Linux Jails (sandboxes / containers) with Jailmaker

In your testing, does the new Apps support VLAN’s? I have VLAN’s tagged on my NAS’s ports and would love to put certain apps into their own VLAN’s.

Sorry, haven’t tested that.

I’ll have to spin up a VM and give it a shot. Thanks!

hi, I’m able to acces other lan ips, but the one on which server is running.

Schermafbeelding 2024-08-23 om 15.11.11970×1122 73 KB

… I’ve set it up following you tips with these flags:
tailscale up --advertise-routes=192.168.0.0/24 --advertise-exit-node

and this is the config

  GNU nano 7.2                                            /mnt/ssd-storage/jailmaker/jails/tailscale/config                                                     
startup=1
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
# Turning off seccomp filtering improves performance at the expense of security
seccomp=1

# Below you may add additional systemd-nspawn flags behind systemd_nspawn_user_args=
# To mount host storage in the jail, you may add: --bind='/mnt/pool/dataset:/home'
# To readonly mount host storage, you may add: --bind-ro=/etc/certificates
# To use macvlan networking add: --network-macvlan=eno1 --resolv-conf=bind-host
# To use bridge networking add: --network-bridge=br1 --resolv-conf=bind-host
# Ensure to change eno1/br1 to the interface name you want to use
# To allow syscalls required by docker add: --system-call-filter='add_key keyctl bpf'
systemd_nspawn_user_args=--capability=CAP_NET_ADMIN

# Specify command/script to run on the HOST before starting the jail
# For example to load kernel modules and config kernel settings
pre_start_hook=
# pre_start_hook=#!/usr/bin/bash
#     set -euo pipefail
#     echo 'PRE_START_HOOK_EXAMPLE'
#     echo 1 > /proc/sys/net/ipv4/ip_forward
#     modprobe br_netfilter
#     echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
#     echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

# Specify command/script to run on the HOST after starting the jail
# For example to attach to multiple bridge interfaces
# when using --network-veth-extra=ve-myjail-1:veth1
post_start_hook=
# post_start_hook=#!/usr/bin/bash
#     set -euo pipefail
#     echo 'POST_START_HOOK_EXAMPLE'
#     ip link set dev ve-myjail-1 master br2
#     ip link set dev ve-myjail-1 up

^G Help         ^O Write Out    ^W Where Is     ^K Cut          ^T Execute      ^C Location     M-U Undo        M-A Set Mark    M-] To Bracket  M-Q Previous
^X Exit         ^R Read File    ^\ Replace      ^U Paste        ^J Justify      ^/ Go To Line   M-E Redo        M-6 Copy        ^Q Where Was    M-W Next

Need a little expert Unix help. Got jailmaker / dockge up and working thanks to your awesome video. The only thing I cannot get working correctly is the startup script. For whatever reason, it doesn’t start dockge automatically.

Capture423×629 11.9 KB

I have tried the three scripts, but I think I am missing up some stupid syntax. After rebooting like 10+ times with different variants of this, I gave up and came here.

/mnt/software/jailmaker/jailmaker/./jlmkr.py startup

/mnt/software/jailmaker/jailmaker/ ./jlmkr.py startup
(put a space)

/mnt/software/jailmaker/jailmaker/./jlmkr.py start docker

/mnt/software/jailmaker/jailmaker/ ./jlmkr.py start docker
(added a space)

Anyway its not the end of the world if I have to manually fire this up every time I reboot, but I was wondering if there is some kind of magic to the Truenas INIT script to mimic the following actions that 100% work every time. (Its not a timeout issue too because I even set it to 180 seconds to check)

I can 100% confirm that when I go to shell and type:

cd /mnt/software/jailmaker/jailmaker/

then type:

./jlmkr.py start docker

it starts up and works as intended.

Appreciate the feedback

Change that to:
/mnt/software/jailmaker/jailmaker/jlmkr.py startup
(Removing the period and slash, since it isn’t used when you give the absolute path)

Also, there shouldn’t be a jailmaker/jailmaker

My guess there is you forgot the “.” When doing the git clone

Thanks. I can live with the double /jailmaker file structure per Stux. I guess I dropped something somewhere.

Notwithstanding the fact that both of you have forgotten more about Unix commands than I will ever know, I would like to raise a point of contention to the following quote:

Change that to:
/mnt/software/jailmaker/jailmaker/jlmkr.py startup
(Removing the period and slash, since it isn’t used when you give the absolute path)

The new format of the jailmaker not in the video seems to require “./jlmkr.py” even in the very same directory it was installed in. Its not a folder issue, apparently the authors of this want you to type this each and every time you use it.

For example see the shell command history here:

Look, as I said, I’ll go with what you wrote. But what you are writing is not compatible with the “new and improved” version of jailmaker. I am 100% certain it will work with the STUX version of jailmaker shown in the video, but not so sure it will work with the new version.

Maybe I have to torture the alias part of this program to make ./ go away (is that the reason we have to create the alias on the new version - I’m too noob to know), but I am at a loss as to why we couldn’t stick with the original “Stux” version of jailmaker shown in the video.

Yes, setting up a jlmkr alias will make it go away.

And yes, I agree.

If you type: echo $PATH on the command line, do you see /mnt/software/jailmaker/jailmaker in the list of directories?

If not you can typically go to the shell.rc file in your $HOME directory and add a quick configuration to remove the need for the ./.

PATH="$PATH:/mnt/software/jailmaker/jailmaker:"
export PATH

If you use BASH you can look for similar lines and add something like that to the file called .bashrc.

BASH = .bashrc
ZSH  = .zshrc
CSH  = .cshrc
etc.

The formula is the colon is the directory seperator.

PATH="$PATH:/a/loction/you/need/to/add:"
So, if you look at that statement:

1. Use the variable called PATH
2. Add whatever definition that PATH variable currently has and
3. Append a new path
4. Add a another colon to save your self from forgetting to add it next time you add another directory.
5. export means “make this available for use”.

NOTE: Go slow and make sure you understand what you are doing before editing that file.

This ended up being a bit wordy, if the contents below isn’t useful to you, I misread your post.

The usage of ./ is part of most *nix-based operating systems, there is nothing unique about it’s interactions with jailmaker.

When you type a command like cd, ls or nano, the operating system searches for said command in the places defined in the PATH environment variable, as described by @John. If the command is not found in any of those locations, you get an error message, for example “command not found”.

Not looking in the current directory by default is a good security feature, reducing the risk of you running a rogue ls someone put in an directory you happen to navigate through. You can always find out where a command defined in the PATH resides by typing “which command” like so:

% which ls
/usr/bin/ls

So what do you do when you specifically want to run a command or a script in this case, from a folder you are currently in, a place not defined in the current PATH environment^[1]? That’s when the prefix ./ comes into the picture. The period . is shorthand for the current directory, so the combination with the separator slash / results in ./ which gives you the relative path pointing to the directory you are in.

Other places this shows up is if you ever use the ls-command in list format ls -al.
Take a look at the very top two rows of this sample ls -al output:

total 373
drwx------ 6 admin  admin      18 Aug 27 18:55 .
drwxr-xr-x 4 root   root        4 Mar 26 18:32 ..
-rw-r--r-- 1 admin  admin     220 May  4  2022 .bash_logout
-rw-r--r-- 1 admin  admin    3526 May  4  2022 .bashrc
drwx------ 3 admin  admin       3 May 23  2022 .config

The top row with the trailing . shows the owner and permissions of the current directory.
The second row gives a hint of the sibling to . namely .. which shows the owner and permissions of the parent directory.

The double period can also be used in relative paths. Typing ls .. will show you the contents of the the parent directory. It’s also an integral part of the cd command, since you use it to go back up one level with cd ... Using mv samplefile.txt ../../Downloads will attempt to move samplefile.txt from the current directory up two levels and then into the Downloads-directory.

The jailmaker script follows the same rules. Traversing to the jailmaker directory in a shell and typing ./jlmkr tells the shell to try to run a command called jlmkr in the directory you are in. Great for when you want to run it manually without having to go through the hassle of adding it to a PATH, not so good when you want to run it in a POSTINIT event where the “current directory” is a trickier matter.

Bonus bits
Other similar shorthands you probably stumbled over are:
~ (Tilde) This points to the user’s home directory and can be used in most commands as shorthand in paths and the like, like so: ls ~/Downloads will show me the contents of the Downloads directory in my home folder, no matter what my current working directory is.
/ (A single slash) This is shorthand for the very top level of the file system. This can be very helpful but is also associated with risks if you accidentally put a lone slash in an rm-command or similar. Sample usage cd / immediately navigates you to the top level of the file system.

1. Another options is to use the absolute paths, like you were trying to do, but with the corrections added.
   
   Lastly, you could put the command/script in a location already in the PATH variable or update the PATH to also include the location of the command.
   
   For the purpose of running a script, the absolute path is likely going to be one of the more stable options since the defined PATH at any specific moment can sometimes surprise you. ↩︎

Hi John / Neofusion,
I appreciate the help and support. In terms of unix commands, I feel like a Chem 101 student being explained the nuances of brain surgery from the dean of Harvard medical school (you, John, Stux). I’m going to take it real slow.

I really appreciate the basic explanation of the unix commands. Up until this point, my googling of explanations of these commands leads me to way off topic, special use case examples on reddit, discord, etc. I pretty much just copy and paste a lot of the youtube help.

I actually feel really bad because my OP was originally trying to save me time by not having to hard reboot my system 20+ times trying get dockge to start on boot. For whatever reason I could not get it to work with or without the start. That said I have burnt through a lot of YOUR time explaining basic unix command shortcuts to me here. For what its worth I apologize.

From my reading of both your posts, editting the shell.rc file to do pretty much allows me to use jlmkr.py in ANY directory outside of the one it was installed in with the alias systems. (in my case the /mnt/software…/jailmaker directory)

That said, what I am not clear on is what to write in the INIT script to get it start.

In the event I leave it as is, my understanding is that this command will work

/mnt/software/jailmaker/jailmaker/./jlmkr.py startup

or

/mnt/software/jailmaker/jailmaker/./jlmkr.py start docker

If I get this BASH change to work I would then type either

/mnt/software/jailmaker/jailmaker/jlmkr.py startup
(^^ what Stux used in his instance)
or

/mnt/software/jailmaker/jailmaker/jlmkr.py start docker

I do not. I don’t even have a shell.rc file anywhere.

I feel bad. I am certain you are used to high level unix guys who just know to create custom installs of Truenas their own way using only a terminal, and just know to do this by default.

I have a confession: I followed this video to a T to install Truenas Dragonfish.

I promise you, EVERY setting with the exception of the password, is identical to what this IX guy did, with the exception being the double jailmaker brainfart setting you pointed out. Maybe I fast forwarded it, but I never saw Chris in his videos create, edit or manage a shell.rc file. I don’t know what else to say. I even ran a full system scan with WinSCP and don’t have a single instance of shell.rc anywhere on the computer. Maybe I’m just not ready for the big leagues.

For now I am just going to politely and with utmost humility back out of this conversation and get down to focus understanding unix basics and best practices before I post anything else. I feel like “y” in this video on this forum:

Sincerely appreciate the support and help. I just managed to get this far being a hack copy and paster.

No problem from my end (I spent 10-15 minutes sofar but neofusion looks to have spent a few more on that nice write up).

Yes, things like this should get installed somewhere on your PATH because then issuing commands is very much easier.

I like to create a folder in my home directory called bin and place scripts/programs/whatnot in there. The $(HOME)/bin directory is in my $PATH already so after I place stuff in there I can use it right away.

Now, I did some homework on this but you’ll have to bear with me because I do not use SCALE.

1. It looks like the default shell for ADMIN is zsh so you would edit the .zshrc file.
2. I found this ‘alias’ you mentioned, on the jailmaker github page.
   2a. I’d like to propose a slight modification to that instruction line
   (this is where a Linux user might point out any mistakes I may make
   in this because I am not much of a Linux user and my instruction
   may be slightly “off”).
   2b. I’d propose posting that alias to the “global alias” group with something like:

echo "alias jlmkr=\"sudo -E '/mnt/mypool/jailmaker/jlmkr.py'\"" >> ~/etc/profile.d/global.alias.sh

Now, that said, if I were you, I would do the $(HOME)/bin method because it could save you from having to do the alias thing for every “helper thing” you grab from the internet.

And, that aside, scripts like this should have a method to (un)install. I sent a message to Stux but now that I look at that github repo I don’t think he’s the author of jailmaker (Sorry for the message then, Stux I thought you were the author). I whipped up a quick makefile/configure script I can send to someone with git to create a pull request if they want. Hit me up.

You are 100pct correct in taking it slow. Ask questions (no question is dumb).

lol …sounds good. *thumbs-up*

And I suppose you shouldn’t need to.
But there’s no reason for that single dot to appear in an absolute path…

I suggest getting familiar with the most basic Unix commands (cd, ls, pwd: just enough to always know where you’re working), and then creating another sandbox, taking it slowly and double checking every step.

Not quite.

• Simplified I’d say that an “absolute path” is a path that starts with a slash. It often results in longer paths, but the upside is that they always point to exactly where something is.
• Relative paths point to a place in the file system relative to where you currently are. Less to type, but more geared to when you’re typing things out by hand, not in scripts.
  That single dot should never be used in an absolute path, it only makes sense when working with relative paths, to save time.

Almost.

You don’t need to muck around with PATHs and rc-files. They just make it easier when you manually work in a shell and type commands.

The two paths you wrote here are valid absolute paths. The first one especially would work fine in the POSTINIT event, assuming that is the location you have jailmaker installed. If you feel you are out of your depth, just do that one. (for reference, compare it to the official text instructions in the github. Note how Jip-Hop showcases how to autostart jails on boot using a basic absolute path.)

Thanks. I’ll digest a lot of this and lurk in the shadows for a bit while longer. This was very informative.

Thanks

This fixed mine as well. I’d tried it when I first setup Dockge to replace TrueCharts, but hit this issue. It wasn’t a showstopper to me at the time as I was using the native PiHole app rather than a TrueCharts one (I was trying to get a backup of all my apps in Dockge just in case).

Is there a way to pass a USB serial device to jailmaker? Im trying to get a zwave device working with homeassistant.