From owner-freebsd-jail@freebsd.org Fri Feb 17 23:01:02 2017
Message-ID: <58A780C4.6030503@gmail.com>
Date: Fri, 17 Feb 2017 18:01:24 -0500
From: Ernie Luzar
To: Jeff Kletsky
CC: freebsd-jail@freebsd.org
Subject: Re: Using jail.conf array parameters in exec.* commands
References: <58A42DC7.5040702@gmail.com> <5c11e326-cd4b-73e1-a681-9d116a0c1cd3@wagsky.com>
In-Reply-To: <5c11e326-cd4b-73e1-a681-9d116a0c1cd3@wagsky.com>

Jeff Kletsky wrote:
> Thanks for the suggestion of trying to use 'ifconfig interface vnet jail'
> in the scripts themselves.
>
> I'll get my scripts up once I've got them running again confidently
> and can get proper licensing on them.
>
> TL;DR
>
> * Is there a clean way to "catch" failures in jail(8) creation after
>   exec.prestart completes, such as vnet.interface failing?
>
> * Is there a good way to execute commands in the host environment once
>   jail(8) brings up the jail, but before exec.start runs?
>
> The rest:
>
> I've been thinking about that for a while, especially as there isn't a
> way to "catch" an execution error in jail(8) itself, such as the vnet
> transition failing. (Yes, I'll open an issue on that once I'm convinced
> I can't do it with the current jail functionality.)
>
> To be able to call 'ifconfig interface vnet jail' the jail needs to
> exist already:
>
>     # ifconfig ngeth3 vnet t2
>     ifconfig: jail "t2" not found
>
> Further, the network needs to be up and running when services are
> started: ntpd, anything that binds to a specific interface (rather
> than *), anything that needs DNS (such as nginx providing proxy
> services), ...
>
> jail(8) tells me I have the following hooks available:
>
>     exec.prestart  -- jail isn't created yet
>     exec.start     -- runs *in* the jail; typically starts execution
>     exec.poststart -- runs in the host, after exec.start completes
>
> There isn't a "jail up, but not executing yet" hook in the host
> environment that I am aware of.
>
> There is a somewhat ugly approach along the lines of:
>
>     exec.prestart  -- do the setup on the host side
>     exec.start     -- '/bin/true' or 'return 0' -- don't do anything
>     exec.poststart -- 'ifconfig interface vnet jail'-like things,
>                       'jexec jail sh /etc/rc > ${exec.consolelog}'
>
> Is there a better approach that someone out there knows of?
>
> Thanks!
>
> Jeff

Let's make this simple. Do not use the "service jail jailname start" command to start / stop your jails. You're mixing the legacy rc.conf jail method with the jail.conf method. Always use the jail(8) command itself to start/stop your jails. If you do this in a script then you can check the jail's resulting return code to determine if the jail start/stop failed. But there is no information to tell you why it failed. In almost all cases it's caused by a jail.conf parameter syntax coding error or invalid value content. It's really pretty simple to determine the cause by looking at the jail.conf content for the offending vnet jail.

Change your mindset from thinking you have to use the exec.* hooks to configure the vnet jail's netgraph network setup. Just have individual jail.conf files for each vnet jail with no vnet interface defined. Now you can start the jail with just the standard exec.start line and standard exec.stop line. Once your script has issued the jail(8) command to start the jail, follow it with all the netgraph commands to enable its network. The vnet jail itself has no knowledge of any network connectivity at start up; you can wrap either bridge/epair or netgraph around it and it doesn't care. This was learned the hard way.
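As an added example, not a script from either poster in this thread, here is a host-side wrapper in the shape Ernie describes: start the jail with jail(8) itself, check its exit status, and only once the jail exists move the interface into it with 'ifconfig interface vnet jail'. It assumes a per-jail config file under /etc/jail.conf.d/<name>.conf (a hypothetical layout) whose jail.conf contains 'vnet;' but no vnet.interface parameter, so the jail comes up with no network and the interface is attached afterwards. JAIL_CMD and IFCONFIG_CMD are override hooks added here purely so the functions can be exercised without a real jail; on a FreeBSD host they default to jail(8) and ifconfig(8).

```shell
#!/bin/sh
# Added example (not from the list thread): start a vnet jail via jail(8),
# check its return code, then attach interfaces from the host side.
#
# Assumptions not stated on the page:
#   - per-jail config at $JAIL_CONF_DIR/<name>.conf (hypothetical layout)
#     containing 'vnet;' and no vnet.interface parameter
#   - JAIL_CMD / IFCONFIG_CMD are override hooks for testing only

JAIL_CMD=${JAIL_CMD:-jail}
IFCONFIG_CMD=${IFCONFIG_CMD:-ifconfig}
JAIL_CONF_DIR=${JAIL_CONF_DIR:-/etc/jail.conf.d}

# start_vnet_jail <jailname> <iface>...
# Returns jail(8)'s own exit status if creation fails (no interface is
# touched in that case), the exit status of the first failing ifconfig
# call, or 0 when the jail is up and every interface has been moved.
start_vnet_jail() {
    name=$1; shift
    conf="$JAIL_CONF_DIR/$name.conf"

    # jail(8) directly, not 'service jail start', so the return code is
    # jail(8)'s own; -f selects the per-jail config, -c creates the jail.
    "$JAIL_CMD" -f "$conf" -c "$name"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        # jail(8) only tells us that it failed, not why: the usual cause
        # is a parameter syntax or value error in the config file.
        echo "jail $name failed to start (rc=$rc); check $conf" >&2
        return "$rc"
    fi

    # The jail now exists, so the vnet move can succeed. The jail itself
    # has no idea whether epair or netgraph is wrapped around it.
    for iface in "$@"; do
        "$IFCONFIG_CMD" "$iface" vnet "$name"
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "could not move $iface into jail $name (rc=$rc)" >&2
            return "$rc"
        fi
    done
    return 0
}

# stop_vnet_jail <jailname>: remove the jail with jail(8) -r; interfaces
# moved into a vnet jail return to the host when the jail goes away.
stop_vnet_jail() {
    name=$1
    "$JAIL_CMD" -f "$JAIL_CONF_DIR/$name.conf" -r "$name"
}

# Usage on a host (interface name from Jeff's message, jail name t2):
#   start_vnet_jail t2 ngeth3 || echo "t2 did not come up" >&2
```

Because the interface move runs only after jail(8) has returned 0, the "jail not found" error Jeff hit cannot occur from this path, and a failed jail start leaves the host-side interface untouched rather than half-configured.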