-- Leo's gemini proxy
-- Connecting to warp.geminispace.club:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;lang=en
This topic is totally new for me and it took additional to understand and get this done. Jails are confined environments to isolate services and/or processes, but you can do whatever you want with jails. The use case here is to mess up with unstable/development software while keep the system clean.
If you trust the source of a software, whereas is git repo or tarball, you probably do not need to jump through all these loopholes to get a simple TUI Gemini client, however it may be worthy to give it a try.
FreeBSD offers a variety of solution which I will not examine here but I'd like to leave a couple links:
By my hand I decided to use "ezjail" for two reason it looks like is well documented anywhere on the internet and it is written in shell hence does not requires additional packages.
> "From Micahel W. Lucas: ezjail – perhaps the best known jail management tool. Written entirely in shell."
The official documentations miss specific parts that might be trivials for expert sysadmins but are complicated to handle for desktop users; so far all the information I needed to complete this documentations are here:
To begin install the software:
doas pkg install ezjail
cloned_interfaces="lo1" ezjail_enable="YES"
doas service netif cloneup
Ezjail can benefit from zfs, create the pool:
doas zfs create zroot/usr/jails
# ZFS options # Setting this to YES will start to manage the basejail and newjail in ZFS ezjail_use_zfs="YES" # Setting this to YES will manage ALL new jails in their own zfs ezjail_use_zfs_for_jails="YES" # The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir ezjail_jailzfs="zroot/usr/jails"
doas service ezjail start
doas ezjail-admin install -p
ifconfig -a
This is the output from this VM:
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 ether c6:f9:61:62:68:ba inet 192.168.32.213 netmask 0xffffff00 broadcast 192.168.32.255 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
We already knew the interface is ue0 because the tethering, we then chose an IP from the internal network; for the jail I am going to use: 192.168.32.214; just right next the IP of the VM.
I am going to call this "gem":
doas ezjail-admin create gem 'lo1|127.0.1.1,ue0|192.168.32.214'
some errors:
Warning: Some services already seem to be listening on all IP, (including 127.0.1.1) This may cause some confusion, here they are: ntpd ntpd 9197 20 udp6 *:123 *:* ntpd ntpd 9197 21 udp4 *:123 *:* Warning: Some services already seem to be listening on all IP, (including 192.168.32.214) This may cause some confusion, here they are: ntpd ntpd 9197 20 udp6 *:123 *:* ntpd ntpd 9197 21 udp4 *:123 *:*
Here is the fix:
"For syslogd(8) add this to rc.conf:""
syslogd_flags="-ss"
Restart syslogd:
doas service syslogd restart
Allow ping and other stuff modifying:
"/etc/sysctl.conf"
doas sysctl security.jail.allow_raw_sockets=1
Make this setting permanent editing "/etc/sysctl.conf"
#jail security.jail.allow_raw_sockets=1
"/usr/local/etc/ezjail/gem"
doas micro /usr/local/etc/ezjail/gem modify this line: export jail_gem_parameters="allow.raw_sockets=1"
Start the jail
doas ezjail-admin start gem
a warning message:
> /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.
To begin:
Copy "resolv.conf" file from the host into the jail:
doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf
Go inside the Jail:
doas ezjail-admin console gem
Change root password:
# passwd Changing local password for root New Password: Retype New Password:
Add user, I am going to create the same user I have to my VM, the reason will be explained later:
adduser
Time zone configuration (1/2):
tzsetup
> The jail’s time zone can be set with tzsetup(8). To avoid spurious error messages, the adjkerntz(8) entry in /etc/crontab can be commented or removed. This job attempts to update the computer’s hardware clock with time zone changes, but jails are not allowed to access that hardware.
Time zone configuration (2/2) - edit crontab commenting the voice: "adjkerntz".
ee /etc/crontab
Edit /etc/host:
ee /etc/hosts
Add address and the jail name:
::1 localhost localhost.my.domain 127.0.1.1 localhost localhost.my.domain 192.168.32.214 gem.my.domain gem
Installing dependencies, begin with:
pkg install doas
This will request to install PKG, say: y.
Setup doas as did before:
ee /usr/local/etc/doas.conf
Copy inside:
# Sample file for doas # Please see doas.conf manual page for information on setting # up a doas.conf file. # Permit members of the wheel group to perform actions as root. permit :wheel # Permit user your user to run commands a root user. permit nopass "YOUR-USER" as root
Here finishes the setup of the jail.
Things are getting cocky!
pkg install git libretls ncurses libevent byacc autotools pkgconf
Exit jail and re-enter as normal user with:
doas ezjail-admin console -e "/usr/bin/login -f freezer" gem
Cloning Telescope from git:
git clone https://git.omarpolo.com/telescope.git cd telescope ./autogen.sh ./configure
if it fails hence:
./configure CFLAGS='-I /usr/local/include' LDFLAGS='-L /usr/local/lib' make doas make install telescope
Bind the Telescope to your home editing "/etc/fstab.gem"
/usr/home/freezer/.config/telescope /usr/jails/gem/usr/home/freezer/.config/telescope nullfs rw 0 0
Now the "jailed" Telescope is bound with the real home, since jail and my home share the same name, the process is totally transparent.
Last thing to do is to compile and enabling DucklingProxy. This is exactly why the jail comes handy because I do not code, I do not understand anything about go, and I do not want go installed on my real system but I do not care messing the jail, which is exactly the meaning of all of this documentation!
Duckling-Proxy is a proxy utility that translate HTML pages in GEMTEXT pages, it has many limitations hence pages that rely heavily on javascript and the like will not even rendered but the so called "small web" should be rendered almost readable.
The utility is written in GO thus is necessary install the GO environment.
Go is available as port:
cd /usr/ports/lang/go/ doas make install clean
I was unable to compile it on Linux but on FreeBSD has been a breeze:
git clone https://github.com/LukeEmmet/duckling-proxy.git cd duckling-proxy
Duckling-Proxy requires certificate to work, you can reuse ones that you already have or create brand new certificate
All the information to setup Duckling-Proxy are already available here:
I recently realized that since the connection is using DHCP your IP may change and therefore the jail cannot communicate with the external, if you notice it you can verify running an "ifconfing" command:
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 ether 22:4d:fb:19:d0:b1 inet 192.168.170.198 netmask 0xffffff00 broadcast 192.168.170.255 inet 192.168.32.214 netmask 0xffffffff broadcast 192.168.32.214 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
As you can see the first inet line is your current IP address:
inet 192.168.170.198 netmask 0xffffff00 broadcast 192.168.170.255
While the second inet line is the one that has been setup accordingly to this documentation:
inet 192.168.32.214 netmask 0xffffffff broadcast 192.168.32.214
In order to restore the connection you must follow the following step:
Into the jail modifying "/etc/hosts":
127.0.1.1 localhost localhost.my.domain 192.168.170.199 gem.my.domain gem # this entry has been updated
Since the new current host IP is 192.168.170.198 I used the same rule I used the very first time and I assigned to the jail the next IP number.
Exit and stop the jail:
exit doas service ezjail stop
Recopy again the "resolv.conf" file from the host into the jail:
doas cp /etc/resolv.conf /usr/jails/gem/etc/resolv.conf
Modifying the "/usr/local/etc/ezjail/gem", update this entry "jail_gem_ip" with the new IP after "ue0|":
export jail_gem_ip="lo1|127.0.1.1,ue0|192.168.170.199"
Save the file and start the jail:
doas service ezjail start
Now the connection should be re-enabled!
This is something that I had to deal recently.
Apparently the "good way" to use the jails is building the "world", basically regenerating the whole three ports and therefore using the ports collection rather than the packages.
> Apparently the "good way" to use the jails is building the "world"
I used instead packaging because building the world might be blazing fast on a server class computer but is awfully slow on limited virtual machine. Also the use of packaging help when you try to simulate what you are going to do to your real OS.
I tested all the commands as for the documentation:
But for this case specifically the following one is the correct:
doas ezjail-admin update -u
Which produces a lot of warnings:
Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory mtree: /usr/jails/newjail//boot/kernel: No such file or directory mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory Could not create kernel backup directory
Those warnings should not represent any issues since:
> It's not failing actually, it's only complaining there's no source and no kernel. Both of which can be ignored.
>
> is purely cosmetic.
As reported here:
Now you can test or run development versions of Telescope in jail while using the releases outside the jail, you can also copy the binary of duckling-proxy in your home run it from there while keeping the go dependencies only live in the jail.
I don't think I have anything else to add hence you can come back to Part 03:
For comments or suggestion write me at:
> (last edit February 2, 2022)
-- Response ended
-- Page fetched on Tue May 21 21:58:47 2024