
bsdploy's Introduction

BSDploy – FreeBSD jail provisioning

BSDploy is a comprehensive tool to remotely provision, configure and maintain FreeBSD jail hosts and jails.

Its main design goal is to lower the barrier to repeatable jail setups.

Instead of performing updates on production hosts you are encouraged to update the description of your setup, test it against an identically configured staging scenario until it works as expected and then apply the updated configuration to production with confidence.

Main Features

  • provision complete jail hosts from scratch
  • describe one or more jail hosts and their jails in a canonical configuration
  • declarative configuration – apply Ansible playbooks to hosts and jails
  • imperative maintenance – run Fabric scripts against hosts and jails
  • configure ZFS pools and filesystems with whole-disk-encryption
  • modular provisioning with plugins for VirtualBox and Amazon EC2 and an architecture to support more.

How it works

BSDploy takes the shape of a command-line tool by the name of ploy which is installed on a so-called control host (typically your laptop or desktop machine), from which you then control one or more target hosts. The only two things BSDploy installs on target hosts are Python and ezjail; everything else stays on the control host.

Example Session

Here's what an abbreviated bootstrapping session of a simple website inside a jail on an Amazon EC2 instance could look like:

# ploy start ec-instance
[...]
# ploy configure jailhost
[...]
# ploy start webserver
[...]
# ploy configure webserver
[...]
# ploy do webserver upload_website

Best of both worlds

Combining a declarative approach for setting up the initial state of a system with an imperative approach for providing maintenance operations on that state has significant advantages:

  1. Since the imperative scripts have the luxury of running against a well-defined context, you can keep them short and concise without worrying about all those edge cases.
  2. And since the playbooks needn't concern themselves with performing updates or other tasks you don't have to litter them with awkward states such as restarted or updated or – even worse – with non-states such as shell commands.

Under the hood

BSDploy's scope is quite ambitious, so naturally it does not attempt to do all of the work on its own. In fact, BSDploy is just a fairly thin, slightly opinionated wrapper around existing excellent tools.

In addition to the above mentioned Ansible and Fabric, it uses ezjail on the host to manage the jails and on the client numerous members of the ployground family for pretty much everything else.

Full documentation

The full documentation is hosted at RTD.

bsdploy's People

Contributors

dlangille, elatomo, fschulze, igalic, infiniverse, mzs114, ogryzek, tomster


bsdploy's Issues

Python 3 & Fabric

Apologies if this has been addressed before (I couldn't find anything in the docs about Python 3):

What's the ETA for Python 3 support? Is Fabric the only requirement holding things back?
Also, since Fabric in Python 3 has been "just around the corner" for a few years, is it possible to use another backend?

Thanks for a great project!

Saltstack instead of ansible?

Hi bsdploy developers,

I pointed out the gplv3 conflict with ansible at ployground/ploy_ansible#8.

However, at the same time, saltstack is a candidate for provisioning jails. They seem to have been pretty friendly to supporting BSD systems. Recently they put BSD Jails on their roadmap for salt-cloud: saltstack/salt#22983.

I'm checking to see if there is any desire on bsdploy's side to support salt for setting up environments in jails.

restarting pf hangs

When configuring the jailhost it hangs indefinitely at the step jails_host | restart pf.
The same thing happens when I ssh into the jailhost and try to restart it manually but after a reboot it seems to be running.
The only line in the log (after enabling pflog) does not indicate a problem: capability mode sandbox enabled

This happens for me with the latest bsdploy version while deploying to virtualbox on both Mac OSX and Archlinux.

Did someone ever experience something similar?

ssh as non-root

I want to ssh as non-root. This user is in the wheel group and does sudo auth via ssh agent. See http://blather.michaelwlucas.com/archives/1106

I want commands run on the host to be invoked with sudo

I want ssh to the host to be invoked with: ssh -A

At present, I have this:

[plain-instance:tallboy]
host        = tallboy.example.org
user        = REDACTED
fingerprint = REDACTED

[ez-master:tallboy-jailhost]
instance = tallboy
roles    = jails_host
sudo     = true

/root/.ssh/config contains

Host tallboy.example.org
  Hostname     tallboy.example.org
  ForwardAgent yes

But:

[root@ansible:/usr/local/etc/bsdploy] # ploy configure tallboy-jailhost

PLAY [tallboy-jailhost] ******************************************************* 

GATHERING FACTS *************************************************************** 
fatal: [tallboy-jailhost] => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356 && echo $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356, exited with result 1

TASK: [jails_host | bind host sshd to primary ip] ***************************** 
FATAL: no hosts matched or all hosts have already failed -- aborting

[root@ansible:/usr/local/etc/bsdploy] # 

rsa1: unknown or unsupported key type

Getting the error:

unknown or unsupported key type

in line 97 of the bootstrap_utils.py file:

('ssh_host_key', '-t rsa1 -b 1024'),

Any reason for the ssh key to be rsa1 and not just rsa?
Thanks

VirtualBox Quickstart example, not enough memory

When running the setup as described in the Quickstart documentation, bsdtar will fail with an out of memory error while extracting the FreeBSD distribution.

Maybe vm-memory should be higher in the example. I tested with 1024 meg and that worked.

I have a hard time understanding the bootstrapping process

@tomster @fschulze

In the RTD documentation there are whole sections about the bootstrapping of the virtualbox mfsbsd image.

If I understand it correctly, when I do ploy bootstrap jailhost it will install that mfsbsd into the virtualbox box machine and somehow I end up with superclean freebsd installation where ezjail and all stuff is installed.

But it seems to me there is no such option in the current bsdploy.

The bootstrap command is missing from the ploy command.

What is superweird is that I can not do ploy configure either.

All calls to ploy bootstrap and ploy configure end with the error that there are no such options.

How am I supposed to bootstrap and configure it then?

Duplicate installation of Python 2

In 2.2.0 the base flavour gained installation of python2, but this is already done in the startup script startup-ansible-jail.sh, maybe the only issue was that it installs python2.7 instead of python2, which doesn't add the python2 alias?

Ploy bootstrap issues on FreeBSD 10.1

I tried bootstrapping a virtualbox VM on host only network, ploy ssh jailhost works fine.

% ploy ssh jailhost
Last login: Sun Nov 30 14:23:37 2014 from 192.168.56.10
FreeBSD 10.1-RELEASE (GENERIC) #0 r274401: Tue Nov 11 21:02:49 UTC 2014

Welcome to mfsBSD, the memory based FreeBSD distribution.

This is a stripped-down version of FreeBSD without:
- manual pages, info pages, examples
- include files, static library files, development tools
- bind binaries (host, dig, named, etc.)

Feel free to email me with any bug reports or feature suggestions.
Martin Matuska <[email protected]>
http://mfsbsd.vx.sk/

But ploy bootstrap jailhost fails.

% ploy bootstrap jailhost
Generated ssh_host_dsa_key with fingerprint a8:c3:b5:3f:18:9d:24:1a:28:4d:b1:4f:69:75:7b:01.
Generated ssh_host_ecdsa_key with fingerprint bc:b5:dd:44:86:a5:2e:aa:d4:b9:80:9d:19:b5:3b:d3.
Generated ssh_host_key with fingerprint 6d:3c:cf:44:0e:50:d2:af:fc:74:9e:9b:f7:6b:eb:20.
Generated ssh_host_rsa_key with fingerprint 60:5d:ea:6f:fe:40:35:84:de:4f:20:2f:af:38:0e:9f.

Using these local files for bootstrapping:
The '/usr/home/cse18/ploy/bootstrap-files/authorized_keys' file is missing.
Should we generate it using the key in '/home/cse18/.ssh/id_rsa.pub'? [yes/no] yes
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/FreeBSD.conf -(template:False)-> /mnt/usr/local/etc/pkg/repos/FreeBSD.conf
/usr/home/cse18/ploy/bootstrap-files/authorized_keys -(template:False)-> /mnt/root/.ssh/authorized_keys
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/make.conf -(template:False)-> /mnt/etc/make.conf
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/pf.conf -(template:False)-> /mnt/etc/pf.conf
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/pkg.conf -(template:True)-> /mnt/usr/local/etc/pkg.conf
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/rc.conf -(template:True)-> /mnt/etc/rc.conf
/usr/home/cse18/ploy/bootstrap-files/ssh_host_dsa_key -(template:False)-> /mnt/etc/ssh/ssh_host_dsa_key
/usr/home/cse18/ploy/bootstrap-files/ssh_host_dsa_key.pub -(template:False)-> /mnt/etc/ssh/ssh_host_dsa_key.pub
/usr/home/cse18/ploy/bootstrap-files/ssh_host_ecdsa_key -(template:False)-> /mnt/etc/ssh/ssh_host_ecdsa_key
/usr/home/cse18/ploy/bootstrap-files/ssh_host_ecdsa_key.pub -(template:False)-> /mnt/etc/ssh/ssh_host_ecdsa_key.pub
/usr/home/cse18/ploy/bootstrap-files/ssh_host_key -(template:False)-> /mnt/etc/ssh/ssh_host_key
/usr/home/cse18/ploy/bootstrap-files/ssh_host_key.pub -(template:False)-> /mnt/etc/ssh/ssh_host_key.pub
/usr/home/cse18/ploy/bootstrap-files/ssh_host_rsa_key -(template:False)-> /mnt/etc/ssh/ssh_host_rsa_key
/usr/home/cse18/ploy/bootstrap-files/ssh_host_rsa_key.pub -(template:False)-> /mnt/etc/ssh/ssh_host_rsa_key.pub
/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap-files/sshd_config -(template:False)-> /mnt/etc/ssh/sshd_config

No files will be downloaded on the host during bootstrap.

Found no FreeBSD system to install, please specify bootstrap-bsd-url and make sure mfsbsd is running

Ansible version 1.9 used from the stock RELEASE repository running on another VM which is acting as client.

% uname -a
FreeBSD freebsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

On the same machine, contents of ploy.conf.

ploy % ls
bootstrap-files etc
cse18@freebsd:~/ploy % cat etc/ploy.conf 

[ez-master:jailhost]
ip = 192.168.56.101
bootstrap-fingerprint = b5:cf:8f:12:4a:41:ea:b0:6f:5a:c0:25:1b:e6:f3:fa
bootstrap-system-devices = ada0
bootstrap-swap-size = 1
http_proxy = http://user:[email protected]:3128/

[instance:jail1]
master = jailhost
ip = 172.16.0.1

per-jailhost bootstrap files by default, no implicit rc.conf

  • default bootstrap-files location should be {playbook-directory}/bootstrap-files/{hostname}
  • if there is no rc.conf at that location we warn the user about it and suggest to create a copy for it
  • note: disable ntpd in the default rc.conf
  • disable sendmail, too

ploy configure gives Traceback

I am trying to get my first jail host configured. I'm failing.

This succeeds:

# ploy ssh tallboy

This fails:

# ploy configure tallboy-jailhost
Traceback (most recent call last):
  File "/usr/local/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0.3', 'console_scripts', 'ploy')()
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 540, in ploy
    return ctrl(argv)
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 532, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/usr/local/lib/python2.7/site-packages/ploy_ansible/__init__.py", line 623, in __call__
    extra_vars = parse_extra_vars(args.extra_vars)
  File "/usr/local/lib/python2.7/site-packages/ploy_ansible/__init__.py", line 262, in parse_extra_vars
    inject_ansible_paths()
  File "/usr/local/lib/python2.7/site-packages/ploy_ansible/__init__.py", line 41, in inject_ansible_paths
    C.DEFAULT_MODULE_PATH = pathsep.join([pathsep.join(extra_library), C.DEFAULT_MODULE_PATH])
TypeError: sequence item 1: expected string, NoneType found

Details of configuration:

# cat etc/ploy.conf
[plain-instance:tallboy]
host        = tallboy.example.org
user        = dvl
fingerprint = REDACTED

[ez-master:tallboy-jailhost]
instance = tallboy
roles    = jails_host

remote host is FreeBSD 10.1, freshly installed today.

localhost is FreeBSD 9.3 with:

bsdploy-1.3
py27-ploy-1.0.3
py27-ploy_ansible-1.2.1
py27-ploy_ec2-1.1.0
py27-ploy_ezjail-1.1.0
py27-ploy_fabric-1.1.0

License issue

This code may be GPLv3.

'ploy_ansible>=1.2.4',

The license in setup.py should reflect this is Beerware license by the copyright holder, but it's dependent on a gplv3 library. This has to be removed for the project to be permissive Beerware.
#75 seems to be an alternative.

digitalocean fabfile needs an update for FreeBSD 11

sudo("""cat /etc/rc.digitalocean.d/droplet.conf > /etc/rc.conf""")

this file is gone in the Fbsd11 image, but that's okay, cuz the default rc.conf is already pretty much ready.

 sudo("""echo 'PermitRootLogin without-password' > /etc/ssh/sshd_config""")

This is now the default, however, there's also a Match clause at the end which rejects the root login altogether. And, in addition to that, the root account is also locked out… so we'll need to snip off the last two lines, and then:

 sudo("""pw unlock root""")

This is gone in the new revision:

# clean up DO cloudinit leftovers
run("rm /etc/rc.d/digitalocean")
run("rm -r /etc/rc.digitalocean.d")
run("rm -r /usr/local/bsd-cloudinit/")
run("pkg remove -y avahi-autoipd")

mfsbsd root password does not work

Using bsdploy from git d5efe1f

Used the 10.0 mfsbsd image for booting a virtualbox instance like described in the quickstart documentation.

After running ploy bootstrap it ends up waiting for input of the root password of the mfsbsd. The default mfsbsd password (mfsroot) does not work. Login via normal cmdline ssh with the default password does work.

Unable to ploy start quickstart - error on defaultdisk

I am following the tutorial on RTD and there is this snippet I am supposed to put to etc/ploy.conf and do ploy start quickstart

[vb-instance:quickstart]
vm-nic2 = nat
vm-natpf2 = ssh,tcp,,44003,,22
storage =
    --medium vb-disk:defaultdisk
    --type dvddrive --medium http://mfsbsd.vx.sk/files/iso/10/amd64/mfsbsd-se-10.1-RELEASE-amd64.iso --medium_sha1 03af247c1058a78a251c46ad5a13dc7b84a7ee7d

But in my case it errors on this:

Traceback (most recent call last):
  File "/home/smikloso/devel/bsdploy/bsdploy/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.2.0', 'console_scripts', 'ploy')()
  File "/home/smikloso/devel/bsdploy/bsdploy/lib/python2.7/site-packages/ploy/__init__.py", line 557, in ploy
    return ctrl(argv)
  File "/home/smikloso/devel/bsdploy/bsdploy/lib/python2.7/site-packages/ploy/__init__.py", line 549, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/home/smikloso/devel/bsdploy/bsdploy/lib/python2.7/site-packages/ploy/__init__.py", line 284, in cmd_start
    result = instance.start(overrides)
  File "/home/smikloso/devel/bsdploy/bsdploy/lib/python2.7/site-packages/ploy_virtualbox/__init__.py", line 327, in start
    medium = self.master.disks[medium[8:]].filename(self)
  File "/home/smikloso/devel/bsdploy/bsdploy/lib/python2.7/site-packages/ploy_virtualbox/__init__.py", line 540, in __getitem__
    self._cache[key] = self.klass(key, self.config[key])
KeyError: 'defaultdisk'

Thoughts?

Configuring a FreeBSD VM.

After bootstrapping I am trying to configure a FreeBSD VM on virtualbox; I am not following the quick start guide.
So we can consider the VM as a plain instance.

% ploy configure jailhost
WARNING: You are using an untested version 1.9.1 of ansible. The latest tested version is 1.8.X. Any errors may be caused by that newer version.
WARNING: You are using an untested version 1.9.1 of ansible. The latest tested version is 1.8.X. Any errors may be caused by that newer version.

PLAY [jailhost] *************************************************************** 

GATHERING FACTS *************************************************************** 
fatal: [jailhost] => Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/local/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/local/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
TypeError: connect_patch() takes exactly 7 arguments (8 given)


TASK: [jails_host | bind host sshd to primary ip] ***************************** 
FATAL: no hosts matched or all hosts have already failed -- aborting

Following is the content of ploy.conf

[ez-master:jailhost]
ip = 192.168.56.101
#bootstrap-fingerprint = 9e:5a:5d:3f:52:a3:bf:2b:6e:a0:34:f7:e5:20:11:af
#bootstrap-system-devices = ada0
#bootstrap-swap-size = 1
http_proxy = http://vlabcse:[email protected]:3128/
#instance = jail1
roles =
   jails_host

#[instance:jail1]
#master = jailhost
#ip = 172.16.0.1

Is this because of newer version of Ansible?

[global] var assignments don't have effect in [vb-instance] stanzas

Setting global variables in [global] section of ploy.conf like

[global]
vm-ostype = FreeBSD_64
vm-memory = 3072

... has no effect on [vb-instance] stanzas. All VirtualBox instances are created using the default memory size, not the custom one from [global].

Any ideas how to change it?

Cheerio,
Chris

How to bootstrap with another private key?

I have the following problem.

I am doing ploy bootstrap myinstance and it notifies me that in bootstrap_files there is no authorized_keys file and it asks if it is ok to add the public key from ~/.ssh there.

If I answer yes, this file will be copied over mfsbsd and bootstrap process will use it. It gets passwordless access because bootstrap uses id_dsa / id_dsa files in ~/.ssh while authenticating.

My scenario is that after bootstrapping of that whole environment, I just pack that machine to Vagrant box and I am using that box with vagrant up ...

The thing is that I can not do vagrant ssh into it by default, I have to point vagrant to my identity file (id_dsa) in ~/.ssh so vagrant can pick it up. If I did not set it, it would use some default insecure key and that key is obviously not in authorized_keys so the access will be refused.

Now the problem is that I would have to put my private key into source control, which is obviously not what I want, so I was thinking that I just use a pregenerated keypair and put the public key into authorized_keys in bootstrap_files.

But when I do that, I am not able to bootstrap it anymore because bootstrap does not use that corresponding private key so it asks for password but I can not provide any.

[idea] Alternative way to ssh into jails by using jexec users on the host

Instead of launching sshd on every jail, allow sshing into various jails by using jexec. One approach to accomplish this is to add dedicated users on the host system (use either user name or gecos to define jail name).

E.g.

  • host
    • jail1
    • jail2
    • potentiallyverylongjailname

/etc/group on host:

jexec:*:2000:

/usr/local/etc/sudoers on host:

%jexec  ALL=(root) NOPASSWD: /usr/sbin/jexec

/etc/master.passwd on host:

jail1:*:2001:2000::0:0:jail1:/home/jexec/jail1:/usr/local/bin/jexecsh
jail2:*:2002:2000::0:0:jail2:/home/jexec/jail2:/usr/local/bin/jexecsh
potentiallyveryl:*:2003:2000::0:0:potentiallyverylongjailname:/home/jexec/potentiallyveryl:/usr/local/bin/jexecsh

The following shell script could be used in the example above (/usr/local/bin/jexecsh):

#!/bin/sh
# Login shell for the per-jail host accounts: map the login user to a jail name,
# first by user name, then by the GECOS field (sanitised to [a-z0-9_]).

JAILNAME="$USER"
if ! jls -j "$JAILNAME" >/dev/null 2>&1; then
        JAILNAME=$(pw usershow "$USER" | cut -d ':' -f 8 | sed 's/[^a-z0-9_]//g')
        if [ -z "$JAILNAME" ] || ! jls -j "$JAILNAME" >/dev/null 2>&1; then
                echo "Jail \"$JAILNAME\" not found" >&2
                exit 1
        fi
fi

# sshd invokes the login shell as "-c <command>", so "$@" runs that command inside the jail.
exec sudo jexec -n "$JAILNAME" sh "$@"

This takes advantage of jail names being defined in FreeBSD 10 (my.jail.name turns into my_jail_name).

Instead of using name/gecos, different mechanisms could be used to determine which jail to use to execute commands, including the users home directory (pwd) or storing it in a dedicated configuration file like $HOME/.jexec or simply adding dedicated commands to .ssh/authorized_keys.

One could think of other mechanisms of multiplexing jexec calls for multiple jails over a single user (or various users for accountability). The advantage of the approach above is that it allows for a relatively natural syntax when accessing the jail from the outside:

ssh jail1@host
ssh jail2@host

Yet another approach could be playing with Match rules in the host's /etc/ssh/sshd_config.

Discuss ;)

Docs don't explain how to manually set up the jailhost's SSH keys (also, an error about errors)

Hey,

I'm sorry if I missed something, but I can't find a single part of the docs that explains how to setup ssh keys for a jail host without having done the 'bootstrap' step. I tried doing 'ssh-agent zsh && ssh-add ~/.ssh/jailhostname', and although this makes regular ssh work fine, bsdploy gives some error messages and dies whenever attempting to do 'ploy ssh' or 'ploy configure'. It also appears that ploy hits an error while trying to print the 'connection failed' error message:

matt@openbsdvbox ~/ansible-stuff (git)-[master] % ploy ssh vboxjailhost   
Traceback (most recent call last):
  File "/usr/local/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0.0', 'console_scripts', 'ploy')()
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 520, in ploy
    return ctrl(argv)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 514, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 402, in cmd_ssh
    ssh_info = instance.init_ssh_key(user=user)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/plain.py", line 186, in init_ssh_key
    log.error('Failed to connect to %s (%s)' % (self.config_id, hostname))
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/common.py", line 214, in config_id
    return "%s:%s" % (self.sectiongroupname, self.id)
AttributeError: 'Instance' object has no attribute 'sectiongroupname'
1 matt@openbsdvbox ~/ansible-stuff (git)-[master] %

What steps do I need to take to make bsdploy use my key?

execnet error when using ploy configure (examples from quickstart, webserver tutorials)

The below output was reproducible on a setup where the tutorial was followed during the training at europython.

venv was installed with python -m virtualenv
bin/activate was called
ploy ssh webserver / demo_jail both work without a problem

pkg install nginx worked without a problem inside the jail, so internet connection is not the problem.

pip freeze
Fabric==1.9.0
Jinja2==2.7.3
MarkupSafe==0.23
PyYAML==3.11
ansible==1.6.6
bsdploy==1.0.0
ecdsa==0.11
execnet==1.2.0
lazy==1.2
paramiko==1.14.0
ploy==1.0.0
ploy-ansible==1.0.0
ploy-ezjail==1.0.0
ploy-fabric==1.0.0
ploy-virtualbox==1.0.0
pycrypto==2.6.1
wsgiref==0.1.2

(lala)Retina Wolfgang 2012:ploy-quickstart wpfnuer$ ploy configure webserver
INFO: Using playbook at '/Users/wpfnuer/lala/ploy-quickstart/jailhost-webserver.yml'.

PLAY [jailhost-webserver] *****************************************************

GATHERING FACTS ***************************************************************
Write failed: Broken pipe
fatal: [jailhost-webserver] => Traceback (most recent call last):
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 536, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 638, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 832, in _executor_internal_inner
    result = handler.run(conn, tmp, module_name, module_args, inject, complex_args)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/action_plugins/normal.py", line 57, in run
    return self.runner._execute_module(conn, tmp, module_name, module_args, inject=inject, complex_args=complex_args)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 419, in _execute_module
    tmp = self._make_tmp_path(conn)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 1046, in _make_tmp_path
    result = self._low_level_exec_command(conn, cmd, None, sudoable=False)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ansible/runner/__init__.py", line 974, in _low_level_exec_command
    in_data=in_data)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ploy_ansible/execnet_connection.py", line 90, in exec_command
    rc, stdout, stderr = self.rpc.exec_command(remote_cmd)
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/ploy_ansible/execnet_connection.py", line 17, in __call__
    self.channel.send((name, args, kw))
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/execnet/gateway_base.py", line 681, in send
    self.gateway._send(Message.CHANNEL_DATA, self.id, dumps_internal(item))
  File "/Users/wpfnuer/lala/lib/python2.7/site-packages/execnet/gateway_base.py", line 950, in _send
    raise IOError("cannot send (already closed?)")
IOError: cannot send (already closed?)

TASK: [install nginx] *********************************************************
FATAL: no hosts matched or all hosts have already failed -- aborting

Building ports in a jail

I'm new to bsdploy and jails.

When I create a new virtualbox instance and jail (like when following the quickstart), I am unable to build any ports after SSHing into the jail. To make the ports available I first have to connect to the ezjail master and fetch and extract the ports tree into the base jail with portsnap fetch and portsnap -p /usr/jails/basejail/usr/ports extract. Then the ports are available within the jail, but I get errors when I try to build anything due to /usr/ports being a read-only file system. After some searching I found that I could fix that by adding options to /etc/make.conf in the jail. At that point everything works fine.

My question is, what is the proper workflow for doing all of this in bsdploy? I am guessing that editing /etc/make.conf every time I create a new jail is not the answer. Isn't this something bsdploy should do by default, or do I need to create an ansible task to make the proper edits and always assign it to every jail?

Ansible task and start of VM is very slow because of FreeBSD hostname - IP resolution

@tomster @fschulze

I firstly noticed that after bootstrapping, the boot process of the provisioned FreeBSD machine takes a relatively long time and after some investigation, I noticed it is pending on sendmail.

The reason it is pending there is that sendmail tries to resolve DNS entries / hostnames / IP addresses and fails to do it; in the logs it looks like this:

Aug 19 11:49:10 myhost sm-mta[696]: gethostbyaddr(192.168.56.100) failed: 2
Aug 19 11:49:25 myhost sm-mta[696]: gethostbyaddr(10.0.3.15) failed: 2

You see that it takes like 15 - 20 seconds to resolve it and it makes boot of the machine very very long.

In order to resolve this, you have to put valid stuff to /etc/hosts, I did it like this:

10.0.3.15   myhost  myhost.local
192.168.56.100  internal        internal.local
::1     myhost  myhost.local
::1     internal        internal.local

These IPv6 records have to be there as well.

What is quite interesting is that without this change in /etc/hosts, the invocation of some Ansible playbook via ploy playbook path/to/playbook.yml takes very long time to execute as well because I think that Ansible internally on FreeBSD machine (that script in /root/.ansible) does some host resolution as well and it can not resolve it and it causes delays as in case of sendmail.

The solution would be to be able to specify custom /etc/hosts file while bootstrapping and be able to say what hostnames will be assigned to what IP addresses and this should be quite configurable so it adds them all there.

I would be satisfied with the ability to provide my custom /etc/hosts file where I hardcode these values but in the current state I do not see any way to do it because in the bootstrapping process you are taking into consideration a lot of files but /etc/hosts.

ploy configure demo_jail: nodename nor servname provided, or not known

Hello.
I was going through the quick start guide step by step and I encountered ansible related error.
When I'm trying to configure (ploy configure) ansible complains that it can't connect to the host by its name jailhost, so I put jailhost into my hosts file and it worked fine until I tried to provision a jail.
As far as I understand, jails do not expose ssh and ploy ssh connects through the jailhost, using ssh -W and I do not know how to tell ansible to do the same.

System info

Mac os 10.10.1

$ ploy -v
bsdploy 1.3 (/usr/local/lib/python2.7/site-packages)
ploy 1.0.2 (/usr/local/lib/python2.7/site-packages)
ploy-ansible 1.2.0 (/usr/local/lib/python2.7/site-packages)
ploy-ezjail 1.1.0 (/usr/local/lib/python2.7/site-packages)
ploy-fabric 1.1.0 (/usr/local/lib/python2.7/site-packages)
ploy-virtualbox 1.0.0 (/usr/local/lib/python2.7/site-packages)

Ploy output

$ ploy configure demo_jail

PLAY [jailhost-demo_jail] *****************************************************

GATHERING FACTS ***************************************************************
fatal: [jailhost-demo_jail] => {'msg': 'FAILED: [Errno 8] nodename nor servname provided, or not known', 'failed': True}

TASK: [install nginx] *********************************************************
FATAL: no hosts matched or all hosts have already failed -- aborting

If previous zpool data exists, new zpool creation fails due to the gnop device disappearing

When configuring a fresh host for the first time, everything worked perfectly. However, after playing around a bit more, and later re-bootstrapping and attempting to reconfigure, ploy configure would fail with:

< TASK: jails_host | Setup data zpool >
 ------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


failed: [sarah] => {"failed": true}
msg: Failed to create zpool with the following arguments:
create -o version=28 -m none tank mirror gpt/tank_ada0.nop gpt/tank_ada1.nop
cannot open 'gpt/tank_ada1.nop': no such GEOM provider
must be a full path or shorthand device name


FATAL: all hosts have already failed -- aborting

This seemed to correspond with the tank_ada1.nop device disappearing (on the kernel messages). Debugging a little bit, it seems like it was caused by the zpool import -f call in the zpool module.

It seems like that call triggers a write, or some sort of access which causes FreeBSD to remove the gnop device, and thus the later call that tries to create the pool to fail. A simple way to fix this is to zero out the first few and last few sectors of the partition, and verify that zpool can't find any pools by running zpool import manually.

generate ssh server key locally (and set fingerprint automatically)

currently, during bootstrapping, if there is no ssh server key amongst the host's bootstrap files, the cert is generated on the server and its fingerprint is printed for the user to enter into the configuration file (ploy.conf).

It would be more convenient, if in that case the key was generated on the client side, then transferred and its fingerprint was automatically added to the configuration.

IOW if a local cert is specified but no explicit fingerprint, we should generate the fingerprint from that and set it, instead.
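The derivation the issue asks for, as an added example that is not bsdploy's own code: build an OpenSSH public-key line from a constructed (not real) Ed25519 key, compute its fingerprints in the two formats ssh-keygen -l prints, and apply the rule "explicit fingerprint in ploy.conf wins, otherwise derive it from the local key". That ploy.conf takes the MD5 colon form is an assumption here; the SHA256 form is computed alongside it.

```python
import base64
import hashlib
import struct

# Constructed sample: a 32-byte stand-in for an Ed25519 public key, NOT a real host key.
FAKE_ED25519_KEY = bytes(range(32))


def _ssh_string(data):
    """Encode a byte string in SSH wire format (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Decode one SSH wire-format string from blob at offset; returns (value, new_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def build_pubkey_line(key_type, raw_key, comment=""):
    """Build the single line an ssh_host_*_key.pub file contains."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    line = "%s %s" % (key_type, base64.b64encode(blob).decode())
    return line + (" " + comment if comment else "")


def fingerprint_from_pubkey_line(line):
    """Return {'MD5': 'aa:bb:...', 'SHA256': 'SHA256:<base64, no padding>'}
    for an OpenSSH public-key line, mirroring what ssh-keygen -l prints."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    # The key type inside the blob must agree with the leading label;
    # a mismatch means the file is corrupt or was edited by hand.
    blob_type, _ = _read_ssh_string(blob, 0)
    if blob_type.decode() != fields[0]:
        raise ValueError("key type label %r does not match blob" % fields[0])
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha_b64}


def fingerprint_for_config(pub_line, explicit_fingerprint=None):
    """The rule from the issue: keep an explicit fingerprint if the config has one,
    otherwise derive it from the local key instead of trusting the server's output."""
    if explicit_fingerprint:
        return explicit_fingerprint
    return fingerprint_from_pubkey_line(pub_line)["MD5"]
```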

set fabric shell

currently, all fabric files must set the shell: env.shell = '/bin/sh -c' (because freebsd does not have bash installed by default as Fabric assumes)

Setting this in augment_instance however, produces

Traceback (most recent call last):
  File "/Users/tomster/Development/tools/bin/ploy", line 39, in <module>
    sys.exit(ploy.ploy())
  File "/Users/tomster/Development/bsdploy/src/ploy/ploy/__init__.py", line 490, in ploy
    return ctrl(argv)
  File "/Users/tomster/Development/bsdploy/src/ploy/ploy/__init__.py", line 484, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/Users/tomster/Development/bsdploy/src/ploy_fabric/ploy_fabric/__init__.py", line 209, in __call__
    instance.do(args.task, *task_args, **task_kwargs)
  File "/Users/tomster/Development/bsdploy/src/ploy_fabric/ploy_fabric/__init__.py", line 231, in do
    return tasks[task](*args, **kwargs)
  File "/usr/local/Cellar/python/2.7.6/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/tomster/Development/bsdploy/src/ploy_fabric/ploy_fabric/__init__.py", line 226, in callables
    yield callables
  File "/usr/local/Cellar/python/2.7.6/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/tomster/Development/bsdploy/src/ploy_fabric/ploy_fabric/__init__.py", line 122, in fabric_integration
    yield
  File "/usr/local/Cellar/python/2.7.6/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/tomster/Development/bsdploy/src/ploy_fabric/ploy_fabric/__init__.py", line 100, in fabric_env
    if connections.opened(env.host_string):  # pragma: no cover
AttributeError: 'HostConnectionCache' object has no attribute 'opened'

Following the Quickstart, I get a TypeError bootstrapping the Jailhost

After the ploy start ploy-demo I add the mentioned lines to the ploy.conf and run ploy bootstrap. It doesn't ask me for an SSH-Key, it just throws the following error:

The following files will be downloaded on the host during bootstrap:
http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/Latest/pkg.txz -> /mnt/var/cache/pkg/All/pkg.txz


Found the following disk devices on the system:
    cd0 ada0

Found the following network interfaces, now is your chance to update your rc.conf accordingly!
    em0 em1
Traceback (most recent call last):
  File "bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0.2', 'console_scripts', 'ploy')()
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/ploy/__init__.py", line 540, in ploy
    return ctrl(argv)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/ploy/__init__.py", line 532, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/bsdploy/__init__.py", line 42, in __call__
    instance.do('bootstrap', **{'bootstrap-yes': args.yes})
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/ploy_fabric/__init__.py", line 281, in do
    return tasks[task](*args, **kwargs)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/bsdploy/fabfile_mfsbsd.py", line 143, in bootstrap
    _bootstrap()
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/bsdploy/fabfile_mfsbsd.py", line 68, in _bootstrap
    rc_conf = bu.bootstrap_files['rc.conf'].read(template_context)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/bsdploy/bootstrap_utils.py", line 79, in read
    result = self.template_from_file(dirname(self.local), self.local, context)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/lazy/lazy.py", line 28, in __get__
    value = self.__func(inst)
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/bsdploy/bootstrap_utils.py", line 73, in template_from_file
    inject_ansible_paths()
  File "/Users/fh/src/ploy/lib/python2.7/site-packages/ploy_ansible/__init__.py", line 41, in inject_ansible_paths
    C.DEFAULT_MODULE_PATH = pathsep.join([pathsep.join(extra_library), C.DEFAULT_MODULE_PATH])
TypeError: sequence item 1: expected string, NoneType found

ezjail and /etc/jail.conf

As ezjail still does not support the new /etc/jail.conf style, and the day comes closer where FreeBSD will drop support for the legacy rc jail conf, what is the solution for the not so far future?

paramiko error

Exception in thread Thread-5 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
File "/usr/lib64/python2.7/threading.py", line 801, in __bootstrap_inner
File "/home/samson/MyRepos/GIT/bsdploy/eggs/paramiko-1.18.2-py2.7.egg/paramiko/transport.py", line 1803, in run
<type 'exceptions.AttributeError'>: 'NoneType' object has no attribute 'error'

ploy configure fails when machine is patched

@tomster @fschulze

I have set firstboot-update = true and after ploy configure, Ansible task produces this error:

TASK: [jails_host | Initialize ezjail (may take a while)] ********************* 
failed: [] => {"changed": true, "cmd": ["ezjail-admin", "install", "-h", "ftp.freebsd.org", "-r", "10.1-RELEASE-p16"], "delta": "0:00:09.344013", "end": "2015-08-19 22:24:40.206795", "rc": 1, "start": "2015-08-19 22:24:30.862782", "warnings": []}
stderr: fetch: ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/snapshot/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/releases/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/snapshots/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/amd64/10.1-RELEASE-p16/base.txz: File unavailable (e.g., file not found, no access)

Could not fetch base from ftp://ftp.freebsd.org.
  Maybe your release (10.1-RELEASE-p16) is specified incorrectly or the host ftp.freebsd.org does not provide that release build.
  Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.
stdout: Querying your ftp-server... The ftp server you specified (ftp.freebsd.org) seems to provide the following builds:
total 8
lrwxr-xr-x  1 1006  1006   18 Nov 12  2014 10.1-RELEASE -> amd64/10.1-RELEASE
lrwxr-xr-x  1 1006  1006   18 Aug 12 18:59 10.2-RELEASE -> amd64/10.2-RELEASE
lrwxr-xr-x  1 1006  1006   17 Jul 11  2014 9.3-RELEASE -> amd64/9.3-RELEASE
-rw-rw-r--  1 1006  1006  637 Nov 23  2005 README.TXT
drwxrwxr-x  6 1006  1006  512 Aug 13 20:09 amd64

FATAL: all hosts have already failed -- aborting


It is obvious that it cannot find the resources because it put the p16 string into the URL and such a URL does not exist.

However, it is questionable what is the solution to this.

enable gateway in rc.conf fails

While running ploy configure I get an error at the Enable gateway in rc.conf step (using the latest master build):

gateway does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)

msg: unable to determine rcvar

I am a complete beginner in FreeBSD (and in BSD systems in general) so my findings may be obvious to you.

The ansible service module tries to get the service status before enabling/disabling it and as there is no gateway file in /etc/rc.d/ this fails.

This happens only after the recent change to pf.yml as seen in this changeset.

After resetting to this commit everything works as described.

nat can end up in `round-robin` state

When configuring a jailhost on digitalocean, its network may end up looking like this

root@meenix:~ # pfctl -s nat
nat on vtnet0 inet from 10.0.0.2 to any -> (vtnet0) round-robin
…

This will cause the jails' networking to be an order of magnitude slower than on the body. I don't know what this is caused by; it could have something to do with digitalocean's default private network:

root@meenix:~ # ifconfig
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 3a:0c:c6:47:2f:12
        inet6 fe80::380c:c6ff:fe47:2f12%vtnet0 prefixlen 64 scopeid 0x1 
        inet6 2a03:b0c0:3:d0::3585:b001 prefixlen 64 
        inet 207.154.239.110 netmask 0xfffff000 broadcast 207.154.239.255 
        inet 10.19.0.6 netmask 0xffff0000 broadcast 10.19.255.255 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 1e:4f:85:54:53:2c
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo 
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.0.0.2 netmask 0xffffffff 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo 
root@meenix:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            207.154.224.1      UGS      vtnet0
10.0.0.2           link#4             UH          lo1
10.19.0.0/16       link#1             U        vtnet0
10.19.0.6          link#1             UHS         lo0
127.0.0.1          link#3             UH          lo0
207.154.224.0/20   link#1             U        vtnet0
207.154.239.110    link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           2a03:b0c0:3:d0::1             UGS      vtnet0
::1                               link#3                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a03:b0c0:3:d0::/64               link#1                        U        vtnet0
2a03:b0c0:3:d0::3585:b001         link#1                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%vtnet0/64                  link#1                        U        vtnet0
fe80::380c:c6ff:fe47:2f12%vtnet0  link#1                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
root@meenix:~ #

I changed the nat rule to nat on vtnet0 from lo1:network to any -> (vtnet0:0) and this made it work!

I don't know if changing the pf.conf template to:

{% for network in pf_nat_jail_networks %}
nat on {{ pf_nat_interface }} from {{ network }} to any -> ({{ pf_nat_interface }}:0)
{% endfor %}

would make it work for everyone.
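A check for the condition described in this issue, as an added example that is not bsdploy's code: it parses ifconfig and pfctl -s nat output (constructed samples modelled on the output above) and flags nat rules that translate to a bare (ifname) while that interface carries more than one IPv4 address, which is when pf expands the interface to all of its addresses and falls into round-robin; (ifname:0) excludes the aliases.

```python
import re

# Constructed samples, shortened from the issue's ifconfig and pfctl -s nat output.
IFCONFIG_SAMPLE = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 207.154.239.110 netmask 0xfffff000 broadcast 207.154.239.255
        inet 10.19.0.6 netmask 0xffff0000 broadcast 10.19.255.255
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.0.0.2 netmask 0xffffffff
"""
PFCTL_NAT_SAMPLE = "nat on vtnet0 inet from 10.0.0.2 to any -> (vtnet0) round-robin\n"
PFCTL_NAT_FIXED = "nat on vtnet0 inet from 10.0.0.0/24 to any -> (vtnet0:0)\n"

# Translation target of a nat rule: "(ifname)" or "(ifname:0)".
NAT_RULE = re.compile(r"^nat on (\S+) .*-> \((\S+?)(:0)?\)")


def inet_addresses(ifconfig_text):
    """Map interface name -> list of IPv4 addresses found in ifconfig output."""
    result = {}
    current = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            result[current] = []
            continue
        addr = re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)", line)
        if addr and current is not None:
            result[current].append(addr.group(1))
    return result


def check_nat_rules(pfctl_text, addrs):
    """Return one finding per nat rule whose translation is an unpinned (ifname)
    on an interface with several IPv4 addresses, with the (ifname:0) rewrite."""
    findings = []
    for line in pfctl_text.splitlines():
        m = NAT_RULE.match(line)
        if not m:
            continue
        _on_if, to_if, pinned = m.groups()
        count = len(addrs.get(to_if, []))
        if pinned is None and count > 1:
            findings.append({
                "rule": line,
                "interface": to_if,
                "addresses": count,
                "suggested": line.split("->")[0] + "-> (%s:0)" % to_if,
            })
    return findings
```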
