pot is a great and relatively new jail management tool. It offers DevOps style provisioning and can even be used to provide Docker-like, scalable cloud services together with
consul (more about this in Orchestrating jails with nomad and pot).
When using FreeBSD on your desktop, you can also use it simply to easily create “throw away” browser jails. That way, the browser environment is reliably and completely erased and reset each time you re-create it with one single, simple command.
Please note that all the
pot commands below should be run as
Installing and setting up
potis described in detail on pot.pizzamig.dev but it is quite straight-forward if you stick to the sensible defaults:
$ pkg install pot ... $ pot init -v
Creating the Jail Flavour (Template)
After that, we create a pot flavour that contains all the details about our browser jail in
The flavour contains of two simple files in this directory.
set-attribute -A no-rc-script -V YES set-attribute -A persistent -V NO
#!/bin/sh [ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf ASSUME_ALWAYS_YES=yes pkg bootstrap touch /etc/rc.conf sysrc sendmail_enable="NONE" sysrc sshd_enable="YES" echo myjailpassword | pw add user ffoxuser -h 0 mkdir /home/ffoxuser chown ffoxuser /home/ffoxuser pkg install -y xauth firefox pkg clean -y
Make the shell script executable (otherwise it is ignored by
$ chmod ugo+x browser.sh
Of course you could instead of
firefox also install
chromium or any other browser or application.
Creating a One-Time Jail and Running Your Browser
Now you can simply create the jail with
$ sudo pot create -p onetime-browser -b 12.1 -N public-bridge -t single -f browser
and watch the output:
===> Creating a new pot ===> pot name : onetime-browser ===> type : single ===> base : 12.1 ===> pot_base : ===> level : 0 ===> network-type: public-bridge ===> ip : 10.192.0.3 ===> bridge : ===> dns : inherit ===> flavours : browser ===> Fetching FreeBSD 12.1 ...
You will note that
pot assigns a private IP address to the jail, in the case above
Start the browser jail with
$ pot start onetime-browser
and then start firefox in the jail with
$ ssh -X firstname.lastname@example.org firefox
If necessary, replace the IP address with the IP address from your output.
If you copied the configuration from above, the password you will be asked for is myjailpassword.
Clean Up Afterwards…
As soon as you are done browsing and you have closed the browser session, stop the jail with
$ pot stop onetime-browser
and delete the jail with
$ pot destroy -p onetime-browser
All the data associated with your browsing session will be completely removed.
…Or Use Snapshots
A lot more efficient than recreating the jail from scratch each time would be taking a snapshot immediately after creating the jail with
$ pot snapshot -p onetime-browser
and instead of deleting the jail simply roll back to it after having finished browsing:
$ pot revert -p onetime-browser