### Start and Access VM Console Source: https://github.com/dtxdf/appjail/wiki/vm_image These commands are used to start the virtual machine and then access its console for interaction and management. ```sh vm start vm vm console vm ``` -------------------------------- ### Console Versions Source: https://github.com/dtxdf/appjail/wiki/vm_image Displays the versions of vm-bhyve, appjail, and appjail-reproduce being used. This helps ensure compatibility and proper setup. ```console # vm version vm-bhyve: Bhyve virtual machine management v1.6-devel (rev. 106001) # appjail version 3.5.0+54fb7f7e1e6260e31cc5a4c881bb162610ec68d4 # appjail-reproduce -v 0.4.0+211568647b45688249d0b4d0717bda93be2765fe ``` -------------------------------- ### Poudriere Bulk Build Command Example Source: https://github.com/dtxdf/appjail/wiki/repo This example demonstrates a typical Poudriere bulk build command, specifying the jail name and the custom ports tree. It highlights how Poudriere manages package fetching and building. ```bash poudriere bulk -j 132amd64 -p custom ``` -------------------------------- ### Initialize AppJail Director Project Source: https://github.com/dtxdf/appjail/wiki/mirror This command initializes and starts the AppJail director project named 'appjail-mirror', creating the configured services (web-server and git-hosting). ```console # appjail-director up Starting Director (project:appjail-mirror) ... Creating web-server (darkhttpd) ... Done. Creating git-hosting (gitea) ... Done. Finished: appjail-mirror ``` -------------------------------- ### Makejail Definition Source: https://github.com/dtxdf/appjail/wiki/vm_image Defines arguments, options, packages, and system configurations for building a VM image using appjail-reproduce. It includes options for starting, overwriting, networking, and copying configuration files. ```sh ARG hostname ARG timezone OPTION start OPTION overwrite=force OPTION virtualnet=: default OPTION nat OPTION resolv_conf=resolv.conf OPTION type=thick OPTION copydir=files OPTION file=/boot/loader.conf OPTION file=/etc/fstab OPTION file=/etc/rc.conf OPTION file=/etc/sysctl.conf OPTION tzdata=$timezone PKG neovim \ terminfo-db \ neofetch SYSRC "hostname=${hostname}" ``` -------------------------------- ### Reproduce Jail with Appjail Source: https://github.com/dtxdf/appjail/wiki/mirror This snippet shows the execution of the 'appjail-reproduce' command with the 'hello' argument. It logs the start and end times, details the jail's configuration (OS architecture, version, tag), and lists the 'Makejail' execution steps, including file removals and export operations. The output indicates the execution time and success of the process. ```bash # appjail-reproduce -b hello [ info ] Started at Fri May 10 21:24:44 -04 2024 [ info ] [hello]: [ info ] Logs: /home/dtxdf/.reproduce/logs/hello/2024-05-10_21h24m44s.log [ info ] > [hello] (osarch:amd64, osversion:13.3-RELEASE, tag:13.3): [ info ] Executing Makejail: jail:reproduce_9a220842-baa5-46e0-a531-5a84325d1211, release:default, args: [ info ] Execution time: 00:00:07 [ info ] Removing: rm -f var/log/* [ info ] Removing: rm -f var/cache/pkg/* [ info ] Removing: rm -rf usr/local/etc/pkg [ info ] Removing: rm -f var/run/* 2> /dev/null || : [ info ] Exporting hello [ info ] Export time: 00:00:01 [ info ] > [hello] (osarch:amd64, osversion:14.0-RELEASE, tag:14.0): [ info ] Executing Makejail: jail:reproduce_9a220842-baa5-46e0-a531-5a84325d1211, release:default, args: [ info ] Execution time: 00:00:06 [ info ] Removing: rm -f var/log/* [ info ] Removing: rm -f var/cache/pkg/* [ info ] Removing: rm -rf usr/local/etc/pkg [ info ] Removing: rm -f var/run/* 2> /dev/null || : [ info ] Exporting hello [ info ] Export time: 00:00:01 [ info ] --- [ info ] Ended at Fri May 10 21:25:08 -04 2024 [ info ] Build time: 00:00:24 [ info ] Hits: 2 [ info ] Errors: 0 ``` -------------------------------- ### Reproduce Appjail VM Source: https://github.com/dtxdf/appjail/wiki/vm_image This command initiates the reproduction of an appjail VM with specified parameters. It logs the start time, execution details, and cleanup operations, culminating in the export of the VM image. ```sh # appjail-reproduce -fb vm [ info ] Started at Fri Dec 27 16:49:19 -04 2024 [ info ] [vm]: [ info ] Logs: /root/.reproduce/logs/vm/2024-12-27_16h49m19s.log [ info ] > [vm] (osarch:amd64, osversion:14.2-RELEASE, tag:14.2): [ info ] Executing Makejail: jail:reproduce_24dd6371-80df-47a3-88fe-40c52a9de208, release:vm, args:"--hostname" "vm.lan" "--timezone" "America/Caracas" [ info ] Execution time: 00:01:39 [ info ] Removing: rm -f var/log/* 2> /dev/null || : [ info ] Removing: rm -f var/cache/pkg/* [ info ] Removing: rm -f var/run/* 2> /dev/null || : [ info ] Removing rc variable: defaultrouter [ info ] Exporting vm [ info ] Export time: 00:00:48 [ info ] --- ``` -------------------------------- ### Makejail for Badwolf Dependencies and Setup Source: https://github.com/dtxdf/appjail/wiki/app_jail This Makejail script installs doas, copies necessary application scripts, creates an 'appjail' group, and sets ownership for the badwolf.appjail script. It also provides instructions for updating doas.conf and adding users to the 'appjail' group. ```sh INCLUDE gh+AppJail-makejails/badwolf INCLUDE options/network.makejail INCLUDE options/misc.makejail CMD --local echo "======> Installing dependencies (host) <======" PKG --local doas CMD --local echo "======> Installing scripts <======" CMD --local mkdir -p /usr/local/bin CMD --local cp scripts/badwolf.appjail /usr/local/bin CMD --local mkdir -p /usr/local/bin/scripts CMD --local cp scripts/rjail.sh /usr/local/bin/scripts CMD --local cp scripts/ajcopy.sh /usr/local/bin/scripts CMD --local echo "======> Creating group 'appjail' <======" CMD --local pw groupadd -n appjail 2> /dev/null || : CMD --local chown -R root:appjail /usr/local/bin/badwolf.appjail CMD --local echo "======> Done <======" CMD --local echo CMD --local echo "===> Note #1: Add the following rules to your doas.conf(5): <===" CMD --local echo CMD --local echo "# badwolf.appjail" CMD --local echo "permit nopass :appjail cmd /usr/local/bin/scripts/rjail.sh" CMD --local echo "permit nopass :appjail cmd /usr/local/bin/scripts/ajcopy.sh" CMD --local echo CMD --local echo "===> Note #2: Add your user to the 'appjail' group <===" CMD --local echo ``` -------------------------------- ### Export and Import AppJail Source: https://github.com/dtxdf/appjail/wiki/migrate Demonstrates how to export an AppJail environment and then import it with specified network configurations and start options. This involves creating symbolic links for the jail's structure. ```sh # find . -ls | grep basejail 7723 1 drwxr-xr-x 2 root wheel 2 May 18 20:21 ./basejail 7721 1 lrwxr-xr-x 1 root wheel 14 May 18 20:21 ./boot -> /basejail/boot 7711 1 lrwxr-xr-x 1 root wheel 16 May 18 20:21 ./rescue -> /basejail/rescue 7707 1 lrwxr-xr-x 1 root wheel 14 May 18 20:21 ./sbin -> /basejail/sbin 8285 1 lrwxr-xr-x 1 root wheel 19 May 18 20:21 ./usr/lib32 -> /basejail/usr/lib32 8283 1 lrwxr-xr-x 1 root wheel 19 May 18 20:21 ./usr/share -> /basejail/usr/share 8284 1 lrwxr-xr-x 1 root wheel 21 May 18 20:21 ./usr/libexec -> /basejail/usr/libexec 8287 1 lrwxr-xr-x 1 root wheel 21 May 18 20:21 ./usr/libdata -> /basejail/usr/libdata 8281 1 lrwxr-xr-x 1 root wheel 17 May 18 20:21 ./usr/src -> /basejail/usr/src 8275 1 lrwxr-xr-x 1 root wheel 21 May 18 20:21 ./usr/include -> /basejail/usr/include 8279 1 lrwxr-xr-x 1 root wheel 17 May 18 20:21 ./usr/bin -> /basejail/usr/bin 8280 1 lrwxr-xr-x 1 root wheel 18 May 18 20:21 ./usr/sbin -> /basejail/usr/sbin 8276 1 lrwxr-xr-x 1 root wheel 17 May 18 20:21 ./usr/lib -> /basejail/usr/lib 8278 1 lrwxr-xr-x 1 root wheel 19 May 18 20:21 ./usr/ports -> /basejail/usr/ports 7714 1 lrwxr-xr-x 1 root wheel 13 May 18 20:21 ./bin -> /basejail/bin 7719 1 lrwxr-xr-x 1 root wheel 17 May 18 20:21 ./libexec -> /basejail/libexec 7722 1 lrwxr-xr-x 1 root wheel 13 May 18 20:21 ./lib -> /basejail/lib # mv basejail .appjail # ln -fs /.appjail/boot ./boot # ln -fs /.appjail/rescue ./rescue # ln -fs /.appjail/lib ./lib # ln -fs /.appjail/bin ./bin # ln -fs /.appjail/usr/libdata ./usr/libdata # ln -fs /.appjail/usr/lib ./usr/lib # ln -fs /.appjail/usr/libexec ./usr/libexec # ln -fs /.appjail/usr/sbin ./usr/sbin # ln -fs /.appjail/usr/bin ./usr/bin # ln -fs /.appjail/usr/src ./usr/src # ln -fs /.appjail/usr/share ./usr/share # ln -fs /.appjail/usr/lib32 ./usr/lib32 # ln -fs /.appjail/usr/include ./usr/include # ln -fs /.appjail/libexec ./libexec # ln -fs /.appjail/sbin ./sbin # unlink usr/ports # cd .. # tar -C b -cJf ezjail-blue.txz . ``` ```sh appjail-user quick blue \ import+jail="input:ezjail-blue.txz" \ virtualnet="development:blue default" \ nat \ start ``` -------------------------------- ### Execute Poudriere Bulk Build Source: https://github.com/dtxdf/appjail/wiki/repo This command initiates a Poudriere bulk build for the 'sysutils/htop' port within a FreeBSD jail. It specifies the jail name ('132amd64'), the ports tree ('custom'), and the build type ('latest' with binary packages). The output shows the progress of jail setup, package fetching, and dependency installation. ```shell poudriere bulk -j 132amd64 -p custom -b latest sysutils/htop ``` -------------------------------- ### Start Badwolf Jail Source: https://github.com/dtxdf/appjail/wiki/app_jail Starts the Badwolf application within an AppJail environment. It logs the starting process and configures network access. ```sh # appjail start badwolf [00:00:00] [ info ] [badwolf] Starting badwolf... access control disabled, clients can connect from any host ea_badwolf eb_badwolf badwolf: created add net default: gateway 10.42.0.1 defaultrouter: 10.42.0.1 -> 10.42.0.1 ``` -------------------------------- ### Rc.conf Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image The main system configuration file for FreeBSD, setting hostname, enabling DHCP for network interfaces, starting SSHD, and configuring other system services. ```FreeBSD # HOSTNAME hostname="" # Clear /tmp clear_tmp_enable="YES" # SYSLOGD syslogd_flags="-ss" # DHCP ifconfig_vtnet0="DHCP" # SSHD sshd_enable="YES" # MOUSED moused_nondefault_enable="NO" # DUMPDEV dumpdev="NO" # fsck(8) -y fsck_y_enable="YES" ``` -------------------------------- ### Create htop Jail with Appjail Source: https://github.com/dtxdf/appjail/wiki/repo This command initiates the creation of a new jail named 'htop' using the appjail tool. It specifies 'htop' as the application to be built and installed within the jail. The process involves downloading and installing necessary packages. ```bash # appjail makejail -j htop [00:00:00] [ info ] [htop] Building htop ... [00:00:05] [ warn ] [htop] htop is not running. [00:00:08] [ info ] [htop] Creating a standard jail (thin) ... [00:00:08] [ info ] [htop] Creating a thinjail ... [00:00:15] [ info ] [htop] Done. [00:00:21] [ info ] [htop] Starting htop... ea_htop eb_htop htop: created add net default: gateway 10.42.0.1 defaultrouter: NO -> 10.42.0.1 Updating FreeBSD repository catalogue... [htop.appjail] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01 [htop.appjail] Fetching packagesite.pkg: 100% 7 MiB 491.2kB/s 00:14 Processing entries: 100% FreeBSD repository update completed. 32882 packages processed. Updating custom repository catalogue... [htop.appjail] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01 [htop.appjail] Fetching packagesite.pkg: 100% 9 KiB 9.5kB/s 00:01 Processing entries: 38% Processing entries: 100% custom repository update completed. 27 packages processed. All repositories are up to date. The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: htop: 3.2.2_1 [custom] lsof: 4.97.0,8 [custom] Number of packages to be installed: 2 206 KiB to be downloaded. [htop.appjail] [1/2] Fetching lsof-4.97.0,8.pkg: 100% 110 KiB 112.5kB/s 00:01 [htop.appjail] [2/2] Fetching htop-3.2.2_1.pkg: 100% 96 KiB 98.4kB/s 00:01 Checking integrity... done (0 conflicting) [htop.appjail] [1/2] Installing lsof-4.97.0,8... [htop.appjail] [1/2] Extracting lsof-4.97.0,8: 100% [htop.appjail] [2/2] Installing htop-3.2.2_1... [htop.appjail] [2/2] Extracting htop-3.2.2_1: 100% ===== Message from lsof-4.97.0,8: -- NOTE: Due to the way the FreeBSD build clusters make packages, you may see a warning similar to the following: lsof: WARNING: compiled for FreeBSD release 11.1-RELEASE-p6; this is 11.1-RELEASE-p4. This is because the poudriere jails that build the packages don't have the corresponding kernel installed, so they don't know that the kernel version is different. This warning can be ignored if you are using a system that is updated via freebsd-update and are using pre-built packages. ``` -------------------------------- ### AppJail Version Check Source: https://github.com/dtxdf/appjail/wiki/mirror Displays the installed versions of AppJail and its related tools, appjail-director and appjail-reproduce. This is useful for verifying installations and compatibility. ```console # appjail version 3.3.0+fbe8792bc494bc94cedf112917db5889bb1c2cca # appjail-director --version appjail-director, version 0.8.0 # appjail-reproduce -v 0.4.0 ``` -------------------------------- ### Makejail Configuration Example Source: https://github.com/dtxdf/appjail/wiki/app_jail A Makejail file that includes another Makejail and defines various options such as virtual network, NAT, directory copying, file inclusion, and X11 support. ```sh INCLUDE gh+AppJail-makejails/badwolf OPTION virtualnet=testing:badwolf default OPTION nat OPTION copydir=/tmp/files OPTION file=/etc/rc.conf OPTION x11 ``` -------------------------------- ### AppJail Commands Source: https://github.com/dtxdf/appjail/wiki/app_jail Provides the sequence of commands to build, start, and run the 'badwolf' jail. These commands are used after configuring the jail's files and directories. ```bash appjail makejail -j badwolf appjail start badwolf appjail run -s badwolf_open -p url=http://example.org badwolf ``` -------------------------------- ### Install Project Dependencies Source: https://github.com/dtxdf/appjail/wiki/pyapp Switches to the 'pyapp' user and installs the project's Python dependencies listed in 'requirements.txt' using pip. The '--user' flag installs packages in the user's home directory. ```Make USER pyapp RUN pip install --user -r requirements.txt ``` -------------------------------- ### Create and Start Jail with ZFS Support Source: https://github.com/dtxdf/appjail/wiki/zfs Creates a new jail named 'jzfs' using the 'appjail quick' command. It configures devfs rules, specifies the ZFS template, forces overwriting if the jail exists, and starts the jail. ```sh appjail quick jzfs \ mount_devfs \ device='include $devfsrules_hide_all' \ device='include $devfsrules_unhide_basic' \ device='include $devfsrules_unhide_login' \ device='path zfs unhide' \ template=template.conf \ overwrite=force \ start ``` -------------------------------- ### Import FreeBSD jail to AppJail using bastille export Source: https://github.com/dtxdf/appjail/wiki/migrate This snippet shows how to import a previously exported and prepared FreeBSD jail (created using bastille) into AppJail. It uses the 'appjail-user quick' command with specific parameters for importing the jail, setting up a virtual network, and enabling NAT, followed by starting the jail. ```console $ appjail-user quick yellow import+jail="input:bastille-yellow.txz" virtualnet="development:yellow default" nat start [00:00:01] [ info ] [yellow] Importing yellow ... [00:00:01] [ info ] [yellow] Creating an empty jail ... [00:00:04] [ info ] [yellow] Done. [00:00:09] [ info ] [yellow] Starting yellow... ea_yellow eb_yellow yellow: created add net default: gateway 10.42.0.1 defaultrouter: NO -> 10.42.0.1 $ appjail-user jail list STATUS NAME TYPE VERSION PORTS NETWORK_IP4 UP yellow thin 13.1-RELEASE - 10.42.0.2 $ appjail-user login yellow root@yellow:~ # ``` -------------------------------- ### Import Jail with AppJail Source: https://github.com/dtxdf/appjail/wiki/migrate Imports a new jail using the 'appjail-user quick import' command. It specifies the jail archive, type, virtual network, OS version, NAT configuration, and initiates the start process. ```sh appjail-user quick eight \ import+jail="input:jail-eight.tgz" \ type=thick \ virtualnet="development:eight default" \ osversion=13.2-RELEASE \ nat \ start ``` -------------------------------- ### Define Application Run Command Source: https://github.com/dtxdf/appjail/wiki/pyapp Sets up the 'cmd' stage to run the FastAPI application using uvicorn. It specifies the user, working directory, and the command to start the development server, listening on all interfaces. ```Make STAGE cmd USER pyapp WORKDIR /app RUN /app/.local/bin/uvicorn main:app --reload --host 0.0.0.0 ``` -------------------------------- ### Custom Package Repository Configuration Source: https://github.com/dtxdf/appjail/wiki/repo This file defines a custom package repository named 'custom' with a specified URL and priority, used for installing packages within an AppJail. ```bash custom { url: "http://192.168.1.105/132amd64-custom", priority: 1 } ``` -------------------------------- ### Format and Mount GELI Encrypted Partition Source: https://github.com/dtxdf/appjail/wiki/geli Formats the GELI encrypted partition after writing random data and then mounts it to a specified directory. It also includes an example of adding the mount to /etc/fstab for persistence. ```console # newfs -j /dev/da0p1.eli /dev/da0p1.eli: 512.0MB (1048568 sectors) block size 32768, fragment size 4096 using 4 cylinder groups of 128.00MB, 4096 blks, 16384 inodes. with soft updates super-block backups (for fsck_ffs -b #) at: 192, 262336, 524480, 786624 Using inode 4 in cg 0 for 4194304 byte journal newfs: soft updates journaling set # mkdir /media/master-keys # mount /dev/da0p1.eli /media/master-keys echo "/dev/da0p1.eli /media/master-keys ufs rw,late 0 3" >> /etc/fstab ``` -------------------------------- ### AppJail Makejail Configuration Source: https://github.com/dtxdf/appjail/wiki/app_jail This configuration sets up a 'badwolf' jail using AppJail's makejail system. It includes installing dependencies, copying scripts, creating a group, and configuring 'doas' for permissions. ```make INCLUDE gh+AppJail-makejails/badwolf INCLUDE options/network.makejail INCLUDE options/misc.makejail CMD --local echo "======> Installing dependencies (host) <======" PKG --local doas CMD --local echo "======> Installing scripts <======" CMD --local mkdir -p /usr/local/bin CMD --local cp scripts/badwolf.appjail /usr/local/bin CMD --local mkdir -p /usr/local/bin/scripts CMD --local cp scripts/rjail.sh /usr/local/bin/scripts CMD --local cp scripts/ajnullfs_badwolf.sh /usr/local/bin/scripts CMD --local echo "======> Creating group 'appjail' <======" CMD --local pw groupadd -n appjail 2> /dev/null || : CMD --local chown -R root:appjail /usr/local/bin/badwolf.appjail CMD --local echo "======> Done <======" CMD --local echo CMD --local echo "===> Note #1: Add the following rules to your doas.conf(5): <===" CMD --local echo CMD --local echo "# badwolf.appjail" CMD --local echo "permit nopass :appjail cmd /usr/local/bin/scripts/rjail.sh" CMD --local echo "permit nopass :appjail cmd /usr/local/bin/scripts/ajnullfs_badwolf.sh" CMD --local echo CMD --local echo "===> Note #2: Add your user to the 'appjail' group <=== ``` -------------------------------- ### Create GPT Partition Table Source: https://github.com/dtxdf/appjail/wiki/geli This command creates a GUID Partition Table (GPT) on a given device (e.g., da0). GPT is a standard for the layout of partition tables on a physical hard disk drive. ```console # gpart create -s gpt da0 da0 created ``` -------------------------------- ### AppJail NullFS Setup Script Source: https://github.com/dtxdf/appjail/wiki/app_jail This script is designed to set up NullFS for a specific jail and user. It's a helper script executed by the main AppJail wrapper to manage filesystem access within the jail. ```sh #!/bin/sh # see sysexits(3) EX_USAGE=64 ``` -------------------------------- ### Consolidated AppJail Makejail Configuration Source: https://github.com/dtxdf/appjail/wiki/pyapp This is a complete Makejail file that combines all the previous configurations for setting up a Python FastAPI application within an AppJail. It includes Python and network setup, user creation, dependency installation, and the application run command. ```Make INCLUDE gh+AppJail-makejails/python # Optional, see below for details. INCLUDE options/network.makejail WORKDIR /app COPY app/ CMD pw useradd -n pyapp -d /app -s /bin/sh CMD mkdir -p /app CMD chown -R pyapp:pyapp /app PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-pip PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-wheel PKG rust USER pyapp RUN pip install --user -r requirements.txt STAGE cmd USER pyapp WORKDIR /app RUN /app/.local/bin/uvicorn main:app --reload --host 0.0.0.0 ``` -------------------------------- ### Install Python Packages (pip and wheel) Source: https://github.com/dtxdf/appjail/wiki/pyapp Installs the Python package installer (pip) and wheel for the detected Python version within the jail. Rust is also installed as it's a dependency for FastAPI. ```Make PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-pip PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-wheel PKG rust ``` -------------------------------- ### AppJail Reproduce Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image Defines the compression algorithm and specifies Makejail scripts to be executed before the main Makejail. This allows for custom image building. ```sh COMPRESS_ALGO=zstd BEFORE_MAKEJAILS="/root/Reproduce/main.makejail" ``` -------------------------------- ### Fetch VM Release Components Source: https://github.com/dtxdf/appjail/wiki/vm_image Commands to fetch the base system and kernel components for a specific FreeBSD release (e.g., 14.2-RELEASE) using appjail-fetch. This prepares the necessary files for VM creation. ```console # appjail fetch www -v 14.2-RELEASE vm base.txz kernel.txz ... # appjail fetch list ARCH VERSION NAME amd64 14.2-RELEASE default amd64 14.2-RELEASE vm ``` -------------------------------- ### AppJail Reproduce Project Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image Configuration file for appjail-reproduce, defining tags, architecture, default router removal, release name, and VM-specific arguments like hostname and timezone. ```sh tags: 14.2/14.2-RELEASE arch: amd64 remove_rc_vars: defaultrouter release: vm args: hostname timezone 14.2.args.hostname: vm.lan 14.2.args.timezone: America/Caracas ``` -------------------------------- ### Create and Partition VM Disk Source: https://github.com/dtxdf/appjail/wiki/vm_image This script outlines the process of creating a virtual machine disk image, attaching it using mdconfig, partitioning it with GPT, and creating a UFS filesystem for the jail. It includes mounting and unmounting the partition. ```sh vm create -t CS0 -s 20G vm mdconfig -at vnode /cloud-machine/vm/vm/disk0.img gpart create -s gpt md0 gpart add -t freebsd-boot -s 512k -a 1m md0 gpart add -t freebsd-swap -s 2G -a 1m md0 gpart add -t freebsd-ufs -a 1m md0 gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 md0 newfs -Ujt /dev/md0p3 mount /dev/md0p3 /mnt tar -C /mnt --strip-components=2 -xf /cloud-machine/appjail/cache/images/vm/14.2-amd64-image.appjail ./jail/ umount /mnt mdconfig -du 0 ``` -------------------------------- ### Fstab Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image Defines the file system table for the VM, specifying how partitions are mounted, including the root filesystem and swap space. ```FreeBSD /dev/nda0p3 / ufs rw 1 1 /dev/nda0p2 none swap sw 0 0 ``` -------------------------------- ### Install poudriere-devel Source: https://github.com/dtxdf/appjail/wiki/repo Installs the poudriere-devel package from the ports collection. This is recommended over the stable poudriere package for access to newer features and testing. ```console # cd /usr/ports/ports-mgmt/poudriere-devel # make install clean ``` -------------------------------- ### AppJail Available Releases Source: https://github.com/dtxdf/appjail/wiki/mirror Lists the available FreeBSD releases that can be fetched by AppJail, including architecture and version information. This helps in selecting the correct base image. ```console # appjail fetch list ARCH VERSION NAME amd64 14.0-RELEASE default ``` -------------------------------- ### Run AppJail Source: https://github.com/dtxdf/appjail/wiki/pyapp Starts the AppJail named 'pyapp'. This command initiates the application environment within the jail, making it ready to serve requests. ```console # appjail run pyapp INFO: Will watch for changes in these directories: ['/app'] INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit) INFO: Started reloader process [93321] using WatchFiles INFO: Started server process [93323] INFO: Waiting for application startup. INFO: Application startup complete. ``` -------------------------------- ### Loader.conf Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image Configuration for the FreeBSD boot loader, enabling specific kernel modules and features like NVMe support and resource accounting. ```FreeBSD nvme_load="YES" if_bridge_load="YES" bridgestp_load="YES" kern.racct.enable=1 ``` -------------------------------- ### Export Vanilla Jail Source: https://github.com/dtxdf/appjail/wiki/migrate Demonstrates exporting a vanilla jail named 'eight' by creating a tarball of its root filesystem. It also shows a sample jail.conf configuration. ```console # cat jail.conf eight { path = "/var/jail/${name}/root"; exec.prestart = "jng bridge ${name} em0"; exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.poststop = "jng shutdown ${name}"; vnet; vnet.interface = ng0_${name}; mount.devfs; devfs_ruleset = 10; } # tar -C /var/jail/eight/root --gzip -cf jail-eight.tgz . ``` -------------------------------- ### Initialize GELI Encrypted Partition Source: https://github.com/dtxdf/appjail/wiki/geli Initializes a disk partition for GELI encryption with specified authentication and encryption algorithms. It prompts for a passphrase and provides a command to restore metadata. ```console # geli init -b -a HMAC/SHA384 -e AES-XTS -l 256 da0p1 Enter new passphrase: Reenter new passphrase: Metadata backup for provider /dev/da0p1 can be found in /var/backups/da0p1.eli and can be restored with the following command: # geli restore /var/backups/da0p1.eli /dev/da0p1 ``` -------------------------------- ### Latest Package Repository Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image The configuration file for the FreeBSD package manager, specifying the URL for the latest package repository and signature verification details. ```FreeBSD FreeBSD: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } ``` -------------------------------- ### mount.sh Script Parameters Source: https://github.com/dtxdf/appjail/wiki/geli Outlines the parameters for the mount.sh script, responsible for creating a memory disk, attaching the encrypted device, and mounting it to a specified directory. ```text #### parameters * `-M` (mandatory): Directory where the device will be mounted. * `-m` (mandatory): Directory where the keys are stored. * `-i` (mandatory): Directory where the images are stored. * `-n` (mandatory): Image name. ``` -------------------------------- ### Create AppJail Project Directory Source: https://github.com/dtxdf/appjail/wiki/vm_image Command to create the necessary directory structure for a new appjail-reproduce project, specifically for a VM. ```sh mkdir -p ~/.reproduce/projects/vm ``` -------------------------------- ### Create a Simple FastAPI Application Source: https://github.com/dtxdf/appjail/wiki/pyapp A minimal FastAPI application that returns a 'Hello world' message when a GET request is made to the root endpoint. This serves as the basic API for the containerized application. ```Python from fastapi import FastAPI app = FastAPI() @app.get("/") async def root(): return {"message": "Hello world"} ``` -------------------------------- ### List available ports trees Source: https://github.com/dtxdf/appjail/wiki/repo Lists the currently configured ports trees managed by Poudriere, showing their method, timestamp, and path. ```console # poudriere ports -l ``` -------------------------------- ### Create AppJail with Encrypted File Mounting Source: https://github.com/dtxdf/appjail/wiki/geli This console command demonstrates how to create a new AppJail named 'www04' using a darkhttpd template and the previously defined `template.conf`. It configures network settings and specifies the template file. The subsequent commands show how to restart DNS services and fetch content from the newly created jail to verify its functionality. ```console # appjail makejail \ # -j www04 \ # -f gh+AppJail-makejails/darkhttpd \ # -o virtualnet=" default" \ # -o nat \ # -o template=$PWD/template.conf # service appjail-dns restart && service dnsmasq restart # To update the DNS hostnames # # as quickly as possible, but # # this is not required if you # # do not have DNS enabled. ... # fetch -qo - http://www04 # Of course, I use the DNS hostname, but # # you should use the IP address if you # # don't have DNS enabled in AppJail. Your website is encrypted, muahahahaha!!!!!! ``` -------------------------------- ### Sysctl.conf Configuration Source: https://github.com/dtxdf/appjail/wiki/vm_image System control parameters configuration for hardening the VM, including disabling process visibility and enabling packet filtering for bridge interfaces. ```FreeBSD # A bit of hardening security.bsd.see_other_uids=0 security.bsd.see_other_gids=0 security.bsd.see_jail_proc=0 kern.randompid=1 # Allow packet filtering in if_bridge(4) net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=1 ``` -------------------------------- ### Main Makejail Script Source: https://github.com/dtxdf/appjail/wiki/vm_image A simple Makejail script that includes another Makejail file, 'pkg.makejail'. This is part of the process to customize the VM image. ```sh INCLUDE pkg.makejail ``` -------------------------------- ### AppJail Template Configuration for ZFS Source: https://github.com/dtxdf/appjail/wiki/zfs Defines the configuration for an AppJail template, specifying commands for starting and stopping the jail, enabling ZFS mounts, and managing ZFS datasets before and after jail execution. ```sh exec.start: "/bin/sh /etc/rc" exec.stop: "/bin/sh /etc/rc.shutdown jail" allow.mount allow.mount.zfs enforce_statfs: 1 ${dataset}: zroot/jailed exec.poststart: "zfs jail ${name} ${dataset}" exec.poststart+: "appjail cmd jexec ${name} zfs list -Hro name ${dataset} | xargs -L 1 appjail cmd jexec ${name} zfs mount" exec.prestop: "appjail cmd jexec ${name} zfs list -Hro name ${dataset} | tail -r | xargs -L 1 appjail cmd jexec ${name} zfs umount" exec.prestop+: "zfs unjail ${name} ${dataset}" ``` -------------------------------- ### Access AppJail Service Source: https://github.com/dtxdf/appjail/wiki/pyapp Makes an HTTP GET request to the service running inside the AppJail at IP address 172.0.0.2 on port 8000. This demonstrates how to interact with the application hosted within the jail. ```console # curl -i 'http://172.0.0.2:8000' HTTP/1.1 200 OK date: Sun, 05 Mar 2023 00:10:07 GMT server: uvicorn content-length: 25 content-type: application/json {"message":"Hello world"} ``` -------------------------------- ### create.sh Script Parameters Source: https://github.com/dtxdf/appjail/wiki/geli Details the parameters for the create.sh script, which is used to create, initialize, and format an encrypted file, including options for key length, image size, and directory locations. ```text #### parameters * `-g` (optional): Arguments used by `geli init`. * `-k` (default: `64`): Key length in bytes. The default is `64` bytes, so `512` bits. * `-N` (default: `-U`): Arguments used by `newfs(8)` * `-s` (default: `48`): Image size in Mebibytes. * `-m` (mandatory): Directory where the keys are stored. * `-i` (mandatory): Directory where the images are stored. * `-n` (mandatory): Image name. This will be concatenated with the master key directory and the image directory. The key filename will have the suffix `.key` and the image filename will have the suffix `.img`. ``` -------------------------------- ### FreeBSD Loader Configuration for ZFS and Crypto Source: https://github.com/dtxdf/appjail/wiki/mirror Configures the FreeBSD boot loader to enable ZFS support and the crypto device, which are prerequisites for AppJail's storage and security features. ```sh kern.geom.label.disk_ident.enable="0" kern.geom.label.gptid.enable="0" cryptodev_load="YES" # ZFS. zfs_load="YES" ``` -------------------------------- ### Export and Import pot Jail Source: https://github.com/dtxdf/appjail/wiki/migrate Illustrates exporting a pot jail named 'white' using ZFS snapshots and tarball creation, followed by importing it with specific OS version and network configurations. ```console # zfs list -r zroot/pot/jails/white NAME USED AVAIL REFER MOUNTPOINT zroot/pot/jails/white 443M 555G 26.5K /usr/local/pot/jails/white zroot/pot/jails/white/m 443M 555G 443M /usr/local/pot/jails/white/m # tar -C /usr/local/jails/white/m --zstd -cf /tmp/pot-white.tzst . ``` ```sh appjail-user quick white \ import+jail="input:pot-white.tzst" \ type=thick \ virtualnet="development:white default" \ osversion=13.1-RELEASE \ nat \ start ``` -------------------------------- ### AppJail Makejail Configuration for Python FastAPI Source: https://github.com/dtxdf/appjail/wiki/pyapp Configures an AppJail for a Python project using FastAPI. It includes instructions for setting the working directory, copying application files, creating a user, installing Python packages for FastAPI and Uvicorn, and running the Uvicorn server. ```python INCLUDE gh+AppJail-makejails/python # Optional, see below for details. INCLUDE options/network.makejail WORKDIR /app COPY app/ CMD pw useradd -n pyapp -d /app -s /bin/sh CMD mkdir -p /app CMD chown -R pyapp:pyapp /app PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-fastapi PKG py%{PYTHON_MAJOR}%{PYTHON_MINOR}-uvicorn STAGE cmd USER pyapp WORKDIR /app RUN uvicorn main:app --reload --host 0.0.0.0 ``` -------------------------------- ### Fetch AppJail Components Source: https://github.com/dtxdf/appjail/wiki/app_jail Downloads necessary components for AppJail to function. This command should be run if the required components are not already present on the system. ```console appjail fetch ``` -------------------------------- ### Configure Custom Package Jail with Makejail Source: https://github.com/dtxdf/appjail/wiki/repo This Makejail configuration sets up a jail for a custom package, including virtual networking, NAT, automatic starting, overwriting existing jails, copying directories, and specifying a custom package repository configuration file. ```make OPTION virtualnet=testing:htop default OPTION nat OPTION start OPTION overwrite OPTION copydir=files OPTION file=/usr/local/etc/pkg/repos/Custom.conf PKG htop ```