From owner-freebsd-current@FreeBSD.ORG Sat Apr 19 17:55:22 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5516D37B401 for ; Sat, 19 Apr 2003 17:55:22 -0700 (PDT) Received: from mail.westbend.net (ns1.westbend.net [216.47.253.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7014A43F75 for ; Sat, 19 Apr 2003 17:55:21 -0700 (PDT) (envelope-from hetzels@westbend.net) Received: from WBIw009.westbend.net (wbiw009 [216.47.253.29]) by mail.westbend.net (8.12.9/8.12.9) with ESMTP id h3K0tKJJ085735; Sat, 19 Apr 2003 19:55:20 -0500 (CDT) (envelope-from hetzels@westbend.net) Received: from WBIw009.westbend.net (localhost [127.0.0.1]) by WBIw009.westbend.net (8.12.9/8.12.9) with ESMTP id h3K0tIji005596; Sat, 19 Apr 2003 19:55:19 -0500 (CDT) (envelope-from hetzels@westbend.net) Received: (from root@localhost) by WBIw009.westbend.net (8.12.9/8.12.9/Submit) id h3K0tHJB005595; Sat, 19 Apr 2003 19:55:17 -0500 (CDT) Date: Sat, 19 Apr 2003 19:55:17 -0500 (CDT) Message-Id: <200304200055.h3K0tHJB005595@WBIw009.westbend.net> From: "Scot W. Hetzel" To: FreeBSD-Current , Mike Makonnen X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Subject: Enhancements to the new rc.d/jail script X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Apr 2003 00:55:22 -0000 Attached are patches for the new rc.d/jail script. I moved the jail variables out of the "Miscellaneous administrative options" section and placed them into their own section ("Jail Configuration") in /etc/defaults/rc.conf. I also added definitions for the jail_*_[rootdir,hostname,ip,exec] variables found in /etc/rc.d/jail. I also made a change to rc.d/jail. I added the ability to mount the devfs and procfs on the jail, and to apply a devfs ruleset to the jails dev directory (see the jail_*_[devfs,devfs_ruleset,procfs] variables). Currently rc.d/devfs starts after rc.d/jail, we need devfs rulesets defined before the jail is started (devfs added to rc.d/jail REQUIRE). Added a standard jail ruleset to rc.d/devfs. Scot Index: defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.172 diff -u -r1.172 rc.conf --- defaults/rc.conf 16 Apr 2003 16:29:51 -0000 1.172 +++ defaults/rc.conf 20 Apr 2003 00:07:06 -0000 @@ -426,11 +426,28 @@ harvest_ethernet="YES" # Entropy device harvests ethernet randomness harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot + +############################################################## +### Jail Configuration ####################################### +############################################################## + jail_enable="NO" # Set to NO to disable starting of any jails jail_list="" # Space separated list of names of jails jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail -jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail +jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail +jail_default_rulset="10" # Default jail devfs ruleset to apply + +# create an entry for each jail named in jail_list, with these variables +# NOTE: replace 'example' with the jail's name from jail_list +# +jail_example_rootdir="/usr/jail/default" # Jails root directory +jail_example_hostname="default.domain.com" # Jails hostname +jail_example_ip="192.168.0.10" # Jails IP number +jail_example_exec="/bin/sh /etc/rc" # command to execute in jail +jail_example_devfs="NO" # mount devfs in jail +jail_example_devfs_rulset="10" # devfs ruleset to apply to jail +jail_example_procfs="NO" # mount procfs in jail ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## Index: rc.d/devfs =================================================================== RCS file: /home/ncvs/src/etc/rc.d/devfs,v retrieving revision 1.2 diff -u -r1.2 devfs --- rc.d/devfs 15 Dec 2002 21:56:53 -0000 1.2 +++ rc.d/devfs 20 Apr 2003 00:10:02 -0000 @@ -13,6 +13,22 @@ load_rc_config $name +# Standard Jail ruleset +/sbin/devfs rule -s 10 delset +/sbin/devfs rule -s 10 add 100 hide +/sbin/devfs rule -s 10 add 200 path ptyp* unhide +/sbin/devfs rule -s 10 add 300 path ttyp* unhide +/sbin/devfs rule -s 10 add 400 path null unhide +/sbin/devfs rule -s 10 add 500 path zero unhide +/sbin/devfs rule -s 10 add 600 path random unhide +/sbin/devfs rule -s 10 add 610 path urandom unhide +/sbin/devfs rule -s 10 add 700 path fd unhide +/sbin/devfs rule -s 10 add 800 path fd/* unhide +/sbin/devfs rule -s 10 add 810 path mdctl unhide +/sbin/devfs rule -s 10 add 900 path stdin unhide +/sbin/devfs rule -s 10 add 910 path stdout unhide +/sbin/devfs rule -s 10 add 920 path stderr unhide + # Setup DEVFS, ie permissions, links etc. # if [ -r /etc/rc.devfs ]; then Index: rc.d/jail =================================================================== RCS file: /home/ncvs/src/etc/rc.d/jail,v retrieving revision 1.3 diff -u -r1.3 jail --- rc.d/jail 19 Apr 2003 07:50:32 -0000 1.3 +++ rc.d/jail 20 Apr 2003 00:26:51 -0000 @@ -4,8 +4,8 @@ # # PROVIDE: jail -# REQUIRE: LOGIN -# KEYWORD: FreeBSD +# REQUIRE: LOGIN devfs +# KEYWORD: FreeBSD shutdown . /etc/rc.subr @@ -14,6 +14,15 @@ start_cmd="jail_start" stop_cmd="jail_stop" +create_dev_links() +{ + local devdir=$1 + local source=$2 + local target=$3 + + (cd ${devdir} && ln -sf ${source} ${target}) +} + jail_start() { echo -n 'Configuring jails:' @@ -49,11 +58,54 @@ for _jail in ${jail_list} do eval jail_rootdir=\"\$jail_${_jail}_rootdir\" + jail_devdir="${jail_rootdir}/dev" + jail_procdir="${jail_rootdir}/proc" + eval jail_hostname=\"\$jail_${_jail}_hostname\" eval jail_ip=\"\$jail_${_jail}_ip\" eval jail_exec=\"\$jail_${_jail}_exec\" [ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc" - + + eval jail_devfs=\"\$jail_${_jail}_devfs\" + [ -z ${jail_devfs} ] && jail_devfs="NO" + + eval jail_rulset=\"\$jail_${_jail}_devfs_ruleset\" + [ -z ${jail_rulset} ] && jail_rulset="${jail_default_rulset}" + + eval jail_procfs=\"\$jail_${_jail}_procfs\" + [ -z ${jail_procfs} ] && jail_procfs="NO" + + if checkyesno jail_devfs; then + if [ -d ${jail_devdir} ] ; then + mount -t devfs dev ${jail_devdir} + + if [ -n "${jail_rulset}" ]; then + # Apply devfs rulset + devfs -m ${jail_devdir} ruleset ${jail_rulset} + + # for libkvm (ab)users + create_dev_links ${jail_devdir} null mem + create_dev_links ${jail_devdir} null kmem + + # create_dev_links ${jail_devdir} null console + fi + + # Transitional symlink for old binaries + if [ ! -L ${jail_devdir}/log ]; then + create_dev_links ${jail_devdir} ../var/run/log log + fi + + # Jail console output + create_dev_links ${jail_devdir} ../var/log/console console + fi + fi + + if checkyesno jail_procfs; then + if [ -d ${jail_procdir} ] ; then + mount -t procfs proc ${jail_procdir} + fi + fi + jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec} done } @@ -61,6 +113,28 @@ jail_stop() { kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print $2};') + for _jail in ${jail_list} + do + eval jail_rootdir=\"\$jail_${_jail}_rootdir\" + jail_devdir="${jail_rootdir}/dev" + jail_procdir="${jail_rootdir}/proc" + eval jail_devfs=\"\$jail_${_jail}_devfs\" + [ -z ${jail_devfs} ] && jail_devfs="NO" + eval jail_procfs=\"\$jail_${_jail}_procfs\" + [ -z ${jail_procfs} ] && jail_procfs="NO" + + if checkyesno jail_devfs; then + if [ -d ${jail_devdir} ] ; then + umount -f ${jail_devdir} >/dev/null 2>&1 + fi + fi + + if checkyesno jail_procfs; then + if [ -d ${jail_procdir} ] ; then + umount -f ${jail_procdir} >/dev/null 2>&1 + fi + fi + done }