October’s Ostrogothic Sausage

[This article contains RYOMS gift spoilers for print-level sponsors and Patronizers. I think everyone has their packages, but just in case, you’ve been warned.]

[This post went to Patronizers at the beginning of October, and the public at the beginning of November. Not a Patronizer? You could be, for the low price of $12 a year all the way up to the high price of “however much money you want to dispose of.”]

It’s Halloween Month, and there was much rejoicing.

I perform one experiment with every project I do. Sometimes, like with RYOMS, I do two. I’ll discuss the boring experiment at the end of this post, but let’s start with the one that bit me.

For the Run Your Own Mail Server Kickstarter, my experiment was “drop shipping.” A reader buys the book from me, I order it from the printer and have it shipped directly to the reader. Seems fine, right? I discussed the problems with the EU’s IOSS last month, but this month has uncovered new wrinkles.

Dropship books might take weeks to deliver. If I’m lucky.

They might or might not get tracking numbers, depending on the recipient’s country, but the form email the printer sends includes the text “Here is your tracking number.” If they won’t give a tracking number, that space is blank. People are understandably confused. I can say “give me a tracking number for all shipments,” but printers charge a great deal for that. Some destinations are only $20 in shipping, but some are over a hundred dollars! There’s no way to tell before you order. It’d be cheaper to give up on dropshipping altogether.

I’ve said many times that I believe in incremental progress, not virality. Expecting that your project will go viral is a great way to fail. While I don’t believe in virality, virality believes in me. Suddenly I was performing my little dropship experiment on hundreds of people. A smarter author would have limited the number of dropships to a manageable level, but “smarter author” goes in the same heap as “jumbo shrimp” and “Trump’s intelligence.” I suspect the dropships were part of why this campaign went viral, though.

So now I’m managing expectations for hundreds of people, and I’m not entirely sure when the books will arrive or where they are. Because no tracking numbers.

The next time I do an experiment with something that runs a risk of going viral, I’ll be labeling that option “experimental” and add text like, “I have learned how this is done and understand the mechanical process, but have no personal experience with it in the real world. I have no idea what the problems will be, but I will work through them and communicate.”

New words proceed slowly, thanks to me shipping about five hundred signed books this month and various family emergencies. While I can have my job as long as I do the work, I also have the most flexible schedule. This means that if a parent winds up in the hospital, I’m elected to deal with it. Lucky me!

But initial feedback on RYOMS is mostly positive. Except for the dropshippers, and they’re complaining about delivery rather than the book itself. Publishing is hard, y’all.

So then there’s my second experiment. It affects sponsors. I talked about my Reader Acquisition Funnel over a year ago, but as a quick reminder: that’s the process I use to lure readers into a closer tie with my work. It has nine layers, just like Dante’s Inferno.

  1. Read my free or discounted samples (articles in magazines, free first in series, sample pages in bookstore, library check-out)
  2. Buy my books through retail channels
  3. Social media follow
  4. Sign up for my mailing list
  5. Buy books directly from me
  6. Kickstarter
  7. Sponsor
  8. Regular monthly contributor (you folks!)
  9. You do all my chores so I can write more

My goal is to lure people down into the deepest layers so it’s harder for them to escape, and to cut out middleman fees. But if I’m offering backer-exclusive special editions on Kickstarter, I need to offer something to entice those people to descend into sponsorship. The special editions are exclusive to prepublication backers, but what do the sponsors get?

For RYOMS, the sponsors got this.

It’s the RYOMS Challenge Coin! It’s weighty. The rat is solidly three-dimensional, looming out of the coin. Plus, I firmly believe that SIGYIKES would be a valuable addition to Unix.

Which is perhaps the daftest thing I’ve ever done–other than the Manly McManface edition of Ed Mastery, of course.

And the Networknomicon.

Okay, yeah, fine, there’s the systemd satirical erotica.

And the blockchain dystopian erotica.

Look, we could be here all day. Let’s move on.

The minimum cost-effective press run is 100 coins. The only way to get this is to be a print sponsor or print-level Patronizer. I do have a few extra coins that I’ll use to solve fulfillment problems. Any survivors will be auctioned off for charity. The coins seem to amuse people, so if I ever have another book with 100 print sponsors I’ll probably do it again. I must offer something unique to lure people deeper down the funnel, after all!

I must once again thank y’all for hanging out in Malbolge with me. I’m not saying that my career is a fraud–no, wait, I say that all the freaking time. At least I’m honest about it. I’m sure that’ll count for something when I reach the Afterlife. Not that I believe in an Afterlife, but if it’s a real thing I’ll be able to shout “Yay, I was proven wrong!” which is infinitely better than not having the chance to lament being correct as the neural network I call me dissolves into the Void. It’s Pascal’s Wager in reverse.

On the 15th of this month I’ll be launching the Dear Abyss Kickstarter and sponsorships for Networking for Systems Administrators, 2nd Edition. Because a sane release schedule is something that happens to neurotypical neural networks.

And with that, I better go make some words.

“Dear Abyss” live on Kickstarter

Confession time: I don’t love Kickstarter. I don’t love money either, but it does seem to be a dependency when living in capitalism.

When I release a book on my site, I sell a few copies. When I launch it on Kickstarter, sales go up tenfold.

So: Dear Abyss is live on Kickstarter. The book exists, and the moment I get paid it goes to everyone.

Backers immediately get a copy of Letters to ed(1), the out-of-print three-year compilation.

New short story in Pulphouse? I read the opening

My short story “The Rats’ Man’s Lackey and the Bringer of Leaves” is in issue #33 of Pulphouse Magazine. I’m sharing the issue with folks like Kevin J. Anderson and Nina Kiriki Hoffman.

I’ve missed a couple episodes of “60 Seconds of WIP” because of the Kickstarter fulfillment, which is only a problem as I’ve fallen behind on my reading practice. So I recorded the opening of my story.

To save the sanity of us all, I learned how to capture a single frame of a video and make Youtube use it as a thumbnail. Otherwise, merely clicking on the link would show you my stupid face.

Grab Pulphouse #33 at your favorite bookstore.

“Networking for Systems Administrators, 2nd ed” open for sponsorship

TLDR: “Networking for Systems Administrators, 2nd Edition” is open for sponsorships at https://www.tiltedwindmillpress.com/product/n4sa2e-sponsor/ and I would appreciate your support.

Longer version:

Every large company I’d ever worked in since 1995 suffered from a continuous feud between the sysadmins and the network team. One team would demand an inch, the other would insist on 25.4 millimeters, and battle was declared. As someone with an ankle shackled in each world, I quickly reached two conclusions.

One, the job is hard enough without us arguing past each other.

Two, everybody involved needed a short sharp visit from the Slap Fairy.

About ten years ago I achieved my lifelong goal of becoming a full-time writer, and promptly lost my mind. I could keep being a writer so long as I kept bringing in money. If I didn’t bring in money, I’d get stuffed back in a cubicle. I had to write books, and quickly. I had made a list of titles I could spew fast. One of them was “Networking for Systems Administrators,” meant to end that feud or at least bring about a ceasefire.

Because my other goal was “pay the mortgage before I get stuffed back into a cubicle,” I slammed out that manuscript in about a month.

To my surprise, it was well-received. Managers bought the book in bulk to distribute to their staff. Network administrators bought it to give to select colleagues. Sysadmins bought it so they could successfully argue with their network administrators.

It’s been ten years, and that book needs updating. Some of the commands have changed. 100Mb Ethernet is rare, while 10G and 100G are almost common. There are all those tidbits I could have done better, if I hadn’t been driving myself too hard. Let’s Encrypt made TLS omnipresent, so I need to add that. And of course it must have a proper Eddie Sharam cover.

If I get ~100 print sponsors I’ll do another challenge coin, like the one I did for Run Your Own Mail Server (https://mwl.io/archives/23836).

So, yeah. https://www.tiltedwindmillpress.com/product/n4sa2e-sponsor/ is my effort to bring a tiny peace to IT departments around the world. I would be grateful for your sponsorship, and your support with the mortgage part.

Thank you for your consideration.

PS: I should also mention that my collected FreeBSD Journal advice columns, Dear Abyss, is going to kickstarter soon. “Dear Abby for Sysadmins” isn’t going to sponsorship, but if you’re interested you might check it out. (https://mwl.io/ks)

Patronizers, Sponsors, and Kickstarter Backers

People can support my work by buying my books, through whatever channels they prefer. I also have my Patronizer program, offer sponsorships of individual titles, and take early orders via Kickstarter. Folks ask me what the differences are between these three things.

Patronizers send me money every month, either through Patreon or my store. They get everything that sponsors and Kickstarter backers get. If you receive my books in print, and I send sponsors a physical gift, you get that gift. Patronizers who receive digital rewards get any digital rewards that sponsors and Kickstarter backers get. Patronizers are thanked by name in the Acknowledgements in the front of everything. Any print books are signed with a personal thank-you note.

Sponsors back a particular book. I offer sponsorships only for tech books. If you don’t want to back every daft thing I do, or fear I will soil your name by thanking you for atrocities, or you have enough fiscal responsibility to not send me money monthly for no good reason, sponsorships are for you. When the book comes out, sponsors receive a gift. The gift might or might not be the book. It might be related to the book. It might amuse only me. Sponsors are thanked in the back of the book. Any print books are signed with a personal thank-you note.

Kickstarter is basically pre-orders. Backers get a chance to purchase any limited editions I create. Their name doesn’t go in the books. I sign print books but don’t personalize.

Practically, how does this work? Now that everyone’s had a chance to get their gifts, here’s what I did for Run Your Own Mail Server.

Print sponsors received a special edition of the book, (Ruin Your Mail By Running It Yourself). It will never be in stores, although I have a few extras that will wind up in charity auctions.

They also got a metal challenge coin. I’m quite pleased with how these came out. This coin will never be re-issued. I have a few extras that will, again, go to charity.

Why these? Because they amused me. Seriously. That’s it.

Print-level Patronizers got both. They also didn’t know what was coming.

Kickstarter backers could get the RYOMS Special Edition. They didn’t know what it was either. They did not get the challenge coin, however.

Why do it this way? My second business goal is to lure people into buying direct from me, eliminating middlemen like Amazon. (My first business goal is to pay the mortgage.) The more direct our relationship, the more crap I give you. Or, if you prefer: the further you descend down the Reader Acquisition Funnel, the more I try to weigh you down so that you can never climb out.

Or:

If you buy my books, I appreciate you.

If you preorder my books at release time, I appreciate you more.

If you back a book before I’ve finished writing the silly thing, I gotta make it worth your while.

If you send me money every month, I must show my sincere gratitude.

Building Mastodon Bots is Stupid Easy

I just updated the footnote fortune file for Patronizers. Yes, my Patronizers get a Unix fortune file containing all the footnotes from my nonfiction books. I thought it was daft, but apparently a few readers actually use the dang thing. My exhausted brain wondered, “How hard would it be to build a Mastodon bot that posted one of these every few hours?” Turns out: not hard at all.

First, install toot (https://toot.bezdomni.net/). FreeBSD packages it as py311-toot.

Then register an account for your bot, using the regular Mastodon web interface. I registered @quotebot@io.mwl.io. (Yes, I have my own fedi instance. My main account is @mwl@io.mwl.io. No, you can’t have an account on it.)

$ toot login
Enter instance URL [https://mastodon.social]: https://io.mwl.io
This authentication method requires you to log into your Mastodon instance in
your browser, where you will be asked to authorize toot to access your
account. When you do, you will be given an authorization code which you need
to paste here.

Login URL:
https://io.mwl.io/oauth/authorize/?response_type=code&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=read+write+follow&client_id=FPzkCcqnGBLNO5Vo4V95CvfilcyRlMIrOSN1ncgxZmI
Open link in default browser? [Y/n]: n

This server’s default browser is Lynx. For whatever reason it can’t display the entire authorization code. Lynx is used for low-vision accessibility testing, so I suspect that the masto interface has an accessibility problem. I copied the link, opened it in my desktop’s Firefox, and copied the authorization code.


Authorization code: i6OsrQq77knbO4Gq.....

✓ Successfully logged in.

I can now toot from the command line.

$ toot post "test from toot cli"
Toot posted: https://io.mwl.io/@quotebot/113249574738108310

Go look in the web interface, and you’ll see the post. Easy enough.

Posting from a program is easy enough.

$ quote-source | toot post

Now I need a quote source. I could use something database-driven but I happen to have the mwlfortune file handy, so I’ll stick it in a mwlquotes directory. I’d like more than the footnotes so here’s a sample of another quotes file. Each quote is plain text, separated by a percent sign. I won’t be methodically adding to this, but if I’m digging through something old and see a suitable line I’ll add it.


Someone had brought cake. Someone was a bastard.
%
The only universal configuration language is despair.

Now build the fortune data files.

$ strfile -c '%' mwlfortune
"mwlfortune.dat" created
There were 582 strings
Longest string: 421 bytes
Shortest string: 6 bytes
$ strfile -c '%' bodyquotes
"bodyquotes.dat" created
There were 2 strings
Longest string: 54 bytes
Shortest string: 49 bytes

If you give the directory as an argument to fortune(1), it will pick a fortune at random from the combined files.

$ fortune /home/mwl/mwlquotes
Yes, that's megabytes--you know, the unit below gigabytes. Yes,
megabytes can apply to disks.

Try it a couple more times and you’ll see we get random quotes.

Dumping this into our bot is pretty simple.

$ fortune mwlquotes/ | toot post

Initial tests show a problem, though. Fortunes respect terminal standards, and include mid-sentence newlines. Fediverse posts do not. We need to get rid of the newlines. I wound up with this bot script.

#!/bin/sh

fortune /usr/local/share/mwlquotes/ | tr '\n' ' ' | toot post

Why put this in a script? So I can edit it easily later.

Now put this in my personal cron. Most folks said posting every six hours would be reasonable, so that’s where I’m starting.

13 */6 * * * /usr/local/scripts/quotebot.sh

That’s it. Every six hours, at thirteen minutes past the hour, the bot followers get a random quote from one of my books. Took about two hours to fully implement, including writing this post.
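As an added example (not the author’s quotebot.sh), here is the same pipeline broken into shell functions with two extra guards: runs of whitespace left over from the newline conversion are squeezed to a single space, and a fortune longer than the instance’s per-post limit is logged and skipped instead of being passed to toot for the server to reject. The 500-character limit is Mastodon’s default and an assumption about the instance; the fortune directory is the one from the script above.

```shell
#!/bin/sh
# Added example (not the page's quotebot.sh): same pipeline, with whitespace
# squeezing and a length guard before the post reaches toot.
MAX_POST_CHARS=${MAX_POST_CHARS:-500}   # Mastodon's default per-post limit (assumption)
QUOTE_DIR=${QUOTE_DIR:-/usr/local/share/mwlquotes/}

# Turn a multi-line fortune into one line: newlines become spaces, runs of
# spaces collapse to one, leading/trailing space is trimmed.
flatten_fortune() {
    tr '\n' ' ' | tr -s ' ' | sed 's/^ *//; s/ *$//'
}

# Succeed only if the text fits in one post.
fits_limit() {
    [ "${#1}" -le "$MAX_POST_CHARS" ]
}

# Pick a fortune from the given directory, flatten it, and post it;
# log and skip oversized ones instead of posting them.
post_fortune() {
    text=$(fortune "$1" | flatten_fortune)
    if fits_limit "$text"; then
        printf '%s\n' "$text" | toot post
    else
        logger -t quotebot "skipped fortune of ${#text} chars (limit $MAX_POST_CHARS)"
        return 1
    fi
}

# Cron entry as in the post, with "run" as the argument:
#   13 */6 * * * /usr/local/scripts/quotebot.sh run
if [ "${1:-}" = run ]; then
    post_fortune "$QUOTE_DIR"
fi
```

The `run` argument keeps the script from posting when it is merely sourced to reuse the functions elsewhere.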

Mail Talk 8 October 2024, with bonus Craig Maloney Memorial Charity Auction starting–NOW

Next Tuesday, 8 October 2024, I’ll be talking about Running Your Own Mail Server at mug.org, 6:30PM EDT. MUG is my local “hard-core Unixy People” group. Giving a talk during a book release is bad planning, but I am crap at scheduling.

One of its members was Craig Maloney. Many years ago Craig asked me if I was the same Michael Lucas who had written a couple RPG books in the 1990s. I admitted my guilt. He pulled an obviously-read plastic-bagged copy of Gatecrasher out of his backpack and asked me to sign it. The dude had friends across the world and did his best to boost us all. An all-around great guy, who sadly lost his life to cancer earlier this year.

Craig had sponsored Run Your Own Mail Server. I am now left with his sponsor gifts. I’ve checked with Craig’s family, and they’re okay with me auctioning them off for charity. The Craig Maloney Memorial Auction runs on this page from now until my MUG talk ends.

The sponsor gifts will never be available in bookstores, at least not new. (I do have a few extras that I will auction off for charity over the rest of my life, but I’ll stretch those out.) I don’t want to describe them here because not all the sponsors have their gifts yet and I’d rather not spoil the surprise, but you can see photos at link 1 and link 2.

I’m going to end this auction a little differently, though. The auction will close at the end of Tuesday’s mug.org talk. I’ll ask live, online for any last bids. You can bid by posting on the page or in the video session. The auction will close when bidding stops. Comment on this post to bid. Once the auction ends, I’ll notify the winner. The winner sends me the donation receipt and I ship the gifts. I pay for shipping.

The beneficiary is Mutual Aid Disaster Relief. They’re as close to the ground as you can get these days, and donations are tax-deductible in the US. You can choose from several donation targets. I don’t care if you donate cash, fill an Amazon shipment with the North Carolina wishlist, target Puerto Rico, or whatever. Just get them the money and get a receipt.

Anyway, leave a comment to bid. Good cause. Ridiculous prize.

September’s Sibilant Sausage

[this post went to Patronizers at the beginning of September, and to the public at the beginning of October.]

Pretty sure August was eating locoweed.

The “Run Your Own Mail Server” Kickstarter owned most of my hide this last month. Not all of it. A patch on the back of my neck remains freehold. I managed to make a few words on what I’m calling #projectIDGAF, but mostly it’s been investing in production stuff. Which means spreadsheets.

My main printer, IngramSpark has facilities in the US, UK, Australia, and Italy. When I launched the RYOMS Kickstarter, I intended to dropship copies through them. Turns out, it’s not quite that easy. Part of the problem was scale. Based on previous Kickstarters, I thought I might need to dropship to thirty, perhaps fifty people. I got over seven hundred. The IngramSpark ordering interface is tortuous. I am not capable of correctly entering seven hundred orders in that interface. I began looking for a virtual assistant. Found one.

Then I discovered a way out.

Turns out that IngramSpark has a secret industrial-scale ordering system that accepts orders via spreadsheet. Gaining access to it requires you have a friend who already has access, who is willing to vouch for you. Fortunately, I have such a friend. You also need to be submitting several hundred orders. I barely qualified. (Random people on the Internet, please don’t contact me asking me to vouch for you. I don’t endorse random Internet people.) It’s an Excel spreadsheet, complete with macros, that must be filled out in a very specific manner. You know, like every application written in-house by non-programmers. Once you grow accustomed to its quirks, though, it’s infinitely better than entering orders by hand.

I’m keeping the virtual assistant info, though. With luck, I’ll need them later.

When it came to ordering books for backers in the EU, the plan fell apart. The EU has VAT. I have never worried about VAT. I don’t have to worry about VAT until I hit ten thousand euros of EU business per year. Even with RYOMS, I didn’t hit that. When I ship from the US, recipients pay VAT as part of the delivery. It varies by country, but the general pattern seems to be “recipient is contacted, recipient goes to a web site to pay, carrier delivers package.” My sponsors and Patronizers are pretty familiar with how that works.

When I cross ten thousand euros a year, I have to register for the Internet One Stop Shop VAT. This is expensive, but if I’m doing over ten thousand euros a year it would start to be worth it. That’s very much a First World Author problem, though.

If I print books inside the EU, the books would be mailed to recipients without those fees. The problem is getting people to print books in the EU. IngramSpark’s interface to their Italian plant is in the UK, and is legally treated as a UK entity. (I don’t pretend to understand the details, but presumably they have the contracts and lawyers to make it legit.) Brexit fubar’d everything for me there. There are other printers in the EU, however. Some of them would print a few hundred books for me! Except every one of them wants my IOSS paperwork beforehand. It doesn’t matter that I don’t need IOSS. Printers run quite conservative businesses, and take zero risks. It doesn’t matter that even with the lightning strike of RYOMS I don’t meet IOSS limits.

So I’m shipping most backers globally from IngramSpark. Based on the advice of assorted experienced folks, I’m using BookVault to fulfill EU orders. The books will be shipped from the UK, which is greener than shipping from the US.

I started fulfilling dropship orders in Australia, mostly because I needed a smaller group to test Ingram’s spreadsheet ordering but also because Australia is traditionally last in everything. The Australian copies have started to arrive. The rest of the world should follow shortly.

Then there’s books for me to sign. I have four crates of paperbacks in my living room to sign, pack, and ship. Hoping the hardcovers arrive soon, as well as the backer-exclusive special editions. I have something special for print level sponsors and Patronizers this time. Silly, but special. I’m hoping I can tell you about that next month, but the recipients need to receive them first.

Once those go out, I can launch the Dear Abyss Kickstarter. Quite a few people are telling me that the RYOMS Kickstarter is my new normal. As much as I’d love to trade up to that problem, I have no reason to believe that’s so. And seriously, Dear Abyss is not going to push me over the IOSS limit. If the new edition of Networking for Systems Administrators was to also experience explosive crowdfunding I’d look more seriously at IOSS, but not before. I don’t act based on lightning strikes until I start consistently attracting lightning.

Am I ignoring the success of RYOMS in my planning? Nope. There’s clearly a market for crowdfunding tech books. I’m hoping it will raise $20k, but will leave headroom for more. Hope for the best and plan for WTF, that’s the business.

After all these big projects, I need to write a palate cleanser. Something daft, and quick, and fun. I’m starting something I won’t talk about in public, yet, but if you’re curious you could follow #projectIDGAF on the fediverse. Why that hashtag? I have no idea if this thing will work, or even if it can work, but I’m going to have fun with it and that’s all that matters. I’d like to knock a full draft off by the end of September, but we all know that’s not going to happen. After a few years of these heavy projects like RYOMS, SNMP, TLS, and so on, my spirit needs a quick hit of weirdness.

In unrelated news, I sold five short stories to various anthologies at the beginning of the month. They include a new Aidan Redding tale, a Rats’ Man’s Lackey tale, and some one-offs. Look for those to escape in 2025. I’ll also have a new Rats’ Man’s Lackey tale in the next issue of Pulphouse.

Anyway. Off to sign a bunch of paperbacks, and maybe even get them mailed!

“Run Your Own Mail Server” is leaking out

My latest tech book, Run Your Own Mail Server, is starting to creep into bookstores. The book entry on my web site links to various stores that carry it, and will be updated as more stores appear.

Paperbacks are available on Amazon and will reach other stores shortly. They’ll be in the Ingram catalog, so you can have your local bookstore order them via ISBN 9781642350784.

Hardcovers are pending. Once the Ingram databases finish churning, they’ll also be available everywhere. Ask your bookstore to order ISBN 9781642350791.

I’m working with BookVault to manage direct print sales from my web site, but their Woocommerce plugin hit my store and promptly soiled itself. In their defense very few authors have been running direct sales for over ten years, and most of those don’t have as many features as tiltedwindmillpress.com.

Speaking of my bookstore, you can get the ebook there.

Moving Virtual Machines to Jails

I recently learned that I could rent a dedicated machine from bloom.host for less than I’ve been paying for my virtual machines. Time to move some VMs to jails! Here’s the notes I’ve left for myself. All of my VMs run ZFS.

First, clean up unneeded boot environments, remove any unnecessary crap that lingered on the VM, apply all security updates, and in general tidy up the source VM.

Then decide how you want to flip services over. The cleanest way is to shut down all services and start the migration, but you might need to guarantee uptime. It’s up to you. I chose to leave services running during an initial replication, shut down services, do a final snapshot with an incremental replication, start the new jail, and change DNS to the new addresses. Figure out your own uptime requirements.

Start by creating a recursive snapshot of the system.

# zfs snapshot -r zroot@bloom

At a convenient time, I’d go to destination host and pull the snapshots over. The snapshots need to go into a directory on the zroot/jails dataset, named after the VM the jail will replace.

$ ssh mwlucas@www.mwl.io zfs send -Rc zroot@bloom | zfs recv -v -o mountpoint=/www zroot/jails/www

This might take a while, so follow up with an incremental right before the actual migration.

$ ssh mwlucas@www.mwl.io zfs send -Rci zroot@bloom2 zroot@bloom3 | zfs recv -v -o mountpoint=/jails/www zroot/jails/www

If you’ve tampered with the new datasets between copies, you’ll get an error.

receiving incremental stream of www/ROOT@bloom3 into zroot/jails/www/ROOT@bloom3
cannot receive incremental stream: destination zroot/jails/www/ROOT has been modified
since most recent snapshot
warning: cannot send 'www/ROOT/default@bloom3': signal received
Broken pipe

Roll back the problem dataset.

# zfs rollback zroot/jails/www/ROOT@bloom2
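The snapshot, full send, and incremental catch-up above, wrapped into functions as an added example (not the author’s script). Host, pool and dataset names are the ones from these notes and can be overridden through the environment; `ZFS` and `SSH` can be pointed at stubs for a dry run. One addition of mine: the incremental receive uses `zfs recv -F`, which rolls every destination dataset back to its newest snapshot before receiving, so the “destination has been modified since most recent snapshot” abort shown above cannot happen; the manual `zfs rollback` is the equivalent by hand.

```shell
#!/bin/sh
# Added example, not the author's script: the VM-to-jail replication steps
# from these notes as functions. Names below come from the notes; override
# them in the environment. Set ZFS/SSH to stubs for a dry run.
SRC_HOST=${SRC_HOST:-mwlucas@www.mwl.io}
SRC_POOL=${SRC_POOL:-zroot}
DST_DATASET=${DST_DATASET:-zroot/jails/www}
DST_MOUNT=${DST_MOUNT:-/www}
ZFS=${ZFS:-zfs}
SSH=${SSH:-ssh}

# Recursive snapshot of the whole source pool, e.g. snapshot_source bloom.
snapshot_source() {
    $SSH "$SRC_HOST" $ZFS snapshot -r "$SRC_POOL@$1"
}

# Full replication of that snapshot into the jail dataset. -R keeps the
# recursive layout, -c sends already-compressed blocks as they are on disk.
full_replicate() {
    $SSH "$SRC_HOST" $ZFS send -Rc "$SRC_POOL@$1" \
        | $ZFS recv -v -o mountpoint="$DST_MOUNT" "$DST_DATASET"
}

# Incremental from snapshot $1 to $2. recv -F rolls each destination
# dataset back to its latest snapshot first, so a modified destination
# does not abort the stream part-way through.
incremental_replicate() {
    $SSH "$SRC_HOST" $ZFS send -Rc -i "$SRC_POOL@$1" "$SRC_POOL@$2" \
        | $ZFS recv -vF "$DST_DATASET"
}

# Whole sequence: initial copy while services still run, then, once services
# on the VM are stopped, a final snapshot and a short incremental catch-up.
migrate() {
    snapshot_source "$1"
    full_replicate "$1"
    echo "stop services on $SRC_HOST now, then press Enter" >&2
    read -r _
    snapshot_source "$2"
    incremental_replicate "$1" "$2"
}

# Usage: migrate.sh <first-snapshot> <final-snapshot>, e.g. migrate.sh bloom bloom2
if [ $# -eq 2 ]; then
    migrate "$1" "$2"
fi
```

Running it with `ZFS='echo zfs'` prints every command without touching a pool, which is a cheap way to check the dataset names before the real run.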

Data’s moved over, but there’s trouble.

$ zfs list
...
zroot/www                  39.6G   776G   132K  /www
zroot/www/ROOT             22.5G   776G   132K  /www/ROOT
zroot/www/ROOT/default     22.5G   776G  21.8G  /www/ROOT/default
zroot/www/usr              10.9G   776G   132K  /www/usr
zroot/www/usr/home         9.37G   776G   384K  /www/usr/home
zroot/www/usr/home/acme    7.10M   776G  7.10M  /www/usr/home/acme
...

The jail boots from the boot environment /www/ROOT/default, but the jail’s root dataset is zroot/www, mounted at /www. It’s empty. Shuffling datasets and rearranging inheritance is a pain, so I just duplicated the contents.

# zfs mount zroot/jails/www/ROOT/default

$ tar cfC - /jails/www/ROOT/default/ . | tar xvpfC - /jails/www/

# zfs list zroot/www
NAME             USED  AVAIL  REFER  MOUNTPOINT
zroot/www       41.4G   774G   132K  /www
zroot/www/ROOT  22.5G   774G   132K  /www/ROOT
zroot/www/usr   10.9G   774G   132K  /www/usr
zroot/www/var   7.96G   774G   132K  /www/var

Go into the jail’s root directory. Edit /etc/sysctl.conf to remove non-jail settings. You can also edit rc.conf for the new network interface and the new IP.

I’m using VNET, because otherwise I must configure on-system daemons to avoid binding to localhost. (Remember, in a non-VNET jail localhost is aliased to the public IP!) That means I need a bridge interface. This host has one live Ethernet, igb0, so I make it a bridge.

autobridge_interfaces="bridge0"
autobridge_bridge0="igb*"
cloned_interfaces="bridge0"
ifconfig_igb0="UP"

I then add a public IP to the bridge, for the host’s use.

Now for jail.conf for a VNET install. I need to allow devfs for running named(8) on some of the VMs, and I want raw sockets.

path = "/jails/$name";
mount.devfs;
devfs_ruleset=5;
exec.clean;
allow.mount.devfs=1;
allow.raw_sockets=1;

exec.consolelog="/jails/$name/var/log/console.log";

vnet;
exec.prestart += "/sbin/ifconfig epair${jid} create up";
exec.prestart += "/sbin/ifconfig epair${jid}a descr 'vnet-${name}'";
exec.prestart += "/sbin/ifconfig bridge0 addm epair${jid}a up";
vnet.interface="epair${jid}b";

exec.start = "sh /etc/rc";

exec.created="logger jail $name has started";

exec.stop = "sh /etc/rc.shutdown";
exec.poststop += "ifconfig epair${jid}a destroy";
exec.poststop +="logger jail $name has stopped";

.include "/etc/jail.conf.d/*.conf";

This reduces individual jail.conf entries to this.

www {
    jid = 80;
}

At this point, I could start the jail and see what broke. Some common errors included /tmp losing the sticky bit and MariaDB directories being owned by root rather than mysql.
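Both of those breakages are easy to test for before starting the jail. As an added example (not the author’s), here is a check of a jail root for a missing sticky bit on /tmp and for database files not owned by the database user. /var/db/mysql is FreeBSD’s default MariaDB data directory and `mysql` its usual owner; both are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not the author's: sanity checks on a migrated jail root for
# the two breakages the notes mention. Paths and the database user are
# assumptions.

# Succeed if the directory carries the sticky bit (the 't' in drwxrwxrwt).
has_sticky_bit() {
    case $(ls -ld "$1" 2>/dev/null | cut -c10) in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed if user $2 exists and owns every file under $1.
owned_by() {
    id "$2" >/dev/null 2>&1 || return 1
    [ -z "$(find "$1" ! -user "$2" -print | head -n 1)" ]
}

# Run both checks on a jail root; print each failure with its fix,
# return 1 if anything failed.
check_jail_root() {
    root=$1
    dbuser=${2:-mysql}
    rc=0
    if ! has_sticky_bit "$root/tmp"; then
        echo "FAIL: $root/tmp lacks the sticky bit; fix: chmod 1777 $root/tmp"
        rc=1
    fi
    if [ -d "$root/var/db/mysql" ] && ! owned_by "$root/var/db/mysql" "$dbuser"; then
        echo "FAIL: files under $root/var/db/mysql not owned by $dbuser; fix: chown -R $dbuser:$dbuser $root/var/db/mysql"
        rc=1
    fi
    return $rc
}

# Usage: check-jail.sh /jails/www [dbuser]
if [ $# -ge 1 ]; then
    check_jail_root "$@"
fi
```

Run it against the jail path from jail.conf (here /jails/www) before the first `jail -c`; the exit status makes it usable from a migration script as well.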

Change the DNS, and watch traffic shift to the new host.

Am I confident in this process? No. That’s why I make sure I have a last backup in Tarsnap, and wait 30 days to delete the source VM.