Running poudriere in ezjail

Ever since poudriere was published, I felt the obligation to run a public repository with packages tuned to my needs (i.e. without X11, without Java, with a certain TLS library as default, etc). But considering this tool's complexity, I never felt comfortable running it on a production system's host. So naturally I've been looking for a way to jail it away and only 2 years after this tutorial outlined how that works, I managed to acutally try it out. Long story short: This guide kinda works and I got poudriere running in a jail. But I want the jail to automatically start up, get the correct dataset attached and receive all permissions needed to do zfs stuff and creating its own builder jails, in other words: I wanted to embed it as an ezjail.

Now, turns out, that's actually not so hard: If you're running ezjail with zfs enabled, you first create the dataset for poudriere to work on:

zfs create -o jailed=on tank/poudriere

then you just create your poudriere jail, making sure to pass it an ::1 IP address:

ezjail-admin create -c zfs poudriere 127.0.0.1,lo0|::1

and then manually edit the two config lines in /usr/local/etc/ezjail/poudriere to read:

export jail_poudriere_parameters="children.max=10 allow.mount=1 allow.mount.devfs=1 allow.mount.procfs=1 allow.mount.zfs=1 allow.mount.nullfs=1 allow.raw_sockets=1 allow.socket_af=1 allow.sysvipc=1 allow.chflags=1 enforce_statfs=1"
export jail_poudriere_zfs_datasets="tank/poudriere"

dont forget that this jail needs a resolv.conf, too and now you can just:

ezjail-admin console -f poudriere

and follow the FreeBSD handbook section on poudriere to get your poudriere jobs running. Since I wanted the web server jail to serve the packages, I exposed them in /etc/fstab.www_domain.com by adding a line:

/usr/jails/poudriere/tank/poudriere/data/packages /usr/jails/www.domain.com/packages nullfs ro 0 0

and after an ezjail-admin restart www.domain.com, you should be able to use the packages built by adding a /usr/local/etc/pkg/repos/www.conf of:

www: {
  url: "file:///packages/103amd64-local-workstation/",
  enabled: yes
}

Update: Should you be missing the file systems inside your poudriere jail, make sure to mount them in your periodic script that runs poudriere (using zfs mount -a, before running poudriere), or take a look at the thread on the ezjail mailing list regarding rc.d/zfs not finding the dataset when it's run.