An Ansible connection plugin for remotely provisioning FreeBSD jails separately from their jailhost.

This works by SSHing to the jail host using the standard Ansible SSH connection, moving any files into the jail directory, and using jexec to execute commands in the scope of the jail.

Control node (your workstation or deployment server):

• Ansible 1.9+
• Python 2.7

Jailhost:

• FreeBSD
• At least one configured jail
• Python 2.7
• SSH
• sudo

Target jail:

• Python 2.7

This is a "Connection Type Plugin", as outlined in the Ansible docs.

To install sshjail:

1. Clone this repo.
2. Copy or link sshjail.py to one of the supported locations:

• /usr/share/ansible/plugins/connection_plugins/sshjail.py
• path/to/your/toplevelplaybook/connection_plugins/sshjail.py

Using sshjail, each jail is its own inventory host, identified with a host name of jailname@jailhost. You must also specify ansible_connection=sshjail.

• jailname is the name of the jail. Typically jails are referred to by their hostname, like my-db-jail, but the actual name of the jail (by default) would be my_db_jail. sshjail will attempt to convert any non-word characters ([^a-zA-Z0-9_]) to underscores for the purposes of referring to jails by their actual name.
• jailhost is the hostname or IP address of the jailhost.

Also note that FreeBSD pkgng places Python at /usr/local/bin/python2.7 by default. Make sure to specify this with the ansible_python_interpreter variable!

The following inventory entries are examples of using sshjail:

# bare minimum
my-db-jail@192.168.1.100 ansible_python_interpreter=/usr/local/bin/python2.7 ansible_connection=sshjail

# sample vagrant configuration
my-db-jail ansible_ssh_host=my-db-jail@127.0.0.1 ansible_ssh_port=2222 ansible_python_interpreter=/usr/local/bin/python2.7 ansible_connection=sshjail ansible_ssh_user=vagrant

Adding these hosts dynamically, like after freshly creating them via Ansible, or by iterating over jls output, can be done via the built-in add_host module:

- name: add my-db-jail to ansible inventory
  add_host: name=my-db-jail groups=jails
            ansible_ssh_host=my-db-jail@{{ansible_ssh_host}}
            ansible_ssh_port={{ansible_ssh_port}}
            ansible_python_interpreter=/usr/local/bin/python2.7
            ansible_connection=sshjail

By default in FreeBSD, only root can do things inside jails. This means that when invoking ansible or ansible-playbook, you need to specify --become, and in a playbook, use become: yes/become_method: sudo. If sudo requires a password (shame on you if not, unless it's vagrant!), you'll need --ask-become-pass as well.

This means any commands executed by sshjail roughly translate to sudo jexec $jailName $command.

An alternative to requiring root access is to use the jailme utility. jailme is "a setuid version of jexec to allow normal users access to FreeBSD jails".

If you want to use jailme, you'll need to ensure it's installed on the jailhost, and specify the user to sudo as via --become-user on the command line, or become_user: username in a play or task. Finally, you need to edit sshjail.py, and set SSHJAIL_USE_JAILME = True at the top.

This results in commands similar to sudo -u $becomeUser jailme $jailId $command.

• Fetching files hasn't been tested yet. It may not work.

Let me know if you have any difficulties using this, by creating an issue.

Pull requests are always welcome! I'll try to get them reviewed in a timely manner.