Overview
This is a flavour containing the vault security storage platform. You can e.g. store certificates, passwords etc. to be used with the nomad-server pot flavour on this site.
The flavour expects a local consul agent instance to be available that it can connect to (see configuration below). You can e.g. use the consul pot flavour on this site to run consul. If no consul instance is available at first, make sure it is up within an hour; the certificate renewal process will then restart consul. You can also connect to this host and run service consul restart manually.
Pro tip
Start the vault cluster with the IP addresses of consul servers which are not live yet. Then start the loki instance. Then start the consul cluster. Restart consul on the vault and loki instances, or wait for the first certificate renewal after an hour.
Installation
Unseal node
- [unseal node] Create a ZFS data set on the parent system beforehand:
zfs create -o mountpoint=/mnt/vaultunseal zroot/vaultunseal
- Create your local jail from the image or the flavour files.
- Mount in the ZFS data set you created:
pot mount-in -p <jailname> -m /mnt -d /mnt/vaultunseal
- Optionally export the ports after creating the jail:
pot export-ports -p <jailname> -e 8200:8200
- Adjust to your environment:
sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> -E IP=<IP address of this vault node> -E VAULTTYPE=unseal
Vault leader
- [cluster node] Create a ZFS data set on the parent system beforehand:
zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
- Create your local jail from the image or the flavour files.
- Mount in the ZFS data set you created:
pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
- Optionally export the ports after creating the jail:
pot export-ports -p <jailname> -e 8200:8200
- Adjust to your environment:
sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
  -E IP=<IP address of this vault node> -E VAULTTYPE=leader \
  -E UNSEALIP=<unseal vault IP> -E UNSEALTOKEN=<wrapped token generated on unseal node> \
  -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
  -E SFTPUSER=<username> -E SFTPNETWORK="<list of comma-space separated IP addresses>" \
  -E GOSSIPKEY=<32 byte Base64 key from consul keygen> [-E REMOTELOG=<remote syslog IP>] [-E DNSFORWARDERS=<none|list of IPs>]
The SFTPUSER parameter is used to create a user with SSH private keys; you will need to export the private key to the host systems for follower nodes.
The SFTPNETWORK parameter is a list of IP addresses in comma-space format ("10.0.0.1, 10.0.0.2, 10.0.0.3") to pre-generate 2h TLS certificates for, used for initial vault logins by follower nodes and other images making use of vault.
The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"'
or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"'
or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'
The GOSSIPKEY parameter is the gossip encryption key for the consul agent. A default key is used if you do not set the parameter; do not use the default key for production encryption, provide your own instead.
The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.
The DNSFORWARDERS parameter is a space delimited list of IPs to forward DNS requests to. If set to none or left out, no DNS forwarders are used.
Important: the leader boot can take a while with certificate generation. Let it complete before adding followers.
Once booted you will need to run ./cli-vault-auto-login.sh for a login token to use on follower nodes, and export /home/certuser/.ssh/id_rsa to a file to import to follower nodes and other types of pot images.
To re-generate the temporary certificates for the array of initial IP addresses, run ./gen-temp-certs.sh.
To generate a single certificate for an IP address, run ./single-temp-cert.sh <IP address>, for example: ./single-temp-cert.sh 10.0.0.1.
You will need to generate new temporary certificates if two hours have passed since setting up the vault leader.
Vault follower
- [cluster node] Create a ZFS data set on the parent system beforehand:
zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
- Create your local jail from the image or the flavour files.
- Mount in the ZFS data set you created:
pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
- Copy in the SSH private key for the user on the Vault leader:
pot copy-in -p <jailname> -s /root/sshkey -d /root/sshkey
- Optionally export the ports after creating the jail:
pot export-ports -p <jailname> -e 8200:8200
- Adjust to your environment:
sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
  -E IP=<IP address of this vault node> -E VAULTTYPE=follower \
  -E UNSEALIP=<unseal vault node> -E UNSEALTOKEN=<wrapped token generated on unseal node> \
  -E VAULTLEADER=<IP> -E LEADERTOKEN=<token> -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
  -E SFTPUSER=certuser -E GOSSIPKEY=<32 byte Base64 key from consul keygen> [-E REMOTELOG=<remote syslog IP>]
The SFTPUSER parameter is used on the follower node to login to the vault leader, to get temporary certificates for a further login.
The SFTPNETWORK parameter is only used by the Vault leader node.
The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"'
or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"'
or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'
The GOSSIPKEY parameter is the gossip encryption key for the consul agent. A default key is used if you do not set the parameter; do not use the default key for production encryption, provide your own instead.
The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.
Architecture
- vault-unseal: is initialized and unsealed. The root token creates a transit key that enables the other Vaults' auto-unseal. This Vault server is not a part of the cluster.
- vault-clone-1: is initialized and unsealed automatically with the passed in wrapped unseal key. Joins raft cluster after unsealing, sets up PKI and generates a bunch of temporary certificates.
- vault-clone-2: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.
- vault-clone-n+: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.
Usage
vault is then running on port 8200 of your jail IP address.
Unseal Node
(This stage of development of the pot image doesn't yet include HTTPS on the unseal node. Please include the parameter -address=http://<IP>:8200 in any vault commands.)
This vault instance exists to generate unseal keys. It must first be initialised. Please save this information securely.
$ pot term vault-unseal
$ vault operator init -address=http://<IP>:8200
Unseal Key 1: key1
Unseal Key 2: key2
Unseal Key 3: key3
Unseal Key 4: key4
Unseal Key 5: key5
Initial Root Token: s.token
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
$ vault operator unseal -address=http://<IP>:8200 "key1"
$ vault operator unseal -address=http://<IP>:8200 "key2"
$ vault operator unseal -address=http://<IP>:8200 "key3"
$ vault login -address=http://<IP>:8200
(using Initial Root Token)
$ ./setup-autounseal.sh
Success! Enabled the file audit device at: file/
Success! Enabled the transit secrets engine at: transit/
Success! Data written to: transit/keys/autounseal
Success! Uploaded policy: autounseal
$ ./issue-unseal.sh
Key Value
--- -----
wrapping_token: s.newtoken
wrapping_accessor: REDACTED
wrapping_token_ttl: 24h
wrapping_token_creation_time: 2021-05-29 13:52:13.743971005 +0000 UTC
wrapping_token_creation_path: auth/token/create
wrapped_accessor: REDACTED
This new token s.newtoken can be used to unseal the cluster nodes. A new token must be generated for each node in the vault cluster.
Important note
If the unseal node is restarted you will need to unseal and login again. Shut down your vault cluster first, starting with the followers, then the leader. Start the unseal node, unseal and login, then start the leader and followers.
You did save the keys and login token right?
Cluster leader node using raft storage
To unseal a cluster leader, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>.
Once running, you can login and run the script /root/cli-vault-auto-login.sh to automatically login to vault in the CLI and return a token for use in additional vault instances, in addition to an unseal token.
To generate a token for PKI, run pot term vault-clone and then /root/issue-pki-token.sh.
To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and one of:
-tls-skip-verify to skip verifying the certificate; or
-ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything is working).
Example vault command with parameters
vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
Cluster follower using raft storage
To unseal a cluster follower, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>.
A leader node should already exist, and must be passed in with the parameter -E VAULTLEADER=<IP>.
A leader token is also required and must be passed in with the parameter -E LEADERTOKEN=<login token from unsealed leader>. You can get this token from /root/cli-vault-auto-login.sh on the leader.
The SSH key created for the SFTPUSER on the Vault leader needs to be made available during pot setup of the follower node.
The cluster node will be automatically unsealed and join the cluster. It will automatically retrieve a temporary certificate with a 2h TTL from the Vault leader via SFTP, and use this to perform a client-TLS-validated login to vault, to retrieve proper certificates with a longer TTL of 24h.
Repeat for all additional nodes in the vault cluster.
To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything is working).
Example vault command with parameters
vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
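The leader and follower sections both repeat the same four flags on every vault command, and the readme notes that the temporary client certificate from the leader only lasts 2h, so a login that fails is often just an expired cert. The following POSIX sh script is an added example, not part of the potluck vault flavour: it sets the Vault CLI's own environment variables (VAULT_ADDR, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY, VAULT_CACERT) as the equivalent of those flags, and checks the client certificate's remaining validity with openssl before running a command. The /mnt/certs paths and port 8200 come from the readme; the CERTDIR override and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the potluck vault flavour): run vault CLI
# commands against a cluster node with the client-TLS settings from the
# readme, and refuse to run if the 2h temporary certificate is about to expire.
# CERTDIR and the function names are this example's own; VAULT_ADDR,
# VAULT_CLIENT_CERT, VAULT_CLIENT_KEY and VAULT_CACERT are the Vault CLI's
# documented environment equivalents of -address, -client-cert, -client-key
# and -ca-cert.

CERTDIR=${CERTDIR:-/mnt/certs}

# https address of the node being queried (port 8200, as in the readme).
vault_addr() {
  printf 'https://%s:8200' "$1"
}

# Export the CLI environment so a plain `vault status` uses client TLS.
vault_env() {
  VAULT_ADDR=$(vault_addr "$1")
  VAULT_CLIENT_CERT=$CERTDIR/cert.pem
  VAULT_CLIENT_KEY=$CERTDIR/key.pem
  VAULT_CACERT=$CERTDIR/combinedca.pem
  export VAULT_ADDR VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT
}

# The same four settings as explicit flags, matching the readme's examples,
# for one-off commands where exporting variables is not wanted.
vault_tls_flags() {
  printf -- '-address=%s -client-cert=%s -client-key=%s -ca-cert=%s' \
    "$(vault_addr "$1")" "$CERTDIR/cert.pem" "$CERTDIR/key.pem" "$CERTDIR/combinedca.pem"
}

# Return 0 if the certificate in $1 stays valid for at least $2 seconds
# (default 600), 1 if it expires sooner, 2 if the file is unreadable.
# A follower's temporary certificate lasts 2h; an expired one is the usual
# reason a client-TLS-validated login fails.
cert_valid_for() {
  _cert=$1
  _secs=${2:-600}
  [ -r "$_cert" ] || { echo "no readable certificate at $_cert" >&2; return 2; }
  openssl x509 -in "$_cert" -noout -checkend "$_secs" >/dev/null
}

# Run a vault command against a node, checking the client certificate first.
# Usage: vault_on 10.0.0.3 status
#        vault_on 10.0.0.3 operator raft list-peers
vault_on() {
  _node=$1
  shift
  cert_valid_for "$CERTDIR/cert.pem" || {
    echo "client certificate missing or expiring; run ./gen-temp-certs.sh on the leader and fetch a new one" >&2
    return 1
  }
  vault_env "$_node"
  vault "$@"
}
```

With vault_env exported once in a shell session, the readme's three example commands reduce to vault status, vault operator raft list-peers and vault operator raft autopilot state; vault_tls_flags reproduces the explicit-flag form for scripts that should not depend on the caller's environment.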
Default cluster usage
This cluster will generate, issue and renew certificates.
Other example cluster usage
This cluster can be used as a kv store.
vault secrets enable -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -path=kv kv-v2
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem put kv/testkey webapp=TESTKEY
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem get kv/testkey
Getting Started
- Image Readme
- How To Use The Ready-Made Image
- Alternatively: Create a Jail With This Flavour Yourself
- Version History
- Manual Image Download Links
- Jenkins Pot Creation Logs
How To Use The Ready-Made Image
FreeBSD 14.1:
pot import -p vault-amd64-14_1 -t 2.5.2 -U https://potluck.honeyguide.net/vault
With Signify Verification:
fetch https://potluck.honeyguide.net/potluck.pub; pot import -p vault-amd64-14_1 -t 2.5.2 -C potluck.pub -U https://potluck.honeyguide.net/vault
If you don't want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), after importing it you can simply clone the jail like this (em0 is the host network adapter in this example):
pot clone -P vault-amd64-14_1 -p my-cloned-jail -N alias -i "em0|10.10.10.10"
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Alternatively: Create a Jail With This Flavour Yourself
1. Create Flavour Files
Save all files and directories from https://github.com/hny-gd/potluck/tree/master/vault to /usr/local/etc/pot/flavours/
2. Create Jail From Flavour
Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update
with your FreeBSD version (e.g. 14.1) and the name your jail should get.
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Version History
2.5.2
- Enable milliseconds in syslog-ng for all log timestamps
2.5.1
- Version bump for new base image 14.1
- Extra steps to trim image size
2.4.2
- Set autotidy policy when creating PKIs
2.4.1
- Version bump for new base image
2.3.1
- Version bump for FBSD14 base image
2.2.17
- Make consul-template retry more often
2.2.16
- Increase dead-server-last-contact-threshold to 24h
2.2.15
- Update consul configuration to new version
2.2.14
- Disable QNAME minimization in unbound (consul can’t handle it)
2.2.13
- Add new parameter DNSFORWARDERS to allow controlling how unbound is configured
- Add scripts to support recovering a vault cluster
- Improve image resilience
2.2.12
- Version bump for layered images
2.2.11
- Make consul node_names non-FQDN
2.2.10
- Fix nomad-client metrics retrieval
2.2.9
- Version bump to match ini, downgrading ini would still push version up
2.2.8
- Major rework of templates, certificate issuing, and token/entity/group/role structure
2.2.7
- Major rework of templates, certificate issuing, and token/entity/group/role structure
2.2.6
- Improve metrics collection
2.2.5
- Merged PR 26, incrementing version in changelog
2.2.4
- Dummy entry, missing version increment
2.2.3
- Dummy entry, missing version increment
2.2.2
- Dummy entry, missing version increment
2.2.1
- Incrementing version number after pull request 25
2.2.0
- Many improvements to service mesh components
2.1.10
- Rebuild for FreeBSD 12_3 and 13 & pot 13
2.1.9
- Updating version for merge
2.1.8
- Fixing missing directory creation for /mnt/certs
2.1.7
- Enabling syslog-ng
2.1.6
- Updating metric certificate names
2.1.5
- Adding metrics pki to be used by loki, grafana, prometheus, node_exporter
2.1.4
- Fixing missing pipes in cook scripts from TTL changes
2.1.3
- Setting ATTL and BTTL variables for consul templates to pass in as TTL value where BTTL must be longer
2.1.2
- Setting a variable for consul templates to pass in a TTL
2.1.1
- Updating for postgres-patroni certificates
2.1
- Setting version numbers to sync with ini for potman
2.0.47
- Complete image revamp
2.0.46
- Setting stricter permissions on key.pem
2.0.45
- Further adjustments from diff output of improved cook script
2.0.44
- Fix audit.log location in unseal image. Adjust consul sysrc parameters.
2.0.43
- Consul fixes
2.0.42
- Typo escaping variable in temporary certificates script
2.0.41
- Fixup to generate temporary certificates script
2.0.40
- Security updates and improvements to strategic delay approach using Michael’s new cook script
2.0.39
- Parameter adjustment to remove unnecessary variable checks from vault type
2.0.38
- Bug-fix on gossip key
2.0.37
- Implementing mandatory variables
2.0.36
- Improving temporary certificate generation to use list of IPs passed in, single-temp-cert script
2.0.35
- Updating consul agent to tls-client-validation
2.0.34
- Switch to using jo to generate json files for vault certificate payload.json. Minor fixes.
2.0.33
- Minor fixes to script to remove duplication. Added admin script to re-generate temp certificates.
2.0.32
- Implementing solution to force always-on client tls validation temporary short-lived certificates and keys via sftp
2.0.31
- Vault client TLS verification improvements and bug fixes, certificate validation as step
2.0.30
- Vault TLS verification working, with initial leader login ignoring tls-validation and leader having it as optional
2.0.29
- Turning off consul tls verification
2.0.28
- Turning off flow-control in syslog-ng, setting 120s time_reopen, and reducing log-fifo parameter
2.0.27
- Automation scripts and pki improvements. tls-verify doesn’t work, syslog-ng with verification slows things down, raft cluster may be slow or not work
2.0.26
- Clearing syslog-ng /dev/console entries to remove log spam
2.0.25
- Updating syslog-ng and standardised cert.pem key.pem ca.pem
2.0.24
- Implementing syslog-ng with tls for remote logging
2.0.23
- Switched to quarterly package sources
2.0.22
- Optional remote syslog capability added
2.0.21
- Node-exporter TLS
2.0.20
- Telemetry improvements
2.0.19
- Fixing cron job for cert rotation
2.0.18
- Using pkg vault
2.0.17
- Improvements for consul
2.0.16
- Added missing role, fixing rotation scripts
2.0.15
- Fixes to vault policy permissions, fixing typos in docs, longer sleep timers to avoid occasional lockup
2.0.14
- New and improved git-lite build process from sparse package source
2.0.13
- Using /mnt for vault AND template and certificate store. Requires a mount-in dataset for persistence. Using latest vault from port sources instead of package version.
2.0.12
- Follower generate certificates for self, reload with TLS
2.0.11
- Generate certificates for self, reload with TLS
2.0.10
- Enabling audit.log, split to case statement for three server types unseal, leader, cluster
2.0.9
- More adjustments to vault policies
2.0.8
- Adjustments for policy and CA
2.0.7
- Removed autostart from vault file
2.0.6
- Vault login and setup raft cluster for PKI and self-signed CA
2.0.5
- Fixups for raft storage cluster with automatic unseal based on wrapped token
2.0.4
- Unseal or cluster type with raft storage, along with persistent mount-in dataset at /mnt
2.0.3
- Adjusting parameters for node-exporter service
2.0.2
- Adding prometheus node_exporter and setting up as consul service
2.0.1
- Updated to use pre-generated consul encryption key for gossip, planning for TLS
2.0
- Updated to use local consul agent and a consul cluster for data store
1.0.1
- Rebuild for FreeBSD 13 & new packages
1.0
- initiate file
These images were built on Thu Oct 31 21:48:23 UTC 2024
Manual Image Download Links
vault-amd64-14_1_2.5.2.xz
vault-amd64-14_1_2.5.2.xz.skein
vault-amd64-14_1_2.5.2.xz.skein.sig
vault-amd64-14_1_2.5.2.xz.meta
Jenkins Pot Creation Logs
vault-amd64-14_1_2.5.2:
vault/vault:
copy-in -s /usr/local/etc/pot/flavours/vault.d/local -d /root/.pot_local
vault/vault.sh:
#!/bin/sh
# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
# make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
# contains the copy-in commands for the config files from <flavour>.d/
# Remember that the package directories don't exist yet, so likely copy
# to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
# Configure the config files that have been copied in where necessary
# Set this to true if this jail flavour is to be created as a nomad
# (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script
# is installed appropriately at the end of this script
RUNS_IN_NOMAD=false
# set the cook log path/filename
COOKLOG=/var/log/cook.log
# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
echo "Creating $COOKLOG" | tee -a $COOKLOG
else
echo "WARNING $COOKLOG already exists" | tee -a $COOKLOG
fi
date >> $COOKLOG
# -------------------- COMMON ---------------
STEPCOUNT=0
step() {
STEPCOUNT=$(("$STEPCOUNT" + 1))
STEP="$*"
echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}
exit_ok() {
trap - EXIT
exit 0
}
FAILED=" failed"
exit_error() {
STEP="$*"
FAILED=""
exit 1
}
set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT
# -------------- BEGIN PACKAGE SETUP -------------
step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# only modify repo if not already done in base image
# shellcheck disable=SC2016
test -e /usr/local/etc/pkg/repos/FreeBSD.conf || \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
>/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
step "Touch /etc/rc.conf"
touch /etc/rc.conf
# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true
step "Disable sendmail"
service sendmail onedisable
step "Disable sshd"
service sshd onedisable || true
step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d
step "Clean freebsd-update"
rm -rf /var/db/freebsd-update
mkdir -p /var/db/freebsd-update
# we need consul for consul agent
step "Install package consul"
pkg install -y consul
step "Install package sudo"
pkg install -y sudo
step "Install package node_exporter"
pkg install -y node_exporter
step "Install package jq"
pkg install -y jq
step "Install package jo"
pkg install -y jo
step "Install package curl"
pkg install -y curl
step "Install package openssl"
pkg install -y openssl
step "Install package syslog-ng"
pkg install -y syslog-ng
step "Install package nginx"
pkg install -y nginx
step "Install package vault"
pkg install -y vault
step "Add vault user to daemon class"
pw usermod vault -G daemon
step "Install package consul-template"
pkg install -y consul-template
step "Patching consul-template rc scripts"
sed -i '' 's/^\(start_precmd=consul_template_startprecmd\)$/\1;'\
'extra_commands=reload/' /usr/local/etc/rc.d/consul-template || true
step "Clean package installation"
pkg autoremove -y
pkg clean -ay
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# this runs when image boots
# ----------------- BEGIN COOK ------------------
step "Clean cook artifacts"
rm -rf /usr/local/bin/cook /usr/local/share/cook
step "Install pot local"
tar -C /root/.pot_local -cf - . | tar -C /usr/local -xf -
rm -rf /root/.pot_local
step "Set file ownership on cook scripts"
chown -R root:wheel /usr/local/bin/cook /usr/local/share/cook
chmod 755 /usr/local/share/cook/bin/*
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
chmod u+x /usr/local/bin/cook
else
exit_error "there is no /usr/local/bin/cook to make executable"
fi
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG
# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook
step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
chmod u+x /usr/local/etc/rc.d/cook
else
exit_error "/usr/local/etc/rc.d/cook does not exist"
fi
if [ "$RUNS_IN_NOMAD" != "true" ]
then
step "Enable cook service"
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot
# flavour
echo "enabling cook" | tee -a $COOKLOG
service cook enable
fi
# -------------------- DONE ---------------
exit_ok
vault/vault+1:
vault/vault+1.sh:
vault/vault+2:
vault/vault+2.sh:
vault/vault+3:
vault/vault+3.sh:
vault/vault+4:
vault/vault+4.sh:
=====> Create conf dir (/mnt/srv/pot/jails/vault-amd64-14_1/conf)
=====> Cloning freebsd-potluck-amd64-14_1_0_0_31 with snap
=====> clone zroot/srv/pot/jails/freebsd-potluck-amd64-14_1_0_0_31/m@1730306249 into zroot/srv/pot/jails/vault-amd64-14_1/m
=====> Flavour: fbsd-update
=====> Starting vault-amd64-14_1 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot vault-amd64-14_1
=====> Pot vault-amd64-14_1 jail params are: allow.set_hostname=false allow.raw_sockets allow.socket_af allow.chflags exec.clean mount.devfs enforce_statfs=2 sysvshm=new sysvsem=new sysvmsg=new children.max=0 devfs_ruleset=4 stop.timeout=10 name=vault-amd64-14_1 host.hostname=vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net osrelease=14.1-RELEASE-p6 path=/mnt/srv/pot/jails/vault-amd64-14_1/m persist vnet vnet.interface=epair0b
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32 /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:58:4f:b1:84:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Clearing /tmp (X related).
Updating /var/run/os-release done.
Creating and/or trimming log files.
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting cron.
Thu Oct 31 21:45:22 UTC 2024
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on vault-amd64-14_1
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update2.freebsd.org... done.
Fetching metadata signature for 14.1-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 14.1-RELEASE-p6.
No updates are available to install.
=====> Stop the pot vault-amd64-14_1
=====> Remove p46723fa71126cc epair network interfaces
=====> unmount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
=====> unmount /mnt/srv/pot/jails/vault-amd64-14_1/m/dev
=====> Flavour: vault
=====> Executing vault pot commands on vault-amd64-14_1
=====> mount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
=====> Source /usr/local/etc/pot/flavours/vault.d/local copied in the pot vault-amd64-14_1
=====> unmount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
=====> /mnt/srv/pot/jails/vault-amd64-14_1/m/dev is already unmounted
=====> Starting vault-amd64-14_1 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot vault-amd64-14_1
=====> Pot vault-amd64-14_1 jail params are: allow.set_hostname=false allow.raw_sockets allow.socket_af allow.chflags exec.clean mount.devfs enforce_statfs=2 sysvshm=new sysvsem=new sysvmsg=new children.max=0 devfs_ruleset=4 stop.timeout=10 name=vault-amd64-14_1 host.hostname=vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net osrelease=14.1-RELEASE-p6 path=/mnt/srv/pot/jails/vault-amd64-14_1/m persist vnet vnet.interface=epair0b
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32 /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:77:2f:2a:10:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Clearing /tmp (X related).
Updating /var/run/os-release done.
Creating and/or trimming log files.
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting cron.
Thu Oct 31 21:45:59 UTC 2024
/usr/local/etc/pot/flavours/vault.sh -> /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp/vault.sh
=====> Executing vault script on vault-amd64-14_1
WARNING /var/log/cook.log already exists
Step 1: Bootstrap package repo
pkg already bootstrapped at /usr/local/sbin/pkg
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Disable sshd
sshd disabled in /etc/rc.conf
Step 6: Create /usr/local/etc/rc.d
Step 7: Clean freebsd-update
Step 8: Install package consul
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
consul: 1.19.2
Number of packages to be installed: 1
The process will require 124 MiB more space.
24 MiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Fetching consul-1.19.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Installing consul-1.19.2...
===> Creating groups
Creating group 'consul' with gid '469'
===> Creating users
Creating user 'consul' with uid '469'
===> Creating homedir(s)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Extracting consul-1.19.2: ..... done
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 10: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
node_exporter: 1.8.2
Number of packages to be installed: 1
The process will require 11 MiB more space.
4 MiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.8.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.8.2...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.8.2: .......... done
=====
Message from node_exporter-1.8.2:
--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 11: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 12: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 13: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 14: Install package openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 15: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
e2fsprogs-libuuid: 1.47.1
glib: 2.80.5,2
ivykis: 0.43.2
json-c: 0.18
libffi: 3.4.6
mpdecimal: 4.0.0
pcre2: 10.43
py311-packaging: 24.1
python311: 3.11.10
syslog-ng: 4.8.0_2
Number of packages to be installed: 10
The process will require 241 MiB more space.
34 MiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/10] Fetching ivykis-0.43.2.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [2/10] Fetching mpdecimal-4.0.0.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [3/10] Fetching py311-packaging-24.1.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [4/10] Fetching glib-2.80.5,2.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [5/10] Fetching syslog-ng-4.8.0_2.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [6/10] Fetching pcre2-10.43.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [7/10] Fetching libffi-3.4.6.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [8/10] Fetching json-c-0.18.pkg: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [9/10] Fetching e2fsprogs-libuuid-1.47.1.pkg: ...... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [10/10] Fetching python311-3.11.10.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/10] Installing mpdecimal-4.0.0...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/10] Extracting mpdecimal-4.0.0: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [2/10] Installing libffi-3.4.6...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [2/10] Extracting libffi-3.4.6: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [3/10] Installing python311-3.11.10...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [3/10] Extracting python311-3.11.10: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [4/10] Installing py311-packaging-24.1...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [4/10] Extracting py311-packaging-24.1: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [5/10] Installing pcre2-10.43...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [5/10] Extracting pcre2-10.43: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [6/10] Installing ivykis-0.43.2...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [6/10] Extracting ivykis-0.43.2: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [7/10] Installing glib-2.80.5,2...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [7/10] Extracting glib-2.80.5,2: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [8/10] Installing json-c-0.18...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [8/10] Extracting json-c-0.18: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [9/10] Installing e2fsprogs-libuuid-1.47.1...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [9/10] Extracting e2fsprogs-libuuid-1.47.1: .......... done
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [10/10] Installing syslog-ng-4.8.0_2...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [10/10] Extracting syslog-ng-4.8.0_2: .......... done
==> Running trigger: gio-modules.ucl
Generating GIO modules cache
==> Running trigger: glib-schemas.ucl
Compiling glib schemas
No schema files found: doing nothing.
=====
Message from python311-3.11.10:
--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:
py311-gdbm databases/py-gdbm@py311
py311-sqlite3 databases/py-sqlite3@py311
py311-tkinter x11-toolkits/py-tkinter@py311
=====
Message from syslog-ng-4.8.0_2:
--
syslog-ng is now installed! To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:
1. Create a configuration file named /usr/local/etc/syslog-ng.conf
(a sample named syslog-ng.conf.sample has been included in
/usr/local/etc). Note that this is a change in 2.0.2
version, previous ones put the config file in
/usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
move that file in the right place
2. Configure syslog-ng to start automatically by adding the following
to /etc/rc.conf:
syslog_ng_enable="YES"
3. Prevent the standard FreeBSD syslogd from starting automatically by
adding a line to the end of your /etc/rc.conf file that reads:
syslogd_enable="NO"
4. Shut down the standard FreeBSD syslogd:
kill `cat /var/run/syslog.pid`
5. Start syslog-ng:
/usr/local/etc/rc.d/syslog-ng start
Step 16: Install package nginx
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
nginx: 1.26.2_5,3
Number of packages to be installed: 1
The process will require 2 MiB more space.
558 KiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Fetching nginx-1.26.2_5,3.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Installing nginx-1.26.2_5,3...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Extracting nginx-1.26.2_5,3: .......... done
=====
Message from nginx-1.26.2_5,3:
--
Recent version of the NGINX introduces dynamic modules support. In
FreeBSD ports tree this feature was enabled by default with the DSO
knob. Several vendor's and third-party modules have been converted
to dynamic modules. Unset the DSO knob builds an NGINX without
dynamic modules support.
To load a module at runtime, include the new `load_module'
directive in the main context, specifying the path to the shared
object file for the module, enclosed in quotation marks. When you
reload the configuration or restart NGINX, the module is loaded in.
It is possible to specify a path relative to the source directory,
or a full path, please see
https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/ and
http://nginx.org/en/docs/ngx_core_module.html#load_module for
details.
Default path for the NGINX dynamic modules is
/usr/local/libexec/nginx.
Step 17: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vault: 1.17.1
Number of packages to be installed: 1
The process will require 301 MiB more space.
52 MiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Fetching vault-1.17.1.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Installing vault-1.17.1...
===> Creating groups
Creating group 'vault' with gid '471'
===> Creating users
Creating user 'vault' with uid '471'
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Extracting vault-1.17.1: ..... done
=====
Message from vault-1.17.1:
--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:
pw usermod -L daemon -n vault
or delete the user and reinstall the package.
You may also need to increase memorylocked for the daemon class in
/etc/rc.conf to more than 1024M (the default) or more:
vault_limits_mlock="2048M"
Or to disable mlock, add:
disable_mlock = 1
to /usr/local/etc/vault.hcl
Step 18: Add vault user to daemon class
Step 19: Install package consul-template
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
consul-template: 0.39.1_1
Number of packages to be installed: 1
The process will require 13 MiB more space.
4 MiB to be downloaded.
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Fetching consul-template-0.39.1_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Installing consul-template-0.39.1_1...
[vault-amd64-14_1.vsf00002.cpt.za.honeyguide.net] [1/1] Extracting consul-template-0.39.1_1: ..... done
Step 20: Patching consul-template rc scripts
Step 21: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
The following package files will be deleted:
/var/cache/pkg/vault-1.17.1.pkg
/var/cache/pkg/consul-1.19.2.pkg
/var/cache/pkg/libffi-3.4.6~fd98d45274.pkg
/var/cache/pkg/py311-packaging-24.1.pkg
/var/cache/pkg/nginx-1.26.2_5,3~c661473bb4.pkg
/var/cache/pkg/python311-3.11.10~cb79fb66a1.pkg
/var/cache/pkg/glib-2.80.5,2~38b600c6e1.pkg
/var/cache/pkg/e2fsprogs-libuuid-1.47.1~0fb76de6b2.pkg
/var/cache/pkg/pcre2-10.43.pkg
/var/cache/pkg/json-c-0.18.pkg
/var/cache/pkg/glib-2.80.5,2.pkg
/var/cache/pkg/node_exporter-1.8.2.pkg
/var/cache/pkg/consul-template-0.39.1_1~977bca05de.pkg
/var/cache/pkg/vault-1.17.1~e133bde09b.pkg
/var/cache/pkg/consul-template-0.39.1_1.pkg
/var/cache/pkg/syslog-ng-4.8.0_2.pkg
/var/cache/pkg/json-c-0.18~2f6d027e36.pkg
/var/cache/pkg/e2fsprogs-libuuid-1.47.1.pkg
/var/cache/pkg/pcre2-10.43~3eed9a902f.pkg
/var/cache/pkg/python311-3.11.10.pkg
/var/cache/pkg/ivykis-0.43.2.pkg
/var/cache/pkg/py311-packaging-24.1~89090d9923.pkg
/var/cache/pkg/ivykis-0.43.2~16184ec884.pkg
/var/cache/pkg/mpdecimal-4.0.0.pkg
/var/cache/pkg/consul-1.19.2~1237b5e508.pkg
/var/cache/pkg/nginx-1.26.2_5,3.pkg
/var/cache/pkg/node_exporter-1.8.2~3a2970bf22.pkg
/var/cache/pkg/libffi-3.4.6.pkg
/var/cache/pkg/syslog-ng-4.8.0_2~fffb3d9bd1.pkg
/var/cache/pkg/mpdecimal-4.0.0~bea21de105.pkg
The cleanup will free 118 MiB
Deleting files: .......... done
Step 22: Clean cook artifacts
Step 23: Install pot local
Step 24: Set file ownership on cook scripts
Step 25: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 26: Create rc.d script to start cook
creating rc.d script to start cook
Step 27: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 28: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====> Stop the pot vault-amd64-14_1
=====> Remove p46723fa97126cc epair network interfaces
=====> unmount /mnt/srv/pot/jails/vault-amd64-14_1/m/tmp
=====> unmount /mnt/srv/pot/jails/vault-amd64-14_1/m/dev
===> exporting vault-amd64-14_1 @ 1730411207 to /tmp/vault-amd64-14_1_2.5.2.xz