| Field | Value |
|---|---|
| Summary | [jail] [patch] Support JAILv2 and vnet in rc.d/jail |
| Product | Base System |
| Reporter | BERARD David <david> |
| Component | conf |
| Assignee | freebsd-jail (Nobody) <jail> |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| CC | joeb1, laurent |
| Priority | Normal |
| Version | 8.0-RELEASE |
| Hardware | Any |
| OS | Any |
| Attachments | |
Description
BERARD David
2010-01-19 16:00:18 UTC
/etc/rc.conf example with this patch jail_list="$jail_list example" jail_example_hostname="example.nfrance.local" jail_example_name="example" jail_example_rootdir="/home/jails/example" jail_example_vnet_enable="YES" jail_example_devfs_enable="YES" jail_example_mount_enable="YES" jail_example_fstab="/etc/fstab.example" #network jail_example_exec_prestart0="ifconfig epair0 create" jail_example_exec_poststart0="ifconfig epair0b vnet example" jail_example_exec_afterstart1="ifconfig lo0 127.0.0.1" jail_example_exec_poststop0="ifconfig epair0a destroy Responsible Changed From-To: freebsd-bugs->freebsd-jail Over to maintainer(s). This is a multi-part message in MIME format. Sorry for base64 encoded data --- jailv2rc_ip6.patch begins here --- --- /usr/src/etc/rc.d/jail 2009-10-25 02:10:29.000000000 +0100 +++ /usr/src/etc/rc.d/jail 2010-01-20 09:48:04.000000000 +0100 @@ -38,6 +38,7 @@ _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" + eval _name=\"\$jail_${_j}_name\" eval _ip=\"\$jail_${_j}_ip\" eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=\"\$jail_${_j}_exec\" @@ -95,6 +96,9 @@ fi fi + # JAIL new style + eval _v2=\"\${jail_v2_enable:-"NO"}\" + # The default jail ruleset will be used by rc.subr if none is specified. eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" 
@@ -110,18 +114,26 @@ eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags="-l -U root" + if checkyesno _v2; then + [ -z "${_flags}" ] && _flags="-l -U root -c" + else + [ -z "${_flags}" ] && _flags="-l -U root" + fi eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" + eval _vnet=\"\${jail_${_j}_vnet_enable:-"NO"}\" # Debugging aid # + debug "$_j v2 enable: $_v2" debug "$_j devfs enable: $_devfs" debug "$_j fdescfs enable: $_fdescfs" debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" + debug "$_j vnet enable: $_vnet" debug "$_j hostname: $_hostname" + debug "$_j name: $_name" debug "$_j ip: $_ip" jail_show_addresses ${_j} debug "$_j interface: $_interface" @@ -481,6 +493,20 @@ *) ;; esac + + # Append address to list of addresses for the jail command. + case "${_type}" in + "inet") case "${_addrlv4}" in + "") _addrlv4="${_addr}" ;; + *) _addrlv4="${_addrlv4},${_addr}" ;; + esac;; + "inet6") case "${_addrlv6}" in + "") _addrlv6="${_addr}" ;; + *) _addrlv6="${_addrlv6},${_addr}" ;; + esac;; + esac + + # Append address to list of addresses for the jail command. case "${_addrl}" in "") _addrl="${_addr}" ;; @@ -567,6 +593,8 @@ continue; fi _addrl="" + _addrlv4="" + _addrlv6="" jail_ips "add" if [ -n "${_fib}" ]; then _setfib="setfib -F '${_fib}'" 
@@ -634,12 +662,26 @@ ${out} i=$((i + 1)) done - - eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 - + if checkyesno _v2; then + _start_cmd="${_setfib} jail -J ${_tmp_jail} ${_flags} path=${_rootdir} host.hostname=${_hostname} \ + name=\"${_name}\"" + if checkyesno _vnet; then + _start_cmd="${_start_cmd} vnet" + else + _start_cmd="${_start_cmd} ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\"" + fi + _start_cmd="${_start_cmd} command=${_exec_start}" + eval ${_start_cmd} > /dev/null 2>&1 + else + eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ + \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 + fi if [ "$?" -eq 0 ] ; then - _jail_id=$(head -1 ${_tmp_jail}) + if checkyesno _v2; then + _jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail}) + else + _jail_id=$(head -1 ${_tmp_jail}) + fi i=1 while : ; do eval out=\"\${_exec_afterstart${i}:-''}\" --- jailv2rc_ip6.patch ends here --- > I did some testing with vnet and I find the way of using _poststart and > _afterstart to configure ip-addr. inside a vimage jail very impractical. > First we loose all the nice features of configuring ipaddrs. via > ipv4_addrs_if in rc.conf from inside the jail and second, more > important, the jail will be fully bootet before any ipaddr. is > configured or even interfaces are configured. This will result in > services not starting correctly, firewalling going nuts, routing-daemons > not working etc.pp. > I had to patch rc to support this, and use this in rc.conf jail_example_exec_earlypoststart0="ifconfig epair0b vnet example" jail_example_exec_afterstart0="ifconfig epair0b x.x.x.x" --- jailv2rc_earlypoststart.patch begins here --- --- /usr/src/etc/rc.d/jail 2009-10-25 02:10:29.000000000 +0100 +++ /etc/rc.d/jail 2010-01-20 10:40:57.000000000 +0100 
@@ -38,6 +38,7 @@ _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" + eval _name=\"\$jail_${_j}_name\" eval _ip=\"\$jail_${_j}_ip\" eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=\"\$jail_${_j}_exec\" @@ -51,12 +52,19 @@ eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" - i=1 + i=0 while : ; do eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\" [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break i=$((i + 1)) done + + i=0 + while : ; do + eval _exec_earlypoststart${i}=\"\${jail_${_j}_exec_earlypoststart${i}:-\${jail_exec_earlypoststart${i}}}\" + [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break + i=$((i + 1)) + done i=0 while : ; do @@ -95,6 +103,9 @@ fi fi + # JAIL new style + eval _v2=\"\${jail_v2_enable:-"NO"}\" + # The default jail ruleset will be used by rc.subr if none is specified. eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" 
@@ -110,18 +121,26 @@ eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags="-l -U root" + if checkyesno _v2; then + [ -z "${_flags}" ] && _flags="-l -U root -c" + else + [ -z "${_flags}" ] && _flags="-l -U root" + fi eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" + eval _vnet=\"\${jail_${_j}_vnet_enable:-"NO"}\" # Debugging aid # + debug "$_j v2 enable: $_v2" debug "$_j devfs enable: $_devfs" debug "$_j fdescfs enable: $_fdescfs" debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" + debug "$_j vnet enable: $_vnet" debug "$_j hostname: $_hostname" + debug "$_j name: $_name" debug "$_j ip: $_ip" jail_show_addresses ${_j} debug "$_j interface: $_interface" @@ -145,7 +164,7 @@ debug "$_j exec start: $_exec_start" - i=1 + i=0 while : ; do eval out=\"\${_exec_afterstart${i}:-''}\" @@ -481,6 +500,20 @@ *) ;; esac + + # Append address to list of addresses for the jail command. + case "${_type}" in + "inet") case "${_addrlv4}" in + "") _addrlv4="${_addr}" ;; + *) _addrlv4="${_addrlv4},${_addr}" ;; + esac;; + "inet6") case "${_addrlv6}" in + "") _addrlv6="${_addr}" ;; + *) _addrlv6="${_addrlv6},${_addr}" ;; + esac;; + esac + + # Append address to list of addresses for the jail command. case "${_addrl}" in "") _addrl="${_addr}" ;; @@ -567,6 +600,8 @@ continue; fi _addrl="" + _addrlv4="" + _addrlv6="" jail_ips "add" if [ -n "${_fib}" ]; then _setfib="setfib -F '${_fib}'" 
@@ -634,13 +669,36 @@ ${out} i=$((i + 1)) done - - eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 - + if checkyesno _v2; then + _start_cmd="${_setfib} jail -J ${_tmp_jail} ${_flags} path=${_rootdir} host.hostname=${_hostname} \ + name=\"${_name}\"" + if checkyesno _vnet; then + _start_cmd="${_start_cmd} vnet" + else + _start_cmd="${_start_cmd} ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\"" + fi + _start_cmd="${_start_cmd} command=${_exec_start}" + eval ${_start_cmd} > /dev/null 2>&1 + else + eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ + \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 + fi if [ "$?" -eq 0 ] ; then - _jail_id=$(head -1 ${_tmp_jail}) - i=1 + if checkyesno _v2; then + _jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail}) + else + _jail_id=$(head -1 ${_tmp_jail}) + fi + + i=0 + while : ; do + eval out=\"\${_exec_earlypoststart${i}:-''}\" + [ -z "$out" ] && break + ${out} + i=$((i + 1)) + done + + i=0 while : ; do eval out=\"\${_exec_afterstart${i}:-''}\" --- jailv2rc_earlypoststart.patch ends here --- -- David BERARD --------------------------------------- NFrance Conseil david(at)nfrance.com GPG|PGP KeyId 0x7FC68EB8 GPG|PGP Key http://tinyurl.com/gpgdavid --------------------------------------- * No electrons were harmed in * * the transmission of this email * State Changed From-To: open->suspended As was said multiple times before, it is very unlikely that the current rc script will be changed for the experimental feature and a more complete mgmt solution is being sought of for the final support. # man 8 jail | grep -i experimental Usage: .Va variable_name ... (#71) # There is nothing in manual page that this is experimental (but there is a syntax error?). Has there been any conclusion to this yet? How this is supposed to be handled "properly"? Just looking through jails and vnet on stable/9@r237006... How about something really simple like this. 
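Review bot: the earlypoststart loader in the `@@ -51,12 +52,19 @@` hunk of jailv2rc_earlypoststart.patch tests the wrong variable: `[ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break` should test `\$_exec_earlypoststart${i}`, otherwise entries beyond index 0 are loaded only while the unrelated `_exec_poststart${i}` is non-empty, and that list appears to be loaded only after this block. The same hunk changes the afterstart counter from `i=1` to `i=0` (and again in the `@@ -145,7 +164,7 @@` debug loop), which breaks every existing rc.conf whose first entry is `jail_<j>_exec_afterstart1`, including the description's own example, because the loop now breaks immediately at index 0. Either keep `i=1` for afterstart or call the change out as an incompatible one.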
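Review bot: the earlypoststart commands in the last hunk run only after `eval ${_start_cmd}` has returned, and that command line ends with `command=${_exec_start}`, i.e. the jail's `/bin/sh /etc/rc` by default; if jail(8) waits for that command the way the legacy `jail ... ${_exec_start}` invocation does, `ifconfig epair0b vnet example` still happens after the jail's rc has completed, which is the ordering problem the reply above describes. To run host-side setup before the jail boots, create the jail without `command=`, run the earlypoststart list, and then start `${_exec_start}` inside it, or hand the interface over on the create line where the target jail(8) supports that. The loop also runs `${out}` with no error check; a failed interface move should abort the start the way a failed create does.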
Works for me on 9-stable (to some extent). This PR should be closed.

This PR is against the /etc/rc.d/jail script, which in 10.0 is deprecated and was replaced in 9.1 and newer with the jail(8) program. This is dead. Let's move on to the jail(8) method of jails and vnet jails.

batch change: For bugs that match the following
- Status Is In progress AND
- Untouched since 2018-01-01. AND
- Affects Base System OR Documentation
DO: Reset to open status.

Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.

See comment #10