-- Leo's gemini proxy

-- Connecting to omg.pebcak.club:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini;lang=en

Telescope on FreeBSD 13 Inside a Jail


This topic is totally new for me and it took additional to understand and get this done. Jails are confined environments to isolate services and/or processes, but you can do whatever you want with jails. The use case here is to mess up with unstable/development software while keep the system clean.

If you trust the source of a software, whereas is git repo or tarball, you probably do not need to jump through all these loopholes to get a simple TUI Gemini client, however it may be worthy to give it a try.

FreeBSD offers a variety of solution which I will not examine here but I'd like to leave a couple links:

FreeBSD Handbook: Jail.

Michael W. Lucas - FreeBSD Jail Management Tools

By my hand I decided to use "ezjail" for two reason it looks like is well documented anywhere on the internet and it is written in shell hence does not requires additional packages.

> "From Micahel W. Lucas: ezjail – perhaps the best known jail management tool. Written entirely in shell."

Let's Start

The official documentations miss specific parts that might be trivials for expert sysadmins but are complicated to handle for desktop users; so far all the information I needed to complete this documentations are here:

EZJail: quick start





Setup ezjail

To begin install the software:

doas pkg install ezjail

Add a loopback interface in /etc/rc.conf


Enable the loopback interface:

doas service netif cloneup

Create a pool for the jail

Ezjail can benefit from zfs, create the pool:

doas zfs create zroot/usr/jails

Modify the /usr/local/etc/ezjail.conf

# ZFS options

# Setting this to YES will start to manage the basejail and newjail in ZFS

# Setting this to YES will manage ALL new jails in their own zfs

# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir

Start the service:

doas service ezjail start

Populate the jail with "a basejail based on the FreeBSD RELEASE matching that of the host computer":

doas ezjail-admin install -p

Before to create the jail we should look about the network interfaces:

ifconfig -a

This is the output from this VM:

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether c6:f9:61:62:68:ba
	inet netmask 0xffffff00 broadcast

We already knew the interface is ue0 because the tethering, we then chose an IP from the internal network; for the jail I am going to use:; just right next the IP of the VM.

Create the jail

I am going to call this "gem":

doas ezjail-admin create gem 'lo1|,ue0|'

some errors:

Warning: Some services already seem to be listening on all IP, (including
  This may cause some confusion, here they are:
ntpd     ntpd       9197  20 udp6   *:123                 *:*
ntpd     ntpd       9197  21 udp4   *:123                 *:*
Warning: Some services already seem to be listening on all IP, (including
  This may cause some confusion, here they are:
ntpd     ntpd       9197  20 udp6   *:123                 *:*
ntpd     ntpd       9197  21 udp4   *:123                 *:*

Here is the fix:


"For syslogd(8) add this to rc.conf:""


Restart syslogd:

doas service syslogd restart

Allow ping and other stuff modifying:


doas sysctl security.jail.allow_raw_sockets=1

Make this setting permanent editing "/etc/sysctl.conf"



doas micro /usr/local/etc/ezjail/gem

modify this line:

export jail_gem_parameters="allow.raw_sockets=1"

Start the jail

doas ezjail-admin start gem

a warning message:

> /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.

Admin the Jail

To begin:

Copy "resolv.conf" file from the host into the jail:

doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf

Go inside the Jail:

doas ezjail-admin console gem

Change root password:

# passwd
Changing local password for root
New Password:
Retype New Password:

Add user, I am going to create the same user I have to my VM, the reason will be explained later:


Time zone configuration (1/2):


> The jail’s time zone can be set with tzsetup(8). To avoid spurious error messages, the adjkerntz(8) entry in /etc/crontab can be commented or removed. This job attempts to update the computer’s hardware clock with time zone changes, but jails are not allowed to access that hardware.

Time zone configuration (2/2) - edit crontab commenting the voice: "adjkerntz".

ee /etc/crontab

Edit /etc/host:

ee /etc/hosts

Add address and the jail name:

::1             localhost localhost.my.domain		localhost localhost.my.domain  gem.my.domain gem

Installing dependencies, begin with:

pkg install doas

This will request to install PKG, say: y.

Setup doas as did before:

ee /usr/local/etc/doas.conf

Copy inside:

# Sample file for doas
# Please see doas.conf manual page for information on setting
# up a doas.conf file.

# Permit members of the wheel group to perform actions as root.
permit :wheel

# Permit user your user to run commands a root user.
permit nopass "YOUR-USER" as root

Here finishes the setup of the jail.

Install Telescope dependencies:

Things are getting cocky!

pkg install git libretls ncurses libevent byacc autotools pkgconf

Exit jail and re-enter as normal user with:

doas ezjail-admin console -e "/usr/bin/login -f freezer" gem

Cloning Telescope from git:

git clone https://git.omarpolo.com/telescope.git
cd telescope

if it fails hence:

./configure CFLAGS='-I /usr/local/include' LDFLAGS='-L /usr/local/lib'
doas make install

Bind the Telescope to your home editing "/etc/fstab.gem"

/usr/home/freezer/.config/telescope /usr/jails/gem/usr/home/freezer/.config/telescope	nullfs rw 0 0

Now the "jailed" Telescope is bound with the real home, since jail and my home share the same name, the process is totally transparent.

Last thing to do is to compile and enabling DucklingProxy. This is exactly why the jail comes handy because I do not code, I do not understand anything about go, and I do not want go installed on my real system but I do not care messing the jail, which is exactly the meaning of all of this documentation!


Duckling-Proxy is a proxy utility that translate HTML pages in GEMTEXT pages, it has many limitations hence pages that rely heavily on javascript and the like will not even rendered but the so called "small web" should be rendered almost readable.

The utility is written in GO thus is necessary install the GO environment.

Installing GO

Go is available as port:

cd /usr/ports/lang/go/
doas make install clean

Installing Duckling-Proxy

I was unable to compile it on Linux but on FreeBSD has been a breeze:

git clone https://github.com/LukeEmmet/duckling-proxy.git
cd duckling-proxy

Duckling-Proxy requires certificate to work, you can reuse ones that you already have or create brand new certificate

All the information to setup Duckling-Proxy are already available here:

Watching the Gemini-space through a "Telescope" (part 3)

If Internet is not working anymore!

I recently realized that since the connection is using DHCP your IP may change and therefore the jail cannot communicate with the external, if you notice it you can verify running an "ifconfing" command:

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 22:4d:fb:19:d0:b1
    inet netmask 0xffffff00 broadcast
    inet netmask 0xffffffff broadcast

As you can see the first inet line is your current IP address:

inet netmask 0xffffff00 broadcast

While the second inet line is the one that has been setup accordingly to this documentation:

inet netmask 0xffffffff broadcast

In order to restore the connection you must follow the following step:

Into the jail modifying "/etc/hosts":		localhost localhost.my.domain		gem.my.domain	gem # this entry has been updated

Since the new current host IP is I used the same rule I used the very first time and I assigned to the jail the next IP number.

Exit and stop the jail:

doas service ezjail stop

Recopy again the "resolv.conf" file from the host into the jail:

doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf

Modifying the "/usr/local/etc/ezjail/gem", update this entry "jail_gem_ip" with the new IP after "ue0|":

export jail_gem_ip="lo1|,ue0|"

Save the file and start the jail:

doas service ezjail start

Now the connection should be re-enabled!

Updating the Jail

This is something that I had to deal recently.

Apparently the "good way" to use the jails is building the "world", basically regenerating the whole three ports and therefore using the ports collection rather than the packages.

> Apparently the "good way" to use the jails is building the "world"

I used instead packaging because building the world might be blazing fast on a server class computer but is awfully slow on limited virtual machine. Also the use of packaging help when you try to simulate what you are going to do to your real OS.

I tested all the commands as for the documentation:

FreeBSD Handbook: 15.6. Managing Jails with ezjail

But for this case specifically the following one is the correct:

doas ezjail-admin update -u

Which produces a lot of warnings:

Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
mtree: /usr/jails/newjail//boot/kernel: No such file or directory
mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
Could not create kernel backup directory

Those warnings should not represent any issues since:

> It's not failing actually, it's only complaining there's no source and no kernel. Both of which can be ignored.


> is purely cosmetic.

As reported here:

FreeBSD Forum: Updating jails with ezjail-admin fails

Wrapping This Up!

Now you can test or run development versions of Telescope in jail while using the releases outside the jail, you can also copy the binary of duckling-proxy in your home run it from there while keeping the go dependencies only live in the jail.

I don't think I have anything else to add hence you can come back to Part 03:

↩ Go back to "Part 03"

For comments or suggestion write me at:

freezr AT disroot DOT org

↩ go back

> (last edit February 2, 2022)

-- Response ended

-- Page fetched on Sat Jun 1 07:57:18 2024