Network services that should bind to the epari0b interface fail because the interface is added after rc start.

Develop or find a tool that can manage/assign network addresses to pots like DHCP, but at creation time

A needed features is to be able to import single files to a pot.
It's like add-fscomp, but instead of being a ZFS dataset or a directory, it's just a single file.

It would be possible to clone a pot
Cloning its configuration and datasets

95% of the features need to run as root, currently
Find a way to make it more user friendly

Currently, the environment of a jail is inherited from the system. It shouldn't.
Example:

• a pot running salt_minion (py27-salt)
• a system root with bash or zsh as shell

When salt_minion start inside a jail, it tries to spawn commands using $SHELL value, crashing.
The problem is that the system user uses a shell that's not installed in the jail.
In general, the environment inside a jail should be independent of the hosting system.

Thank you for the talk at FOSDEM 2018.

Creating this issue as a placeholder for people who get pointed to the repo but may have missed your talk, please link to it when it is available?

Pot supported 2 levels.
But I want to test:

• two pots: nginx and apache - first level;
• two pots: mysql and postgresql - second level;
• three pots CMS-s: drupal, joomla, wordpess - third level;
• nine pots whit three sites on each CMS: 1dp,2dp,3dp,1jm,2jm,3jm,1wp,2wp,3wp - fourth level.

Is it possible to solve such a problem with the possibilities of pot?

Grazie!

if not yet loaded, the pf.ko kernel module is not automatically added
and pf is not enabled

add option to remove former snapshot

The one thing missing from pot, I think, is making pot either capable of using either or both IPFW and IPF, since both have people who actively use and maintain them.

Another option which is arguably better but may involve more work (and changing ABI/KBI and would thus probably involve a major version bump?) would be to adopt a principle similar to that of blacklistd.
It uses a firewall-agnostic API where the sysadmin supplies the commands necessary for certain functions, and then that command is simply executed.
This would have the added benefit that if, say, npf (NetBSD Packet Filter by rmind@netbsd) was ever ported to FreeBSD, or another 4th firewall was added, it would be trivial to add support for these.

Misprint in https://github.com/pizzamig/pot/archive/0.5.6.tar.gz :

$ cat pot-0.5.6/bin/pot | grep POT_VERSION
_POT_VERSION=0.5.0

Add the ability to have a static IP (external) as network configuration, like a standard jail

# cat /opt/pot/jails/salt-work/conf/pot.conf 
pot.level=2
pot.type=multi
pot.base=11.1
pot.potbase=salt-base
pot.dns=inherit
pot.cmd=sh /etc/rc
host.hostname="salt-work.pots11.fbsd"
osrelease="11.1-RELEASE"
ip4=inherit
vnet=false

but

# pot config -g salt-work
###>  NO salt-work is not a valid name
pot config [-h][-v][-q] [-g name ]
  -h -- print this help
  -v verbose
  -q quiet
  -g name : get name value
    possible names are fs_root zfs_root gateway syslogd

or

# pot start salt-work
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
/etc/rc: WARNING: $hostname is not set -- see rc.conf(5).
Creating and/or trimming log files.
Starting syslogd.
syslogd: child pid 3179 exited with return code 1
/etc/rc: WARNING: failed to start syslogd
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sat Jun 30 22:06:02 UTC 2018
===>  The pot salt-work started

# pot config -g salt-work
###>  NO salt-work is not a valid name
pot config [-h][-v][-q] [-g name ]
  -h -- print this help
  -v verbose
  -q quiet
  -g name : get name value
    possible names are fs_root zfs_root gateway syslogd

Thanks.

Remember everything is quite annoying
Implements a proper autocompletion of zsh

https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org

freebsd-release-manifests contains tarballs' hashes.
It can be useful to validate the downloaded tarballs.

Add the possibility to use ZFS dataset out of pot (pot/fscomp dataset) to be used as external components

Hi Luca,

are you still working on the manual page for pot?

It should be possible to provide resource limits to pot.
For instance, how much memory or CPU.
It should be based on rctl.

Hi,

I'm trying out pot for the first time and I got the following error:

$ sudo pkg install pot
$ sudo pkg init
$ sudo pot create-base -r 11.1
===>  Create a base with release 11.1
/tmp/11.1_base.txz                            100% of   99 MB  741 kBps 02m18s
===>  Create the zfs datasets for base release zroot/pot/bases/11.1
sed: /opt/pot/jails/base-11_1/custom/etc/crontab: No such file or directory
sed: /opt/pot/jails/base-11_1/custom/etc/crontab: No such file or directory

Then I tried to run create-base again:

$ sudo pot create-base -r 11.1
===>  Create a base with release 11.1
===>  Create the zfs datasets for base release zroot/pot/bases/11.1
./sbin/init: Can't restore time
./lib/libcrypt.so.5: Can't restore time
./lib/libthr.so.3: Can't restore time
./lib/libc.so.7: Can't restore time
./usr/lib/librt.so.1: Can't restore time
./usr/bin/crontab: Can't restore time
./usr/bin/su: Can't restore time
./usr/bin/chpass: Can't restore time
./usr/bin/passwd: Can't restore time
./usr/bin/opieinfo: Can't restore time
./usr/bin/login: Can't restore time
./usr/bin/opiepasswd: Can't restore time
./libexec/ld-elf.so.1: Can't restore time
tar: Error exit delayed from previous errors.
cp: cannot overwrite directory opt/custom/etc/unbound with non-directory etc/unbound
cp: symlink: ../usr/sbin/rmt: File exists
cp: utimensat: opt/custom/var/empty: Operation not permitted
cp: symlink: ../usr/sbin/rmt: File exists
cp: symlink: ../var/unbound: File exists
cp: cannot overwrite directory opt/custom/var/db/etcupdate/current/usr/share/man/en.ISO8859-15 with non-directory var/db/etcupdate/current/usr/share/man/en.ISO8859-15
cp: symlink: ../man4: File exists
cp: symlink: ../man9: File exists
cp: symlink: ../man3: File exists
cp: symlink: ../man7: File exists
cp: symlink: ../man2: File exists
cp: symlink: ../man8: File exists
cp: symlink: ../man5: File exists
cp: symlink: ../man1: File exists
cp: symlink: ../man6: File exists
cp: symlink: ../man6: File exists
cp: symlink: ../man1: File exists
cp: symlink: ../man5: File exists
cp: symlink: ../man8: File exists
cp: symlink: ../man2: File exists
cp: symlink: ../man7: File exists
cp: symlink: ../man3: File exists
cp: symlink: ../man9: File exists
cp: symlink: ../man4: File exists
cp: symlink: C: File exists
cp: symlink: C: File exists
cp: cannot overwrite directory opt/custom/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15 with non-directory var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
cp: symlink: ../man3: File exists
cp: symlink: ../man1: File exists
cp: symlink: usr/src/sys: File exists

sudo pot create -p shield -b 11.1 worked just fine, however, and now I'm in jail's shell.

Details:

• FreeBSD 12.0-CURRENT r333659 amd64
• pot: 0.5.5
• ZFS

depending on when start fails, it can leave pot partition mounted

Support IPv6 networks

Add a command that has the reverse effect of 'init'
It could be extremely useful also for tests

In general, improve the validation of create-base

I'm new here and didn't have time to review the code but is there any support to attach sort of a pre, post hooks during start and stop commands? If so how can this be done.

And second question how can I pass a list of env variables to the script as well as inside pot container?

pot create-base should perform a check, before to download sources and then discover that it cannot create a base
pot create-fscomp also, I suppose

I was playing on the pot_slides.pdf file on page 15:

pot init
pot create-base -r 11.1
pot create-fscomp -f repository
pot create -p saltmaster -b 11.1
pot add-fscomp -p saltmaster -f repository -m /mnt
pot create-fscomp -f repo-work
pot create-fscomp -f repo-home
pot create -p salt-base -b 11.1
pot create -p salt-work -P salt-base -l 2
###>  no snapshot found for zroot/pot/jails/salt-base/custom

VBox FreeBSD both 11.1 and 12

😕

Add a proper rc script that properly manage to start a set of pot during the boot phase

a pot can need a service provided by another pot
the dependency could be automatically fulfilled by pot start

Here's what I've done:

sudo pot init
sudo pot create-base -r 11.2
sudo pot create -p committer-pot -b 11.2
sudo pot create-fscomp -f svn-ports
sudo pot create-fscomp -f svn-src
sudo pot create-fscomp -f svn-doc
sudo pot add-fscomp -p committer-pot -f svn-src -m ~/freebsd/svn/src/
sudo pot add-fscomp -p committer-pot -f svn-ports -m ~/freebsd/svn/ports/
sudo pot add-fscomp -p committer-pot -f svn-doc -m ~/freebsd/svn/doc/
sudo pot snapshot -p committer-pot
sudo pot start committer-pot

As a result of the last command I got:

mount_nullfs: /opt/pot/jails/committer-pot/m/home: No such file or directory
###>  Error mounting /opt/pot/fscomp/svn-src
ifconfig: interface destroy does not exist
###>  Mount failed

It happens every time I try to run sudo pot start committer-pot.

Implementation of the revert command, to restore a previous snapshot of a pot

Configure syslog to not log locally, but on the hosting machine.
Put the pot name before every log entry

Add an option to create a pot the will uses the internal consul-dns pot instead of copy the resolv.conf from the host

I get:

pfctl: /dev/pf: No such file or directory

as an output of pot stop mypot.

I didn't configure anything in particular, just pot init and pot create.

Also, the pf kernel module is not loaded (which is most likely the reason for this warning to be printed).

When destroying a level 1 pot, used by a level 2 pot, a proper error message should notice that the -r option is needed

Try to understand how to organize pot migration

Use the amount of CPU needed instead of which one

create -b 123
the parameter 123 is not validated

after pot create-base -r 11.2 and pot create -p foo1 -b 11.2 I ran pot ls and it shows only base-11_2, after running pot create -p foo2 -b 11.2 it shows base-11_2 and both pots foo1 and foo2.

Currently, there's no input validation in a pot flavor script.

Write a promote command, where a "beta" cloned pot take the place of a "stable" pot

pot snapshot -p stable
pot clone -p beta -P stable
[ beta is good ]
pot promote -p beta -P stable -n old-stable

• stable renamed as old-stable
• beta renamed as stable

Trying to create-base -r 12.0, exploded

===>  Automatically use 12.0 as base name
===>  Create a base with release 12.0
===>  Create the zfs datasets for base release zroot/pot/bases/12.0
tar: Error opening archive: Failed to open '/tmp/12.0_base.txz'
cp: root: No such file or directory
cp: etc: No such file or directory
cp: var: No such file or directory
chflags: var/empty: No such file or directory
cd: ../../opt/custom/var/db: No such file or directory
===>  Create the related pot [base-12_0]
getopt: invalid option -- F

renaming the txz in /tmp to from 12.0-RELEASE_base.txz to 12.0_base.txz worked on the second run (after manually destroying the datasets that were created before the unpacking failed)

currently, the rename of a pot doesn't affect potential dependencies and or lvl 2 pots based on the renamed one

Currently, no checks are in place to verify the presence of those key features

Some other programs (like 'poudriere image') are able to generate FreeBSD images.
Add the possibility to use/import those images

Hello.
I have pot with base 11.1, but I want update base to 11.2 of my pot. How can I do that?

check and activate ip forwarding, if needed (vnet-start?)

net.inet.ip.forwarding=1

Would it be possible to set a flag on a pot so that it will start at boot time.
If one has many pots, a line in /etc/rc.conf with pot_list=" " would become a little messy.
A on boot flag on a pot is a nicer option in my opinion.

Thanks for all your work on pot.