Bug 142972
Summary: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
Product: Base System
Reporter: BERARD David <david>
Component: conf
Assignee: freebsd-jail (Nobody) <jail>
Status: Closed FIXED
Severity: Affects Only Me
CC: joeb1, laurent
Priority: Normal
Version: 8.0-RELEASE
Hardware: Any
OS: Any
Attachments:
  jailv2rc.patch (flags: none)
  jail.diff (flags: none)

Description BERARD David 2010-01-19 16:00:18 UTC
The current /etc/rc.d/jail doesn't support the new jail parameter style. It doesn't support vnet (VIMAGE) and jail name.

Fix: See the attached patch
How-To-Repeat: Try to run a vnet compliant jail with rc.conf
Comment 1 BERARD David 2010-01-19 17:24:21 UTC
/etc/rc.conf example with this patch

jail_list="$jail_list example"
jail_example_hostname="example.nfrance.local"
jail_example_name="example"
jail_example_rootdir="/home/jails/example"
jail_example_vnet_enable="YES"
jail_example_devfs_enable="YES"
jail_example_mount_enable="YES"
jail_example_fstab="/etc/fstab.example"
#network
jail_example_exec_prestart0="ifconfig epair0 create"

jail_example_exec_poststart0="ifconfig epair0b vnet example"
jail_example_exec_afterstart1="ifconfig lo0 127.0.0.1"
jail_example_exec_poststop0="ifconfig epair0a destroy"
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2010-01-19 22:34:19 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-jail

Over to maintainer(s).
Comment 3 BERARD David 2010-01-20 09:16:57 UTC
Comment 4 BERARD David 2010-01-20 09:30:13 UTC
Sorry for base64 encoded data

--- jailv2rc_ip6.patch begins here ---
--- /usr/src/etc/rc.d/jail      2009-10-25 02:10:29.000000000 +0100
+++ /usr/src/etc/rc.d/jail      2010-01-20 09:48:04.000000000 +0100
@@ -38,6 +38,7 @@
        _fdescdir="${_devdir}/fd"
        _procdir="${_rootdir}/proc"
        eval _hostname=\"\$jail_${_j}_hostname\"
+       eval _name=\"\$jail_${_j}_name\"
        eval _ip=\"\$jail_${_j}_ip\"
        eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
        eval _exec=\"\$jail_${_j}_exec\"
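Review bot: `_name` gets no fallback on the added line, so a jail whose rc.conf has no `jail_<j>_name` ends up with an empty `name=""` when the v2 command line is assembled later in this patch; default it to the rc.conf key the same way the other per-jail settings fall back, `eval _name=\"\${jail_${_j}_name:-${_j}}\"`, so every new-style jail can be addressed by name in jls(8) and `jail -r`.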
@@ -95,6 +96,9 @@
                fi
        fi

+       # JAIL new style
+       eval _v2=\"\${jail_v2_enable:-"NO"}\"
+
        # The default jail ruleset will be used by rc.subr if none is specified.
        eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
        eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
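Review bot: `jail_v2_enable` is read only as a global here, with no `jail_${_j}_v2_enable` override, unlike the neighbouring `devfs_ruleset` and `devfs_enable` settings, so one rc.conf cannot run old-style and new-style jails side by side during a migration; follow the same pattern, `eval _v2=\"\${jail_${_j}_v2_enable:-${jail_v2_enable:-NO}}\"`. The inner `"NO"` quotes are stripped by the first parse before eval runs and can be dropped, and a default for `jail_v2_enable` belongs in /etc/defaults/rc.conf next to the other jail_* defaults, which this patch does not touch.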
@@ -110,18 +114,26 @@
        eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
        [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
        eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
-       [ -z "${_flags}" ] && _flags="-l -U root"
+       if checkyesno _v2; then
+               [ -z "${_flags}" ] && _flags="-l -U root -c"
+       else
+               [ -z "${_flags}" ] && _flags="-l -U root"
+       fi
        eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
        [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
        eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
+       eval _vnet=\"\${jail_${_j}_vnet_enable:-"NO"}\"

        # Debugging aid
        #
+       debug "$_j v2 enable: $_v2"
        debug "$_j devfs enable: $_devfs"
        debug "$_j fdescfs enable: $_fdescfs"
        debug "$_j procfs enable: $_procfs"
        debug "$_j mount enable: $_mount"
+       debug "$_j vnet enable: $_vnet"
        debug "$_j hostname: $_hostname"
+       debug "$_j name: $_name"
        debug "$_j ip: $_ip"
        jail_show_addresses ${_j}
        debug "$_j interface: $_interface"
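Review bot: `-c` is folded into the default `_flags` only, so any rc.conf that sets `jail_flags` or `jail_<j>_flags` (the usual way to add `-u` or `-J`) silently loses the create flag for a v2 jail and the `jail ... name=...` line built later in this patch fails; append `-c` where the v2 command is assembled rather than in the default. `_vnet` is also read with no `jail_vnet_enable` global fallback, unlike `_devfs`, `_fib` and the other settings on these lines, and neither new variable is documented in rc.conf(5).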
@@ -481,6 +493,20 @@
                *)      ;;
                esac

+
+               # Append address to list of addresses for the jail command.
+               case "${_type}" in
+               "inet") case "${_addrlv4}" in
+                       "")     _addrlv4="${_addr}" ;;
+                       *)      _addrlv4="${_addrlv4},${_addr}" ;;
+                       esac;;
+               "inet6") case "${_addrlv6}" in
+                       "")     _addrlv6="${_addr}" ;;
+                       *)      _addrlv6="${_addrlv6},${_addr}" ;;
+                       esac;;
+               esac
+
+
                # Append address to list of addresses for the jail command.
                case "${_addrl}" in
                "")     _addrl="${_addr}" ;;
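Review bot: the comment `# Append address to list of addresses for the jail command.` now appears twice in a row, once above the new per-family `case` and once above the original `_addrl` one; give the new block its own comment saying it feeds `ip4.addr`/`ip6.addr` for the new-style command line. The `case "${_type}"` also silently drops an address whose `_type` is neither `inet` nor `inet6`; a `*)` arm with a `warn` would surface that instead of starting the jail without the address.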
@@ -567,6 +593,8 @@
                        continue;
                fi
                _addrl=""
+               _addrlv4=""
+               _addrlv6=""
                jail_ips "add"
                if [ -n "${_fib}" ]; then
                        _setfib="setfib -F '${_fib}'"
@@ -634,12 +662,26 @@
                        ${out}
                        i=$((i + 1))
                done
-
-               eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
-                       \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
-
+               if checkyesno _v2; then
+                       _start_cmd="${_setfib} jail -J ${_tmp_jail} ${_flags} path=${_rootdir} host.hostname=${_hostname} \
+                               name=\"${_name}\""
+                       if checkyesno _vnet; then
+                               _start_cmd="${_start_cmd} vnet"
+                       else
+                               _start_cmd="${_start_cmd} ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\""
+                       fi
+                        _start_cmd="${_start_cmd} command=${_exec_start}"
+                       eval ${_start_cmd} > /dev/null 2>&1
+               else
+                       eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
+                               \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+               fi
                if [ "$?" -eq 0 ] ; then
-                       _jail_id=$(head -1 ${_tmp_jail})
+                       if checkyesno _v2; then
+                               _jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail})
+                       else
+                               _jail_id=$(head -1 ${_tmp_jail})
+                       fi
                        i=1
                        while : ; do
                                eval out=\"\${_exec_afterstart${i}:-''}\"
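Review bot: `eval ${_start_cmd} > /dev/null 2>&1` discards everything jail(8) prints, so a failed create (bad parameter, missing `path`, a kernel without VIMAGE for `vnet`) leaves nothing in `${_tmp_jail}` or the console log, while the old-style branch right below keeps its output in `${_tmp_jail}`. Keep `-i` on the v2 command line and redirect `> ${_tmp_jail} 2>&1` as before: `-i` prints the jid on stdout in both syntaxes, so `_jail_id=$(head -1 ${_tmp_jail})` serves both branches and the `awk -F '=| '` parse of the `-J` file, which depends on that file's layout, goes away. Two smaller points in the same block: `ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\"` is passed even when one family has no addresses, so append each parameter only when its list is non-empty; and `path=${_rootdir}` and `host.hostname=${_hostname}` are unquoted inside the eval'd string while `name` is quoted, so a root directory containing a space breaks the command.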
--- jailv2rc_ip6.patch ends here ---
Comment 5 BERARD David 2010-01-21 17:55:10 UTC
> I did some testing with vnet and I find the way of using _poststart and
> _afterstart to configure ip-addr. inside a vimage jail very impractical.
> First we lose all the nice features of configuring ipaddrs. via
> ipv4_addrs_if in rc.conf from inside the jail and second, more
> important, the jail will be fully booted before any ipaddr. is
> configured or even interfaces are configured. This will result in
> services not starting correctly, firewalling going nuts, routing-daemons
> not working etc.pp.

I had to patch rc to support this, and use this in rc.conf
jail_example_exec_earlypoststart0="ifconfig epair0b vnet example"
jail_example_exec_afterstart0="ifconfig epair0b x.x.x.x"

--- jailv2rc_earlypoststart.patch begins here ---
--- /usr/src/etc/rc.d/jail      2009-10-25 02:10:29.000000000 +0100
+++ /etc/rc.d/jail      2010-01-20 10:40:57.000000000 +0100
@@ -38,6 +38,7 @@
        _fdescdir="${_devdir}/fd"
        _procdir="${_rootdir}/proc"
        eval _hostname=\"\$jail_${_j}_hostname\"
+       eval _name=\"\$jail_${_j}_name\"
        eval _ip=\"\$jail_${_j}_ip\"
        eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
        eval _exec=\"\$jail_${_j}_exec\"
@@ -51,12 +52,19 @@

        eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"

-       i=1
+       i=0
        while : ; do
                eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
                [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] &&  break
                i=$((i + 1))
        done
+
+       i=0
+       while : ; do
+               eval _exec_earlypoststart${i}=\"\${jail_${_j}_exec_earlypoststart${i}:-\${jail_exec_earlypoststart${i}}}\"
+               [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
+               i=$((i + 1))
+       done

        i=0
        while : ; do
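Review bot: the new `_exec_earlypoststart` loop ends on the wrong variable: `[ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break` tests `_exec_poststart${i}`, which is not filled until the next loop, so with no poststart entries the loop stops after index 0 and `jail_<j>_exec_earlypoststart1` onwards are never collected, and with poststart entries present it runs past the end of the earlypoststart list. Test `_exec_earlypoststart${i}`, the variable the loop assigns. Separately, switching the afterstart loop from `i=1` to `i=0` changes existing configurations: an rc.conf with `jail_<j>_exec_afterstart1` and no `afterstart0` (index 1 is the first index today, and the one Comment 1 uses) now breaks out at `i=0` and those commands silently stop running. Either keep `i=1` for afterstart, and the matching debug loop further down, or document the renumbering.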
@@ -95,6 +103,9 @@
                fi
        fi

+       # JAIL new style
+       eval _v2=\"\${jail_v2_enable:-"NO"}\"
+
        # The default jail ruleset will be used by rc.subr if none is specified.
        eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
        eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
@@ -110,18 +121,26 @@
        eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
        [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
        eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
-       [ -z "${_flags}" ] && _flags="-l -U root"
+       if checkyesno _v2; then
+               [ -z "${_flags}" ] && _flags="-l -U root -c"
+       else
+               [ -z "${_flags}" ] && _flags="-l -U root"
+       fi
        eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
        [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
        eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
+       eval _vnet=\"\${jail_${_j}_vnet_enable:-"NO"}\"

        # Debugging aid
        #
+       debug "$_j v2 enable: $_v2"
        debug "$_j devfs enable: $_devfs"
        debug "$_j fdescfs enable: $_fdescfs"
        debug "$_j procfs enable: $_procfs"
        debug "$_j mount enable: $_mount"
+       debug "$_j vnet enable: $_vnet"
        debug "$_j hostname: $_hostname"
+       debug "$_j name: $_name"
        debug "$_j ip: $_ip"
        jail_show_addresses ${_j}
        debug "$_j interface: $_interface"
@@ -145,7 +164,7 @@

        debug "$_j exec start: $_exec_start"

-       i=1
+       i=0
        while : ; do
                eval out=\"\${_exec_afterstart${i}:-''}\"

@@ -481,6 +500,20 @@
                *)      ;;
                esac

+
+               # Append address to list of addresses for the jail command.
+               case "${_type}" in
+               "inet") case "${_addrlv4}" in
+                       "")     _addrlv4="${_addr}" ;;
+                       *)      _addrlv4="${_addrlv4},${_addr}" ;;
+                       esac;;
+               "inet6") case "${_addrlv6}" in
+                       "")     _addrlv6="${_addr}" ;;
+                       *)      _addrlv6="${_addrlv6},${_addr}" ;;
+                       esac;;
+               esac
+
+
                # Append address to list of addresses for the jail command.
                case "${_addrl}" in
                "")     _addrl="${_addr}" ;;
@@ -567,6 +600,8 @@
                        continue;
                fi
                _addrl=""
+               _addrlv4=""
+               _addrlv6=""
                jail_ips "add"
                if [ -n "${_fib}" ]; then
                        _setfib="setfib -F '${_fib}'"
@@ -634,13 +669,36 @@
                        ${out}
                        i=$((i + 1))
                done
-
-               eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
-                       \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
-
+               if checkyesno _v2; then
+                       _start_cmd="${_setfib} jail -J ${_tmp_jail} ${_flags} path=${_rootdir} host.hostname=${_hostname} \
+                               name=\"${_name}\""
+                       if checkyesno _vnet; then
+                               _start_cmd="${_start_cmd} vnet"
+                       else
+                               _start_cmd="${_start_cmd} ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\""
+                       fi
+                        _start_cmd="${_start_cmd} command=${_exec_start}"
+                       eval ${_start_cmd} > /dev/null 2>&1
+               else
+                       eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
+                               \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+               fi
                if [ "$?" -eq 0 ] ; then
-                       _jail_id=$(head -1 ${_tmp_jail})
-                       i=1
+                       if checkyesno _v2; then
+                               _jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail})
+                       else
+                               _jail_id=$(head -1 ${_tmp_jail})
+                       fi
+
+                       i=0
+                       while : ; do
+                               eval out=\"\${_exec_earlypoststart${i}:-''}\"
+                               [ -z "$out" ] && break
+                               ${out}
+                               i=$((i + 1))
+                       done
+
+                       i=0
                        while : ; do
                                eval out=\"\${_exec_afterstart${i}:-''}\"

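Review bot: the `_exec_earlypoststart` loop sits after `eval ${_start_cmd}` has returned, and that command line ends in `command=${_exec_start}`, so for the default `/bin/sh /etc/rc` these hooks can only run once the jail's own rc has finished, which is exactly when the existing `_exec_afterstart` hooks run; `ifconfig epair0b vnet example` from the rc.conf in this comment therefore still reaches the jail after its network configuration has been attempted, the ordering problem the quoted comment raises. To hand the interface over before the jail's rc runs, the jail has to be created first and started afterwards: create it with `-c persist` and no `command=`, run the host-side hooks against the jid from `-i`, start `${_exec_start}` inside it with jexec(8), then clear `persist` with `jail -m`. The `> /dev/null 2>&1` redirect and the `awk` parse of the `-J` file raise the same concerns as in the first patch's start hunk.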
--- jailv2rc_earlypoststart.patch ends here ---

-- 
David BERARD
NFrance Conseil
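The hook loops and the new-style command construction in the two patches above, as an added example (not code from the PR or from FreeBSD's rc.d/jail): a POSIX sh rewrite that walks each hook family by its own variable, emits `ip4.addr`/`ip6.addr` only when a family has addresses, keeps `-i` so the jid is read the same way in both syntaxes, and returns the jail(8) command line as a string instead of executing it. The rc.conf-style settings at the top are constructed for the demonstration after Comment 1; the `192.0.2.x` and `2001:db8::` addresses are documentation ranges, and nothing here touches a real jail.

```shell
#!/bin/sh
# Added example, not code from the PR: the hook collection and new-style
# jail(8) command construction that the jailv2rc patches implement, rewritten
# so that
#   - each hook family (prestart, earlypoststart, afterstart, ...) is walked by
#     testing the variable it fills, so a loop cannot stop early because a
#     different family's variable is empty;
#   - ip4.addr / ip6.addr are emitted only when that family has addresses, and
#     vnet replaces both;
#   - the jail(8) command line is returned as a string rather than executed,
#     so it runs on any system; on FreeBSD the caller would eval it.
# Variable names follow the rc.conf convention used in the PR
# (jail_<name>_exec_<hook><n>, jail_<name>_ip, jail_<name>_vnet_enable).

# Constructed rc.conf-style settings for a jail named "example".
jail_example_hostname="example.nfrance.local"
jail_example_rootdir="/home/jails/example"
jail_example_ip="192.0.2.10 2001:db8::10 192.0.2.11"
jail_example_vnet_enable="NO"
jail_example_exec_prestart0="ifconfig epair0 create"
jail_example_exec_earlypoststart0="ifconfig epair0b vnet example"
jail_example_exec_earlypoststart1="ifconfig epair0b inet 192.0.2.10/24"
jail_example_exec_afterstart0="logger jail example up"
jail_example_exec_poststop0="ifconfig epair0a destroy"

# collect_hooks <jail> <hook>: print the <hook> commands for <jail> one per
# line, from index 0 until the first unset index, falling back to the global
# jail_exec_<hook><n> the way rc.d/jail does for every other hook.
collect_hooks() {
    _j=$1 _hook=$2 _i=0
    while :; do
        eval _cmd=\"\${jail_${_j}_exec_${_hook}${_i}:-\${jail_exec_${_hook}${_i}}}\"
        [ -z "$_cmd" ] && break
        printf '%s\n' "$_cmd"
        _i=$((_i + 1))
    done
}

# count_hooks <jail> <hook>: how many commands collect_hooks would run.
count_hooks() {
    collect_hooks "$1" "$2" | wc -l | tr -d ' '
}

# addr_params <space-separated addresses>: the ip4.addr=/ip6.addr= parameters
# for a new-style jail(8) command line. Anything containing ':' is IPv6. A
# family with no addresses gets no parameter at all instead of ip4.addr="".
addr_params() {
    _v4= _v6= _out=
    for _a in $1; do
        case $_a in
        *:*) _v6="${_v6:+$_v6,}$_a" ;;
        *)   _v4="${_v4:+$_v4,}$_a" ;;
        esac
    done
    [ -n "$_v4" ] && _out="ip4.addr=$_v4"
    [ -n "$_v6" ] && _out="${_out:+$_out }ip6.addr=$_v6"
    printf '%s\n' "$_out"
}

# jail_start_cmd <jail>: the jail(8) invocation rc.d/jail would eval for a
# new-style jail. -c creates it; -i prints the new jid on stdout in both
# syntaxes, so stdout can keep going to the temp file read with head -1.
jail_start_cmd() {
    _j=$1
    eval _host=\"\$jail_${_j}_hostname\" _root=\"\$jail_${_j}_rootdir\" \
         _ips=\"\$jail_${_j}_ip\" _vnet=\"\${jail_${_j}_vnet_enable:-NO}\"
    _cmd="jail -i -c -l -U root name=$_j path=$_root host.hostname=$_host"
    case $_vnet in
    [Yy][Ee][Ss]) _cmd="$_cmd vnet" ;;
    *)            _p=$(addr_params "$_ips"); _cmd="$_cmd${_p:+ $_p}" ;;
    esac
    # command= must come last: jail(8) treats everything after it as the
    # command and its arguments.
    printf '%s command=/bin/sh /etc/rc\n' "$_cmd"
}

# Stand-alone run: show the hook counts and the command that would be eval'd.
for _h in prestart earlypoststart afterstart poststop; do
    printf '%s hooks: %s\n' "$_h" "$(count_hooks example "$_h")"
done
jail_start_cmd example
```

Run it with `sh` on any system; the last lines print the per-family hook counts and the command line that would be `eval`'d. On FreeBSD, `eval "$(jail_start_cmd example)" > "$tmp" 2>&1` followed by `head -1 "$tmp"` yields the jid for old- and new-style jails alike, and a failed create leaves jail(8)'s error message in the same file instead of in /dev/null.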
Comment 6 Bjoern A. Zeeb freebsd_committer freebsd_triage 2010-01-25 11:12:44 UTC
State Changed
From-To: open->suspended

As was said multiple times before, it is very unlikely that the current rc script will be changed for the experimental feature, and a more complete management solution is being sought for the final support.
Comment 7 mwisnicki+freebsd 2010-06-16 00:04:21 UTC
# man 8 jail | grep -i experimental
Usage: .Va variable_name ... (#71)
#

There is nothing in the manual page saying that this is experimental (but there is a syntax error?).
Comment 8 jo 2012-08-25 22:55:30 UTC
Has there been any conclusion to this yet? How this is supposed to be
handled "properly"?
Just looking through jails and vnet on stable/9@r237006...
Comment 9 j.totz07 2012-09-18 23:23:17 UTC
How about something really simple like this.
Works for me on 9-stable (to some extent).
Comment 10 joeb1 2014-07-12 01:30:12 UTC
This PR should be closed. This PR is against the /etc/rc.d/jail script, which in 10.0 is deprecated and was replaced in 9.1 and newer with the jail(8) program.
This is dead. Let's move on to the jail(8) method of jails and vnet jails.
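The jail(8)-native form of Comment 1's rc.conf stanza, as an added example (not from the PR or from FreeBSD): a POSIX sh function that renders a jail.conf(5) stanza for the same vnet jail, plus two small helpers for checking what it emits. It assumes the jail.conf-based jail(8) of FreeBSD 9.1 and later, where `exec.prestart` runs on the host before creation, `vnet.interface` hands an interface to the jail after creation and before `exec.start`, and `exec.poststop` runs after removal; that ordering is what lets the jail's own /etc/rc configure `epair0b` from the jail's rc.conf, which the complaint quoted in Comment 5 asks for. The names (`example`, `epair0`, `/home/jails/example`, `/etc/fstab.example`) come from Comment 1.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: the jail.conf(5)
# equivalent of the rc.conf stanza in Comment 1, rendered by a small POSIX sh
# function so the epair/vnet wiring is parameterised. It uses jail(8)
# parameters from the jail.conf-based jail(8) (FreeBSD 9.1 and later):
#   exec.prestart   runs on the host before the jail is created;
#   vnet.interface  hands the named interface to the jail right after creation
#                   and before exec.start, so the jail's own /etc/rc can
#                   configure it from the jail's rc.conf (ifconfig_epair0b=...),
#                   which is the ordering the complaint quoted in Comment 5
#                   asks for; the interface is released when the jail is removed;
#   exec.poststop   runs on the host after the jail is removed.
# Names (example, epair0, /home/jails/example) are taken from Comment 1.

# render_jailconf <name> <hostname> <path> <epair>: print a jail.conf stanza
# for a vnet jail attached through <epair> (host side <epair>a, jail side
# <epair>b).
render_jailconf() {
    _name=$1 _host=$2 _path=$3 _ep=$4
    printf '%s {\n' "$_name"
    printf '    host.hostname = "%s";\n' "$_host"
    printf '    path = "%s";\n' "$_path"
    printf '    vnet;\n'
    printf '    exec.prestart = "ifconfig %s create";\n' "$_ep"
    printf '    vnet.interface = "%sb";\n' "$_ep"
    printf '    exec.start = "/bin/sh /etc/rc";\n'
    printf '    exec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf '    exec.poststop = "ifconfig %sa destroy";\n' "$_ep"
    printf '    mount.devfs;\n'
    printf '    mount.fstab = "/etc/fstab.%s";\n' "$_name"
    printf '}\n'
}

# has_line <stanza> <text>: succeed if the stanza contains exactly <text> as
# one of its indented parameter lines.
has_line() {
    printf '%s\n' "$1" | grep -qxF "    $2"
}

# param_line <stanza> <param>: line number of <param> inside the stanza, so
# the relative order of the hooks can be checked.
param_line() {
    printf '%s\n' "$1" | grep -n "^    $2[ ;]" | head -1 | cut -d: -f1
}

# Stand-alone run: print the stanza that would go into /etc/jail.conf.
render_jailconf example example.nfrance.local /home/jails/example epair0
```

Put the printed stanza in /etc/jail.conf and start it with `jail -c example` on 9.1 or later; from 10.0 the rc.d/jail script reads /etc/jail.conf itself. Inside the jail, `ifconfig_epair0b="inet 192.0.2.10/24"` and `defaultrouter` in its own rc.conf then take effect while the jail's rc runs, not after it, because `vnet.interface` is processed before `exec.start`.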
Comment 11 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:45:57 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 12 Eitan Adler freebsd_committer freebsd_triage 2018-05-29 14:48:03 UTC
See comment #10