This talk is going to be about CBSD, which is, sorry, cool. Which is Alcoholic Isolation Manager. It manages bhyve, jails and Xen. And basically the layout of the talk is: as I'm new to BSD communities, I think it might be beneficial to say who I am and where I come from, then to present current features of CBSD and what it can do for you and me a little. And what do we plan to do in the future?
So my name is Goran Mekić. I am a web developer by day, mostly Python and React, and by night I am a FreeBSD hacker since EuroBSDCon 2016. So I am a bit green. And I am also a musician, which kind of sticks in this slide, but that's what got me into most of my troubles. And I started, of course, with Linux and Docker. And Docker was a way for me to... So I'm being real loud so we're going to try something. And I'm blind. That's right like this. Okay, is it better? Any better? Okay, okay. Just wing in a funny way.
I started with Linux, and Docker was a way, among other things, for my system to be clean and my audio apps to be only on the host, almost. And it basically... It basically avoided dependency hell, as most of the software is not on the host. So I showed up at EuroBSDCon and it was in Serbia, which is where I come from, so it was on my doorstep. I had to go. And obviously it was a good conference. I'm a FreeBSD user now and I have FreeBSD on all my machines. So it was successful.
And FreeBSD 11 came with Docker support and I thought there was going to be champagne or a celebration and whatnot. And nobody talked about Docker, and that was kind of weird. So I reexamined my assumptions. Maybe Docker is not the best thing in the FreeBSD world. So I had to research, and research told me that I need a different approach. As Lucas said, Linux has one set of features. So you kind of are not made but you have to do it that way because those are the features. You can use that or nothing, right? And jail ended up in my head while it's also a security feature.
It's not so easy to escape a jail compared to Docker. Actually, I don't know anyone who escaped the jail. FreeBSD jail. And I was really mind blown once I realized that a jail can have other jails. Wow, it's babushkas all the way down. And it was wonderful, right?
So I did kind of a new tool and I tried a couple, and CBSD is one of them. So I was first using it for a hackerspace I co-founded. So it wasn't quite production yet for me. Although the CBSD is, I don't know if four years is old, but for a manager I think it's mature. And I realized I have to learn some stuff, how it's done. It's not Docker Compose anymore.
So what really, really pleasantly surprised me is how easy it is to start with CBSD. So we have this construct. Construct is basically what creates your jail if you prefix it with jail. So jconstruct builds your jail, but if you're in new black hours, you have no idea what the jail actually does and how to connect it to a network and what is available. There's a -tui for every command. So I'm going to show you how it looks. But it's a dialog-based command and you enter stuff and it does the magic. So for me it was easy that changing the first letter will create what you want, or maybe you made a mistake. It's a consistent set of commands between jails, bhyve and Xen. Of course you cannot run everything because of the technological reasons, but still we really, really try to make it... Well, I don't like to use my brain when I don't have to, so CBSD is helping.
CBSD also supports nodes, multiple nodes, virtual machines or bare metal or whatever you want to use for, I don't know, for example, jails. And all communication between jails is based on SSH. If you log into any node and tell it, okay, I want this jail and this node, and I don't know where I'm logged in and I don't care, it's going to do the right stuff for you. It's going to send the command to the right node and set up the network if needed and all the stuff that a manager should do.
And I'm still trying to grasp all the networking technologies built into FreeBSD, and me not having to, well, read about them, but just run the command, like the tui command, and it will tell you what are my options, and if I choose some options, there are sub-options. It's much easier for noobs, for newcomers.
So this is basically how jconstruct-tui looks, and what it says here is a profile. I'm going to talk about that more later. Basically, you can have different stuff based on a profile, and the rest is basically self-explanatory, except if you don't want anything, like an empty string, it's a zero. Empty string is kind of hard to show script, so it's easier if you have some value like a null in C. So we chose zero, and the rest is pretty much self-explanatory, with this being a drop-down menu where you can choose an interface to stack your jail into. And basically, all three commands cover basic needs for isolation management, of networking stuff, of vale switch, of whatever CBSD can do. It's basically commands and three commands for a few of them that are most important.
So once I was happy with how I used it, how it works for me, I was kind of not happy with small bits and pieces. I wanted it to be perfect for me personally, and I found that the CBSD implementation is really hard to read. So for example, if you have a CBSD jconstruct, you're going to have a script called jconstruct. It's going to be tool slash jconstruct, but when you're experienced enough with CBSD, you know where to search for the implementation of the command you just ran. And it has a really, really minimal amount of C, basically for term I/O. And some arithmetic that we need in a shell script. So CBSD comes with its own shell script to manage the commands, but it's like 99% shell, I mean pure shell. It has the same syntax and we didn't invent anything. Also we're struck to make it as minimal as possible when dependencies are involved.
So it really has a minimal set of dependencies. I think on a clean system, packaging still will pull in 11 packages, something like that. But the implementation changes, and a week and a half ago we released a new version, so that might be a lie. I haven't checked the dependencies of the new version, so things might change.
And it also supports what I call advanced features. You can have hooks which basically fire when you start and stop a jail, inside a jail or on a host, or pre-post, stop, start, blah, blah, blah, a bunch of hooks that will help you. For example, I like to register my jails in DNS using a hook, but you can use it for anything you think is appropriate.
And it has profiles, as I promised, and profiles are what, if you have CBSD as the set of commands, you can put them all in a profile, and once you're in jconstruct-tui, the dialog, you can just choose the profile and OK, create it. So you can put all your common stuff in a profile so you don't have to type it over time, or we even automate it with some other tool. Profiles also include, not include, they use a skeleton for jails, which, well, I'm going to give you one example I use it for. I do a lot of development in a jail, web development in a jail, and I want to run commands as root in a jail. So skel creates my development user inside a jail and whatever it needs from packages or configuration and stuff.
And when I joined the project, which was, I think, six months ago, as a developer, I tried to make CBSD use existing infrastructure more, because it can manage your firewall, whatever firewall you're using, it can manage your ZFS datasets, it can manage your NAT, and a lot of things are automated just when you create a jail. But old-timers, not that I'm one of them, but more experienced CBSD administrators don't like magic, and actually any administrator doesn't like magic.
So if you have existing infrastructure, that was kind of my job to make it, okay, what if something else, or you're managing your own PF, how do I stick CBSD into something existing? That's what I was mostly interested in as a developer. And I think we're getting to a point where you can literally use it everywhere, but take it with a grain of salt because, as I said, I'm still green. I don't know what everything means in FreeBSD.
So this little slide is for what we did to support bhyve. Well, basically, when you're building a manager, you're not inventing anything, you're using the existing stuff. And yeah, this is not a whole list. I just picked a few that I find interesting, and especially PCI passthrough for driver development or whatever you want to use it for. I'm hacking some small hardware, so I kind of love it. It has a weird, kind of weird option of Plan 9 virtual 9P folder sharing, which is abnormally fast. It's not yet, it will come with 12, but we have support for it already in place. Yeah, you can basically do all kinds of stuff with it, but what it provides for me personally, when I hook a bhyve to a network, it can be a network that also some jail uses. So you can interact between jails and bhyve in an easy way. And we're planning on, besides vale switch, to support Open vSwitch, that's coming really soon, I hope. If our free time remains as it is, it's coming soon.
So, and yeah, virtual disk management. Currently, we only create a full zvol, so we want to experiment with a shallow, how it's called, when the zvol doesn't allocate the whole space, but allocates when it's needed. Yeah, Tim, thanks. So that's for bhyve also. For zvol, I think it's a -s to add, but it's more of a testing how it works in some of the environments.
And for the jails, it started as a jail manager, I think. Why I say I think is because I'm not the original author of CBSD, so I came a bit later.
And I tried in the six months that I'm a developer to get as much information and history of CBSD as I could. So jail has, it's a normal list of features that we support right now. These are, I don't know, I find them interesting. Data encryption via GELI, that sounds sweet. That's something that if you're on a shared hosting, you probably, well, you don't have a CBSD then, but a sharing machine where a total of people while your GELI is encrypted kind of adds to the security. I'm not going to go through all this, but VIMAGE is already in corp, RCTL, per jail traffic account, it goes to infinity. Well, now, literally, the list is like this. Basically, what CBSD can do with a jail is abnormally flexible.
And one of the things I really, really love is this. I haven't tried it excessively, but having a build in a jail that's going to become an image for ISO or memstick, that's perfect. And basically, you can have VNC in a jail. It's also supported, and whatever you know, probably whatever you know about a jail is supported. Even, for example, VIMAGE is a 12-CURRENT feature, but it's already there. And it kind of works. Kind of being the... dhclient has a problem with VIMAGE, so that's the reason why it's kind of.
And Xen, okay, this is the even secure slide for two reasons. First, to support Xen, we need hardware, and it's not easy to come by hardware that is just, okay, we're just going to put this box in a corner and we're going to develop our Xen on it. And you can do it on your laptop compared to bhyve and jail. So Xen support is slightly lagging behind jails and bhyve. But I might be lying because Oleg, who is a team lead, had more Xen support two weeks ago and I didn't get the time to check out what's in there. We got two weeks of someone's hardware to do whatever we can with Xen, so I'm not yet sure what we did with that. But basically, like jails and bhyve, you can create them, destroy them, hook them to a network, and the rest is easy.
The rest is up to you, log into it and whatever you want to do, just do it.
And we didn't stop there. There's a web interface to CBSD which is currently in alpha version, so it's slightly annoying to install. We are working on that becoming, actually I want to work on that becoming a package install command so we don't have to hassle so much. And what basically the distribution does is, so it should do everything as CBSD, command line CBSD does. And it should have, when I say should, it's alpha software. We plan on, whenever you do something from a CLI, you should be notified through a web interface right away. So some web sockets are behind it. And whatever you can do with CBSD, you should be able to do it with ClonOS, but it's going to change slightly. I'm going to come to that slide.
So I'm just going to run through some of the screenshots of the distro and how it looks. But you wouldn't expect much, like filling the fields and create it or edit it. But what it has is also images you can use that are pre-built. CBSD has export, sorry, export and import of jails, actually jails and bhyve, but I'm going to talk mostly about the jails for now. You can pick some of them and just say, okay, I don't know how to install something from the list, but pick it and it will be in your network on your host. You can peek into the jails or bhyve, and I think this is bhyve, yeah, it's a bootloader. You can peek into it and do stuff. Currently it's VNC, but Oleg ported SPICE, I think a month ago. So we're going to try how SPICE works with jails and bhyve, and maybe switch depending on what we find.
And yeah, there's a list of your networks that you use with CBSD. They normally have to be all on the same network, and it can manage multiple, for example, local images, oh, not images, sorry, interfaces or bridges or whatever you need. So this is a list of all your networks that are configured, and this is small. So this basically is...
CBSD doesn't have a concept of a user. It doesn't care about that, but if you're delegating work among different system administrators, you probably want user names and authentication. So the web part has authentication, but the command line doesn't. I think SSH is just fine.
And finally, what's in the future? The future is bright, because when we got some attention lately, we could take screenshots. And it will become more... easier to install and easier to use over time, but up until now we only had one alpha release. So it's pretty rough around the edges.
There is CBSD forms, which is, if you're a web developer, you know that a web form is basically key value. What it allows you to do, what Oleg does with that, is, he likes Puppet, I like Ansible. So he inputs some of the Puppet variables into the CBSD forms, and then when he runs Puppet, CBSD has a feature to run Puppet now. It will gather the information from those key values. By the way, we use SQLite to store our information, so it's really light. Whatever you find useful to be variable for maybe all your jails, for example, you can put it in there and extract it and put it into a playbook or whatever it is called in the Puppet world. Reggae is... It's the same idea, only trying to use Ansible to provision stuff, to provision jails. And Reggae is only bound to jails because the way Ansible works, virtual machines are a piece of cake to set up.
And what awaits us in the future is testing the features to use Buildbot. We use Python, so we both know how to develop on it. There will be... What we want to work on is multiple instances of CBSD, so for example, if you're a hosting provider, you can expose your VPS by giving access to your clients to a CBSD instance. Currently, only one CBSD can be on a host, but having multiple CBSDs, maybe you can host VPS or segregate them differently or whatever you find useful.
And what's going to help in that effort is that I will work on socket-based communication between the command line and a daemon. Currently, the shell script does basically everything. What we want to do is make the daemon do the stuff that is needed for creating a ZFS dataset or networking or whatever it needs to do. And then you communicate with a socket. And that's why I said that the web part is probably going to change to use a socket, to become easier.
I successfully broke this laptop with CBSD to have more support in CBSD for HardenedBSD. So that's something I'm continuously working on and it's still not there. There are some HardenedBSD-specific general options that they're working on. I think they're definitely in master on GitHub. I just don't know if they are included in any of the images, like all the stuff that HardenedBSD brings on top of FreeBSD that can be turned on and off for a jail. And we already have this commit. We are just waiting for HardenedBSD to actually ship with images, which may be actually happening in these few weeks.
And documentation, although the documentation is really, really good, I found everything I needed when I started with CBSD in the documentation. We need to work on making the documentation more searchable. It's a static site right now, so if you don't know where a certain document is, you probably will have a hard time finding it. So a bit of documentation management is needed to really kick off CBSD for noobs. And I don't have much to add to that.
These are some useful links about CBSD. The first one is the CBSD official site, although it sounds a bit weird. But a BSD store for images of bhyve and jails is in order, so this domain will once become a place where, like a Docker Hub, you can pull images from it or build yourself. We're on GitHub, of course, and please do check out the GitHub, write issues and stuff, whatever you find bothering, please just let us know. And the last one is my site.
I really try to cover CBSD from weird perspectives. Being a musician is just one part of it. So I'm trying to fit CBSD where it originally doesn't fit so we can make it more flexible.
And for the end, I would like to thank FOSDEM for inviting us. It was really a pleasure to come and talk to all these people. I would like to officially thank Oleg Ginzburg, who is the lead developer of CBSD, for having so much time for my whining, why it is done at work, how do I learn this and stuff. He's a wonderful mentor, so thank you. FreeBSD for doing everything, basically, compared to the small part we did. And last, but not least, Tilda Center, a hackerspace I co-founded, that is hosting some CBSD-related stuff, namely I think the most important is a mailing list, which is kind of scarce at this point, but as a new developer I'm going to obviously become a guy who goes around and tells people about it and screams that people use it, use it. That will be all on my side. So if you have any questions, I will be more than glad to answer them.
Are jail-related to isolate shared memory access from jail? Is it possible that if you activate this shared memory for jail, each jail can access, there is no isolation in the standard jail configuration. Is it possible with CBSD to isolate it?
So the question was, can CBSD separate shared memory? And I don't know. I'm really too green. Maybe it can, but it's a bit lower level. I was preparing the slides, not so much technology, sorry. On the mailing list, if you ask, Oleg definitely knows the answer. Anyone else?
Hackerspace. It's in Serbia. Sorry, the question is, where is the hackerspace? It's in Serbia in a town called Novi Sad, which is almost on the north. Yeah, come by.
Is it possible to run CBSD on OpenBSD?
No. There are no jails. VMM is drastically different than bhyve, and there was no point. We would end up, we discussed it, and we realized we would actually write a second manager.
But it has, for example, DragonFly and HAMMER support. So it's not so much FreeBSD. Obviously, I'm trying to expand it a bit. But just non-FreeBSD systems are not that, I can't call them not that good, but not so fitting to our needs. More questions. Just shoot.
Playing signal and you'll hear from someone the other question about the System V shared memory and you can turn it out. You can modify that and you can isolate that. It's on the man page. So it's from... Yeah. Hello, mom.
Just to repeat the question you were next. The question was... Actually, there was no question. The signal angel told us that it's in a man page, so I really didn't read. Shame on me.
Can you be a little bit louder? QEMU.
So the question is, are we planning on supporting QEMU? There are bits and pieces that are already working for... Okay, let me start from the beginning. What we have with QEMU and jails is running, for example, on your laptop, running your ARM-based jail using QEMU. I never tried it. I saw a video Oleg posted, so I know it's possible, but it didn't get much attention, so it's really, really alpha, and it needs more love. Anyone else?
Can I use CBSD to fully manage Zanguato machines? Is it a full-featured management tool to work only with Zanguato machines?
So the question is, can CBSD fully manage Zanguato? The reason I don't know is that Zanguato management in FreeBSD is changing right now. So what we're going to end up... Well, basically it's going to be in 12, so if you use 11, you probably don't care about that. But to the best of my knowledge, there are no pieces of Xen that are unsupported, but take it with a grain of salt. I'm going to definitely have to explore Xen more. I just didn't find time, but the documentation is such that I didn't find anything that I couldn't do with Xen with CBSD.
So we got less than 10 minutes, or we can discuss or whatever. Okay, that's all. Thank you all, and see you soon.