Throw-Away Browser on FreeBSD With "pot" Within 5 Minutes
Overview
pot is a great and relatively new jail management tool. It offers DevOps style provisioning and can even be used to provide Docker-like, scalable cloud services together with nomad and consul (more about this in Orchestrating jails with nomad and pot).
When using FreeBSD on your desktop, you can also use it simply to easily create “throw away” browser jails. That way, the browser environment is reliably and completely erased and reset each time you re-create it with one single, simple command.
Please note that all the pot commands below should be run as root.
Setting up pot
Installing and setting up potis described in detail on pot.pizzamig.dev but it is quite straight-forward if you stick to the sensible defaults:
$ pkg install pot
...
$ pot init -v
Creating the Jail Flavour (Template)
After that, we create a pot flavour that contains all the details about our browser jail in /usr/local/etc/pot/flavours.
The flavour contains of two simple files in this directory.
/usr/local/etc/pot/flavours/browser:
set-attribute -A no-rc-script -V YES
set-attribute -A persistent -V NO
/usr/local/etc/pot/flavours/browser.sh:
#!/bin/sh
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NONE"
sysrc sshd_enable="YES"
echo myjailpassword | pw add user ffoxuser -h 0
mkdir /home/ffoxuser
chown ffoxuser /home/ffoxuser
pkg install -y xauth firefox
pkg clean -y
Make the shell script executable (otherwise it is ignored by pot):
$ chmod ugo+x browser.sh
Of course you could instead of firefox also install chromium or any other browser or application.
Creating a One-Time Jail and Running Your Browser
Now you can simply create the jail with
$ sudo pot create -p onetime-browser -b 12.1 -N public-bridge -t single -f browser
and watch the output:
===> Creating a new pot
===> pot name : onetime-browser
===> type : single
===> base : 12.1
===> pot_base :
===> level : 0
===> network-type: public-bridge
===> ip : 10.192.0.3
===> bridge :
===> dns : inherit
===> flavours : browser
===> Fetching FreeBSD 12.1
...
You will note that pot assigns a private IP address to the jail, in the case above 10.192.0.3.
Start the browser jail with
$ pot start onetime-browser
and then start firefox in the jail with
$ ssh -X ffoxuser@10.192.0.3 firefox
If necessary, replace the IP address with the IP address from your output.
If you copied the configuration from above, the password you will be asked for is myjailpassword.
Clean Up Afterwards…
As soon as you are done browsing and you have closed the browser session, stop the jail with
$ pot stop onetime-browser
and delete the jail with
$ pot destroy -p onetime-browser
All the data associated with your browsing session will be completely removed.
…Or Use Snapshots
A lot more efficient than recreating the jail from scratch each time would be taking a snapshot immediately after creating the jail with
$ pot snapshot -p onetime-browser
and instead of deleting the jail simply roll back to it after having finished browsing:
$ pot revert -p onetime-browser