Verwaltung von virtuellen Maschinen und Jails für FreeBSD

Achtung! Der deutschsprachige Inhalt ist wegen fehlenden Betreuerinnen und Betreuern veraltet. Verwenden Sie bitte die englischsprachige Version!

Attention! Current pages describe CBSD version 13.0.x. If you are using an older version, please update first.

Achtung! Die deutsche Übersetzung ist noch nicht vollständig. Wer mithelfen möchte, kann seine Verbesserungen einfach über das GITHUB repository einreichen.

What you need to know about CBSD

Generelle Informationen

CBSD ist ein weiterer Abstraktionslayer über das Jail Framework und einem Teil der FreeBSD Funktionalität

Hier eine Liste der Funktionen die in CBSD vereint werden:

  • vnet (VIMAGE)
  • zfs
  • racct/rctl
  • ipfw
  • pf/ipfw/ipfilter
  • carp
  • hastd
  • bhyve

Viele dieser Subsysteme haben nicht direkt etwas mit Jails zu tun, jedoch erlauben sie es CBSD für Administratoren ein fortgeschrittenes und integriertes Werkzeug bereitzustellen. Im Weiteren folgen für Administratoren nützliche Informationen die die Architektur von CBSD im Detail beschreiben.

Es ist als erstes wichtig die offizielle Dokumentation von FreeBSD Jails verstanden zu haben.

Als zweites ist es wichtig die Filesystem-Hirachie von CBSD verstanden zu haben. Lassen wir uns im folgenden auf diese Definitionen dieser Begriffe einigen:

  • Node — pysikalischer Server.
  • Jail — Eine isolierte Umgebung mit eigenem Software-Set. Dies können serverseitige Dienste sein(DNS, Apache / nginx, postfix) oder auch grafische Umgebungen.
  • Cloud — Farm/Cluster bestehend aus Nodes, eine ausgewachsene Umgebung (jeder Node kann durch CBSD eine andere Aufgabe übernehmen)
  • Base — im CBSD Kontext — Eine Kopie des FreeBSD file base.
  • CBSD — Eine Instanz die die Kontrolle über Node(s) und die deren FreeBSD subsysteme hat. Diese ist in der Lage eine vereinfachte API für die Verwaltung der Nodes bereitzustellen.
  • $workdir — Arbeitsverzeichnis für CBSD auf einem Node das durch den ersten Aufruf des Kommandos cbsd initenv erstellt wird. Üblicherweise in /usr/jails
  • $jname — Steht als Name für Jails in den Beispielen.

 

All working data of CBSD placed in the directory $workdir(e.g.: /usr/jails), it is also the home directory for the user CBSD and you always can quickly change dit to it via:

			% cd ~cbsd
		

The most important data are located in $workdir/jails-data/$jname, as it is directly the root of the file system jails called $jname, if jail is created with the flag baserw=1, or contains the data of jail, which are superimposed on the standard $workdir/basejail/$basename in the directory ${workdir}/jails

Given that the base you can always get through the building source code, or by downloading from the repository. The other words, CBSD jail to migrate to any other project management of jails or use the basic functionality FreeBSD jail, the main thing — is to have a consistent data in this directory.


Notes: if you use a jails type md, then the directory $workdir/jails-data/$jname will contain the image of the jail.

Notes2:If you are using ZFS and discovered that the data directories is empty (when the jail is inactive), check the output of the command:

			% zfs list
		

cbsd can unmount the data when the jail is inactive. To access the data, use:

			% zfs mount $jname_file_system
		

The second-largest in the directory hierarchy can act CBSD configuration files to create jail that are in the directory $workdir/var/db/. All settings of jails are stored in the SQLite3 file pointed to by the symbolic link ${workdir}/var/db/local.sqlite in jails table. Table schema describes in ${workdir}/share/local-jails.schema file. For example, to see all the jails on the node and their ip address execute:

			% sqlite3 /usr/jails/var/db/local.sqlite "select jname,ip4_addr from jails"
		

The $workdir/jails-system/ directory serves as an additional storage for CBSD jail data, for example it may be configurators services, file with the description of the jail, traffic statistics, resources statistics, and so on. Internal information for cbsd stored in $workdir/db directory. For example, the information on the list of added nodes, inventory both the local and remote nodes, and so on.

Important in terms of security, is the directories ${workdir}/.rssh and ${workdir}/.ssh, in which there are private RSA keys with remote user CBSD nodes and local respectively. Make sure that the data of these directories were not available to other users of the system. Besides, to you information about scan be interesting for GELI encryption. By default, the key can be read only by a system CBSD user.

Finally, thirdly, be sure to read the modifications that prepares CBSD in your configuration: Modification which are carried out by CBSD scripts in FreeBSD

A brief summary of the hierarchy CBSD

${workdir}/.rssh/Directory for storage of private keys of remote nodes. The files are added and removed via the command cbsd node
${workdir}/.sshHere is kept private and a public key of the node itself. Formed during the initialization with the command cbsd initenv. It is from here will take the public key of remote hosts on the cbsd node mode=add command. Key file name is the md5 sum of the nodename.
${workdir}/basejailHere are kept ready for use at the bases and kernels FreeBSD (the result of cbsd buildworld/buildkernel, cbsd installworld/installkernel or cbsd repo action=get sources=base/kernel)
${workdir}/etcConfiguration files needed to run CBSD
${workdir}/exportDefault directory, which will be stored in a file exported by the jail (when the cbsd jexport jname=$jname, this directory will file $jname.img)
${workdir}/importDefault directory of which will be imported to jail (at cbsd jimport jname=$jname, will be deployed jail $jname)
${workdir}/jailsThis directory contains the mount point for the root jails, who use baserw=0.
${workdir}/jails-dataThis catalog have the jails data. It is these places need to backup jails (including fstab and rc.conf files). Also, if the jail use baserw=1, these directories are the root of the jail when it starts
${workdir}/jails-fstabfstab file for the jails. The syntax for regular FreeBSD with the only exception that the path to the mount point is written relative to the root jail (record /usr/ports /usr/ports nullfs rw 0 0 in the file fstab.$jname means that of the master node directory /usr/ports will be mounted at startup in ${workdir}/jails/$jname/usr/ports)
${workdir}/jails-rcconfrc.conf files for jail creation. These parameters can be changed at your editor, or via the command cbsd jset $jname param=val (eg cbsd jset jname=$jname ip="192.168.0.2/24"). To change these settings jail should be turned off.
${workdir}/jails-system This catalog may contain some helper scripts related to the jail (eg wizards to configure, configurators, etc) as well as the preserved jail traffic when using ipfw and its description. This catalog participates in jimport/jexport operations and migration of jail
${workdir}/var directory that contains system information CBSD. For example, in ${workdir}/var/db is an inventory of local and remote nodes if were added
/usr/local/cbsd A copy of the original files installed by CBSD port. Also contains the working scripts in sudoexec

Counting traffic jail

At this point, for counting jail traffic used count ruleset of ipfw filter. CBSD sets number of counters in 99 — 2000 range (you can change this in cbsd.conf). So be careful and make sure to follow your rules IPFW after a specified range.

Read more about jail traffic counting

Expose: tcp/udp port forwarding from master host to jail

At this point, for port forwarding used fwd ruleset of ipfw. CBSD sets number of counters in 2001 — 2999 range (you can change this in cbsd.conf). So be careful and make sure to follow your rules IPFW after a specified range.

Read more about expose

About rsync-based copying jail data between nodes

If you activate cbsdrsyncd, keep in mind, it is standard rsyncd(1) daemon who looks at a particular $jail-data directory and protected only by rsync password, which generates CBSD via:

		 head -c 30 /dev/random | uuencode -m - | tail -n 2 | head -n1
		 

Currently used transmission through the daemon, rather than rsync over ssh for the reason of avoiding open access for the user root. Accordingly, as an additional protection, it is recommended to close the port 1873/tcp which uses CBSD from untrusted hosts and used to separate management interface for nodeip or use encrypted communications between nodes (eg IPSec)

ANSII Color

By default, CBSD displayed text in color (using escape sequences ANSII). If for some reason the color is unpleasant, or you can use output from utilities CBSD in your scripts, which prevents ANSII sequence, you can disable the color through the environment variable NOCOLOR=1. For example, the command

			% env NOCOLOR=1 cbsd jls
		

prohibit the use of color in the derivation of the title.

If something went wrong

In the case when with CBSD tools errors and CBSD command debuging enlightenment has not brought, it is recommended to make the problem a bug-tracker of the project: If something went wrong cbsd issues or report via e-mail: CBSD at bsdstore.ru

Please make backup copies of directory ${workdir}/var/db, ${workdir}/var/db, ${workdir}/jails-fstab, ${workdir}/jails-system regularly. And also, of course, the data of their cells ${workdir}/jails-data