From: Jeff Kletsky <jmk@wagsky.com>
To: Ernie Luzar, freebsd-jail@freebsd.org
Subject: Re: Using jail.conf array parameters in exec.* commands
Date: Fri, 17 Feb 2017 09:58:48 -0800
Message-ID: <5c11e326-cd4b-73e1-a681-9d116a0c1cd3@wagsky.com>
In-Reply-To: <58A42DC7.5040702@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

Thanks for the suggestion of trying to use 'ifconfig interface vnet jail' in the scripts themselves. I'll get my scripts up once I've got them running again confidently and can get proper licensing on them.
TL;DR

* Is there a clean way to "catch" failures in jail(8) creation after exec.prestart completes, such as vnet.interface failing?

* Is there a good way to execute commands in the host environment once jail(8) brings up the jail, but before exec.start runs?

The rest:

I've been thinking about that for a while, especially as there isn't a way to "catch" an execution error in jail(8) itself, such as the vnet transition failing. (Yes, I'll open an issue on that once I'm convinced I can't do it with the current jail functionality.)

To be able to call 'ifconfig interface vnet jail' the jail needs to exist already:

    # ifconfig ngeth3 vnet t2
    ifconfig: jail "t2" not found

Further, the network needs to be up and running when services are started: ntpd, anything that binds to a specific interface (rather than *), anything that needs DNS (such as nginx providing proxy services), ...

jail(8) tells me I have the following hooks available:

    exec.prestart  -- jail isn't created yet
    exec.start     -- runs *in* the jail; typically starts execution
    exec.poststart -- runs in the host, after exec.start completes

There isn't a "jail up, but not executing yet" hook in the host environment that I am aware of.

There is a somewhat ugly approach along the lines of:

    exec.prestart  -- do the setup on the host side
    exec.start     -- '/bin/true' or 'return 0' -- don't do anything
    exec.poststart -- 'ifconfig interface vnet jail'-like things
                      'jexec jail sh /etc/rc > ${exec.consolelog}'

Is there a better approach that someone out there knows of?

Thanks!

Jeff

On 2/15/17 2:30 AM, Ernie Luzar wrote:
> Jeff Kletsky wrote:
>> TL;DR
>>
>> Is there a patch available to allow substitution of "array" parameters
>> into the strings used for exec.prestart, exec.poststop, and the like?
>>
>> [...]
> An alternate method to coding the jail.conf vnet.interface parameter is
> to use the "ifconfig vnet" command to enable it and "ifconfig -vnet"
> command to disable it in your netgraph script that starts and stops the
> vnet jail.
> Doing so would eliminate your current desire for array processing in
> the jail.conf definition altogether.
>
> I use the bridge/epair method myself because it's so much easier to
> understand. If you don't mind sharing, I sure would like to see your
> netgraph script for vnet jail control once you get it working.
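The workaround Jeff sketches (a do-nothing exec.start, with the interface move and the jail's rc both driven from exec.poststart on the host) written out as a jail.conf fragment. This is an added example for this archive page, not from the original post and not Jeff's or Ernie's scripts; the jail name t2, the path /jails/t2, the hostname, the epair3 pair, the host bridge0 and the log path are assumptions chosen for illustration.

```conf
# Added example (not from the original thread): a vnet jail whose
# interface is attached from the host after jail(8) has created the
# jail, but before the jail's /etc/rc runs.  t2, /jails/t2, epair3,
# bridge0 and the log path are assumptions for illustration.

# Global settings apply to every jail in this file.
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;

t2 {
    path = "/jails/t2";
    host.hostname = "t2.example.net";
    vnet;

    # Host side, before the jail exists: create the epair and attach the
    # "a" end to a host bridge (bridge0 assumed to already exist).
    # "ifconfig ... vnet t2" cannot go here: the jail is not created yet.
    exec.prestart  = "ifconfig epair3 create up";
    exec.prestart += "ifconfig bridge0 addm epair3a";

    # Inside the jail: deliberately do nothing, so the jail exists with
    # its vnet but no services have started yet.
    exec.start = "/bin/true";

    # Host side, after the jail exists: move the "b" end into the jail,
    # then run rc under jexec.  Because exec.start produced no output,
    # rc's output is sent to the console log by an explicit redirect.
    exec.poststart  = "ifconfig epair3b vnet t2";
    exec.poststart += "jexec t2 /bin/sh /etc/rc >> ${exec.consolelog} 2>&1";

    # Orderly shutdown inside the jail; afterwards destroy the epair from
    # the host (destroying one end of an epair removes both ends).
    exec.stop     = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair3a destroy";
}
```

The ordering is the whole point: by the time the second exec.poststart command runs, the interface is already inside the jail's vnet, so daemons that bind to a specific address or need DNS (the ntpd and nginx cases from the post) see a working network. Each exec.* hook is a list, so `+=` appends commands that jail(8) runs in order, and because `ifconfig ... vnet t2` is now an ordinary hook command its exit status is reported by jail(8) rather than being lost inside vnet.interface handling, which is the "catch" the TL;DR asks about. The cost is that rc runs from jexec rather than from exec.start, so anything that relies on exec.start's own console logging has to be redirected by hand, as shown.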