ssh/sshd_config
    - pattern: '#Port 22'
    - repl: 'Port 220'

gitjail_enable_ssh:
  file.append:
    - name: /iocage/tags/gitjail/root/etc/rc.conf
    - text: sshd_enable="YES"

gitjail_start_jail:
  cmd.run:
    - name: iocage start gitjail
    - unless: iocage list | grep gitjail | grep up

gitjail_install_gitolite:
  cmd.run:
    - name: iocage pkg gitjail install gitolite
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -e /iocage/tags/gitjail/root/usr/local/bin/git

gitjail_install_sudo:
  cmd.run:
    - name: iocage pkg gitjail install sudo
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -e /iocage/tags/gitjail/root/usr/local/bin/sudo

gitjail_ensure_git_group:
  cmd.run:
    - name: 'iocage exec gitjail pw groupadd -n git -g 9418'
    - unless: grep 9418 /iocage/tags/gitjail/root/etc/group

gitjail_ensure_git_user:
  cmd.run:
    - name: 'iocage exec gitjail "pw useradd -n git -u 9418 -g git -c git -d /var/gitrepos -s /bin/sh -h -"'
    - unless: grep 9418 /iocage/tags/gitjail/root/etc/passwd

gitjail_ensure_repos_dir:
  file.directory:
    - name: /iocage/tags/gitjail/root/var/gitrepos
    - user: 9418
    - group: 9418
    - dir_mode: 755
    - file_mode: 644

A first git repo has to be created and made accessible 1) to other users within the jail 2) to users outside the jail on the host system 3) to anybody on the internet who has his public key added to the repo control.
I'm somewhat confident about 1) and 2). For 3) NAT rules will have to be changed. Anybody with a bit of PF experience wants to lend a hand? :geek:
ASX
Posts: 988
Joined: Wed May 06, 2015 12:46 pm

Re: SaltStack states

Post by ASX »

kraileth wrote:I'm somewhat confident about 1) and 2). For 3) NAT rules will have to be changed. Anybody with a bit of PF experience wants to lend a hand? :geek:
I don't think you need to change the NAT rule (which applies to outbound connections); all you need to do is add a rule to open/pass in inbound traffic on port 22. But no, I'm not a pf expert, :mrgreen:

this might help:
https://forums.freebsd.org/threads/60144/
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Re: SaltStack states

Post by kraileth »

ASX wrote:
kraileth wrote:I'm somewhat confident about 1) and 2). For 3) NAT rules will have to be changed. Anybody with a bit of PF experience wants to lend a hand? :geek:
I don't think you need to change the NAT rule (which applies to outbound connections); all you need to do is add a rule to open/pass in inbound traffic on port 22. But no, I'm not a pf expert, :mrgreen:

this might help:
https://forums.freebsd.org/threads/60144/
Ok, "change" was the wrong word, "extend" is what I actually meant. Well, I've even owned P. Hansteen's "The book of PF" for quite a while now... The only thing that I don't have is time to actually read it! :lol: And even though I know that PF is not nearly as horrible, thanks to netfilter/iptables I still hate firewalling enough to have stayed away from it so far. :?
But thanks for the link, will have a look at it.

On a quick note: I just successfully tested the git server in the jail. As expected it works both for users inside the jail and users outside on the host machine. Since this was for testing purposes only, it involved manual steps however. Now I need to figure out what to do to redirect port 220 (chosen for no real reason) of the host machine into the jail. Once that is in place, I can work on automating the remaining steps - and then we'll have everything needed to automatically set up a git server in a jail.
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Re: SaltStack states

Post by kraileth »

Yay, the git server is ready now! Got the additional NAT rule working and wrote a couple more states to automatically import an admin public key for access to the git server. The admin can then add more keys for other users; this could be automated as well but that's probably overkill (how often will new team members join or existing members leave?). So I think it's ok to leave that step to be done manually. For the states to apply correctly, a public (SSH) key needs to be supplied in the same dir from where the salt run is started. The file has to be named admin_key.pub.

The 44 states now create a jail with a git server that can be reached by the public internet. I'm using gitolite to manage the git repos and I think that's a pretty nice piece of software.

Code:

{% set saltmaster_ip = '10.0.1.1' %}
{% set gitjail_ip = '10.0.1.2' %}

#########################
 # UTF-8 configuration #
#########################

set_login.conf_UTF-8:
  file.blockreplace:
    - name: /etc/login.conf
    - marker_start: ':datasize=unlimited:\'
    - marker_end: ':stacksize=unlimited:\'
    - content: |
        :charset=UTF-8:\
        :setenv=LC_ALL=en_US.UTF-8,LC_COLLATE=en_US.UTF-8,LC_CTYPE=en_US.UTF-8,LC_MESSAGES=en_US.UTF-8,LC_MONETARY=en_US.UTF-8,LC_NUMERIC=en_US.UTF-8,LC_TIME=en_US.UTF-8:\
        :lang=en_US.UTF-8:\

cap_mkdb:
  cmd.run:
    - name: 'cap_mkdb /etc/login.conf'
    - onchanges:
      - file: set_login.conf_UTF-8

set_env_lang:
  environ.setenv:
    - name: LANG
    - value: en_US.UTF-8
    - update_minion: True

set_env_lc-all:
  environ.setenv:
    - name: LC_ALL
    - value: en_US.UTF-8
    - update_minion: True

#########
 # NAT #
#########

create_lo1_if:
  file.append:
    - name: /etc/rc.conf
    - text:
      - cloned_interfaces="lo1"
      - ifconfig_lo1="inet 10.0.0.254 netmask 255.255.0.0"

  cmd.run:
    - name: ifconfig lo1 create
    - unless: ifconfig -l | grep lo1

basic_pf_nat_rules:
  file.managed:
    - name: /etc/pf.conf
    - contents: |
        ext_if="vtnet0"
        int_if="lo1"
        localnet=$int_if:network
        GITJAIL = "10.0.1.2"
        GITPORT = "220"

        scrub in all fragment reassemble
        set skip on lo0
        set skip on lo1

        #nat for jails
        nat on $ext_if inet from $localnet to any -> ($ext_if)
        rdr pass on $ext_if inet proto tcp to port $GITPORT -> $GITJAIL

load_pf_ko:
  cmd.run:
    - name: kldload pf.ko
    - unless: 'service pf status | grep -v "pf.ko is not loaded"'

activate_pf:
  file.append:
    - name: /etc/rc.conf
    - text:
      - pf_enable="YES"
      - pflog_enable="YES"

  cmd.run:
    - name: pfctl -e -f /etc/pf.conf
    - unless: 'service pf status | grep "Status: Enabled for"'

########################
 # iocage preparation #
########################

prepare_latest_repo:
  file.directory:
    - name: /usr/local/etc/pkg/repos
    - makedirs: True

activate_latest_repo:
  file.managed:
    - name: /usr/local/etc/pkg/repos/FreeBSD.conf
    - contents: |
        FreeBSD: {
          url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
        }

install_iocage_package:
  pkg.installed:
    - name: py36-iocage

jail_fetch_fbsd11:
  cmd.run:
    - name: 'iocage fetch --release 11.0-RELEASE'
    - creates: /iocage/releases/11.0-RELEASE

##################################
 # salt minion template (pt. 1) #
##################################

saltminion_create_jail:
  cmd.run:
    - name: iocage create tag=saltminion ip4_addr="lo1|10.0.0.1/24" -r 11.0-RELEASE
    - unless: test `iocage list | grep saltminion | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true || false

saltminion_ensure_running:
  cmd.run:
    - name: iocage start saltminion
    - unless: test `iocage list | grep saltminion | grep up | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_pkg:
  cmd.run:
    - name: iocage pkg saltminion "install pkg"
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless: test -e /iocage/tags/saltminion/root/usr/local/sbin/pkg -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_salt_installed:
  cmd.run:
    - name: iocage pkg saltminion install py27-salt
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -d /iocage/tags/saltminion/root/usr/local/etc/salt -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_ensure_stopped:
  cmd.run:
    - name: iocage stop saltminion
    - unless: test `iocage list | grep saltminion | grep down | wc -l` -gt 0 -o `iocage list -t | grep saltminion | wc -l` -gt 0 && true

saltminion_convert_template:
  cmd.run:
    - name: iocage set template=yes saltminion
    - unless: iocage list -t | grep saltminion

saltminion_minion_config:
  file.managed:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - contents: 'master: {{ saltmaster_ip }}'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

########################
 # saltmaster (pt. 1) #
########################

saltmaster_create_jail:
  cmd.run:
    - name: iocage create tag=saltmaster ip4_addr="lo1|{{ saltmaster_ip }}/24" -t saltminion
    - unless: iocage list | grep saltmaster

saltmaster_set_hostname:
  cmd.run:
    - name: iocage set host_hostname=saltmaster saltmaster
    - unless: iocage get host_hostname saltmaster | grep saltmaster

saltmaster_master_config:
  file.managed:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/master
    - contents: |
        ipv6: False
        publish_port: 4505
        ret_port: 4506
        pidfile: /var/run/salt-master.pid
        root_dir: /
        pki_dir: /usr/local/etc/salt/pki/master
        cachedir: /var/cache/salt/master
        sockdir: /var/run/salt/master
        verify_env: True
        keep_jobs: 24
        timeout: 5
        loop_interval: 60
        output: nested
        show_timeout: True
        color: True
        job_cache: True
        minion_data_cache: True
        preserve_minion_cache: False
        #####
        open_mode: False
        auto_accept: False
        token_expire: 43200
        file_recv: False
        state_top: top.sls

saltmaster_enable_minion_rc-conf:
  file.append:
    - name: /iocage/tags/saltmaster/root/etc/rc.conf
    - text: |
        salt_master_enable="YES"
        salt_minion_enable="YES"

saltmaster_start_temporarily:
  cmd.run:
    - name: iocage start saltmaster
    - unless: test `iocage list | grep saltmaster | grep up | wc -l` -gt 0 -o `grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion | wc -l` -gt 0

##################################
 # salt minion template (pt. 2) #
##################################

saltminion_complete_minion_config:
  cmd.run:
    - name: 'echo master_finger: `iocage exec saltmaster "salt-call key.finger --local"` >> /iocage/templates/saltminion/root/usr/local/etc/salt/minion'
    - unless: grep master_finger /iocage/templates/saltminion/root/usr/local/etc/salt/minion

saltminion_fix_minion_config:
  file.replace:
    - name: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - pattern: 'local: '
    - repl: ''

########################
 # saltmaster (pt. 2) #
########################

saltmaster_stop_jail:
  cmd.run:
    - name: iocage stop saltmaster
    - onlyif: iocage list | grep saltmaster | grep up

saltmaster_copy_minion_config:
  file.copy:
    - name: /iocage/tags/saltmaster/root/usr/local/etc/salt/minion
    - source: /iocage/templates/saltminion/root/usr/local/etc/salt/minion
    - force: True
    # check the destination, not the template: by the time this state runs the
    # template always contains master_finger, so testing it would skip the copy
    - unless: grep master_finger /iocage/tags/saltmaster/root/usr/local/etc/salt/minion

#############
 # gitjail #
#############

gitjail_create_jail:
  cmd.run:
    - name: iocage create tag=gitjail ip4_addr="lo1|{{ gitjail_ip }}/24" -t saltminion
    - unless: iocage list | grep gitjail

gitjail_set_hostname:
  cmd.run:
    - name: iocage set host_hostname=gitjail gitjail
    - unless: iocage get host_hostname gitjail | grep gitjail

gitjail_set_ssh_port:
  file.replace:
    - name: /iocage/tags/gitjail/root/etc/ssh/sshd_config
    - pattern: '#Port 22'
    - repl: 'Port 220'

gitjail_enable_ssh:
  file.append:
    - name: /iocage/tags/gitjail/root/etc/rc.conf
    - text: sshd_enable="YES"

gitjail_start_jail:
  cmd.run:
    - name: iocage start gitjail
    - unless: iocage list | grep gitjail | grep up

gitjail_install_gitolite:
  cmd.run:
    - name: iocage pkg gitjail install gitolite
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -e /iocage/tags/gitjail/root/usr/local/bin/git

gitjail_install_sudo:
  cmd.run:
    - name: iocage pkg gitjail install sudo
    - env:
      - ASSUME_ALWAYS_YES: 'yes'
    - unless:  test -e /iocage/tags/gitjail/root/usr/local/bin/sudo

gitjail_ensure_git_group:
  cmd.run:
    - name: 'iocage exec gitjail pw groupadd -n git -g 9418'
    - unless: grep 9418 /iocage/tags/gitjail/root/etc/group

gitjail_ensure_git_user:
  cmd.run:
    - name: 'iocage exec gitjail "pw useradd -n git -u 9418 -g git -c git -d /var/gitrepos -s /bin/sh -h -"'
    - unless: grep 9418 /iocage/tags/gitjail/root/etc/passwd

gitjail_ensure_repos_dir:
  file.directory:
    - name: /iocage/tags/gitjail/root/var/gitrepos
    - user: 9418
    - group: 9418
    - dir_mode: 755
    - file_mode: 644

gitjail_copy_admin_key:
  file.copy:
    - name: /iocage/tags/gitjail/root/var/gitrepos/admin_key.pub
    - source: ./admin_key.pub
    - failhard: True

gitjail_permissions_admin_key:
  file.managed:
    - name: /iocage/tags/gitjail/root/var/gitrepos/admin_key.pub
    - user: 9418
    - group: 9418
    # file.managed takes "mode"; dir_mode/file_mode are file.directory arguments
    # and were silently ignored here, leaving the key's permissions unmanaged
    - mode: 644

gitjail_setup_gitolite:
  cmd.run:
    - name: 'iocage exec gitjail "cd /var/gitrepos ; sudo -u git /usr/local/bin/gitolite setup -pk admin_key.pub"'
    - unless: test -d /iocage/tags/gitjail/root/var/gitrepos/repositories
The next step can be one of two alternatives:

1) Document Gitolite basics for internal use so that every team member can manage our git
2) Get the salt master working with git as the backend so that I can finally feed it real states (those states posted here are just for bootstrapping the real infrastructure and won't be needed again until we move servers or something breaks horribly).

I tend to take a look into 2) first (perhaps a few hours tonight before I have to leave for the conference). But I will definitely do 1), too, so there's no need for you to look closer at Gitolite (except if you have some spare time). And of course I can give both of you access to the git repo, if you want. Just ask if you want to try something out. I didn't add you so far because this is not the final one but I might tear down and rebuild the jail anytime.
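As an added example (my own helpers, not part of kraileth's states): the saltminion_complete_minion_config and saltminion_fix_minion_config states pin the master's key fingerprint by appending the raw "salt-call key.finger --local" output to the minion file and stripping the "local: " prefix afterwards; the helpers below do the same in one idempotent step and refuse to write anything unless a well-formed fingerprint was produced. The key.finger output shape and the fingerprint value are assumed/constructed.

```sh
#!/bin/sh
# Added example, not from the original states. Pins the salt master's key
# fingerprint into a minion config the way the two template states do, but
# validates the fingerprint first: a failed or empty salt-call run must not
# leave a bogus master_finger line, which would make the minion reject the
# real master. Assumed key.finger output shape (constructed):
#   local:
#       aa:bb:cc:...

# Read "salt-call key.finger --local" output on stdin and print the bare
# fingerprint. Exit status 1 if no colon-separated hex fingerprint follows
# the "local:" header.
extract_finger() {
    awk '/^local:/ { want = 1; next }
         want && NF == 1 { print $1; exit }' |
        grep -E '^([0-9a-f]{2}:)+[0-9a-f]{2}$'
}

# pin_master_finger <key.finger output> <minion config path>
# Appends "master_finger: <fp>" once; re-running is a no-op (idempotent).
# Returns 1 without touching the file when no valid fingerprint was found.
pin_master_finger() {
    fp=$(printf '%s\n' "$1" | extract_finger) || return 1
    if grep -q '^master_finger:' "$2"; then
        return 0
    fi
    printf 'master_finger: %s\n' "$fp" >> "$2"
}
```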