From owner-svn-ports-all@freebsd.org Thu Jan 23 11:12:29 2020 Return-Path: Delivered-To: svn-ports-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4E155235907; Thu, 23 Jan 2020 11:12:29 +0000 (UTC) (envelope-from grembo@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 483KP91RGKz4TV1; Thu, 23 Jan 2020 11:12:29 +0000 (UTC) (envelope-from grembo@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 13DDDDBF1; Thu, 23 Jan 2020 11:12:29 +0000 (UTC) (envelope-from grembo@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 00NBCSEj087957; Thu, 23 Jan 2020 11:12:28 GMT (envelope-from grembo@FreeBSD.org) Received: (from grembo@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 00NBCS51087954; Thu, 23 Jan 2020 11:12:28 GMT (envelope-from grembo@FreeBSD.org) Message-Id: <202001231112.00NBCS51087954@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: grembo set sender to grembo@FreeBSD.org using -f From: Michael Gmelin Date: Thu, 23 Jan 2020 11:12:28 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r523920 - in head/sysutils/iocage: . files X-SVN-Group: ports-head X-SVN-Commit-Author: grembo X-SVN-Commit-Paths: in head/sysutils/iocage: . files X-SVN-Commit-Revision: 523920 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jan 2020 11:12:29 -0000 Author: grembo Date: Thu Jan 23 11:12:28 2020 New Revision: 523920 URL: https://svnweb.freebsd.org/changeset/ports/523920 Log: Fix accidental removal of devfs_rulesets on jail stop Pulls in a bugfix[0] that has been merged upstream[1]. This bug caused manually configured devfs_rulesets to get deleted on jail stop, causing jails to come up with a default devfs rules on next start, which can be a nuisance or even dangerous, depending on the specific setup. Also adds a minimum devfs_ruleset id for dynamically created devfs rulesets and fixes a devfs_ruleset resource leak when using plugins. Take maintainership, as suggested by araujo@ (thanks for taking care of that port for so long!). [0]https://github.com/iocage/iocage/pull/1106 [1]https://github.com/iocage/iocage/commit/753b2f35731423597d7f51f33427b6d619fcd0b5 PR: 243510 Approved by: araujo (maintainer) MFH: 2020Q1 Added: head/sysutils/iocage/files/patch-iocage__lib_ioc__common.py (contents, props changed) head/sysutils/iocage/files/patch-iocage__lib_ioc__json.py (contents, props changed) head/sysutils/iocage/files/patch-iocage__lib_ioc__start.py (contents, props changed) Modified: head/sysutils/iocage/Makefile Modified: head/sysutils/iocage/Makefile ============================================================================== --- head/sysutils/iocage/Makefile Thu Jan 23 11:01:25 2020 (r523919) +++ head/sysutils/iocage/Makefile Thu Jan 23 11:12:28 2020 (r523920) @@ -2,11 +2,11 @@ PORTNAME= iocage PORTVERSION= 1.2 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= sysutils python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} -MAINTAINER= araujo@FreeBSD.org +MAINTAINER= grembo@FreeBSD.org COMMENT= FreeBSD jail manager written in Python3 LICENSE= BSD2CLAUSE Added: head/sysutils/iocage/files/patch-iocage__lib_ioc__common.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/iocage/files/patch-iocage__lib_ioc__common.py Thu Jan 23 11:12:28 2020 (r523920) @@ -0,0 +1,73 @@ +Originates here +https://github.com/iocage/iocage/commit/753b2f35731423597d7f51f33427b6d619fcd0b5 +https://github.com/iocage/iocage/pull/1106 +and most likely can be removed on the next release of iocage. +--- iocage_lib/ioc_common.py.orig 2019-09-26 07:23:24 UTC ++++ iocage_lib/ioc_common.py +@@ -44,6 +44,9 @@ import iocage_lib.ioc_exceptions + import iocage_lib.ioc_exec + + INTERACTIVE = False ++# 4 is a magic number for default and doesn't refer ++# to the actual ruleset 4 in devfs.rules(!) ++IOCAGE_DEVFS_RULESET = 4 + + + def callback(_log, callback_exception): +@@ -737,7 +740,7 @@ def generate_devfs_ruleset(conf, paths=N + Will add a per jail devfs ruleset with the specified rules, + specifying defaults that equal devfs_ruleset 4 + """ +- ruleset = conf['devfs_ruleset'] ++ configured_ruleset = conf['devfs_ruleset'] + devfs_includes = [] + devfs_rulesets = su.run( + ['devfs', 'rule', 'showsets'], +@@ -745,22 +748,26 @@ def generate_devfs_ruleset(conf, paths=N + ) + ruleset_list = [int(i) for i in devfs_rulesets.stdout.splitlines()] + +- if ruleset != '4': +- if int(ruleset) in ruleset_list: +- return str(ruleset) +- +- logit({ +- "level": "INFO", +- "message": f'* Ruleset {ruleset} does not exist, using defaults' +- }, +- _callback=callback, +- silent=silent) +- +- ruleset = 5 # 0-4 is always reserved ++ ruleset = int(conf["min_dyn_devfs_ruleset"]) + while ruleset in ruleset_list: + ruleset += 1 + ruleset = str(ruleset) + ++ # Custom devfs_ruleset configured, clone to dynamic ruleset ++ if int(configured_ruleset) != IOCAGE_DEVFS_RULESET: ++ if int(configured_ruleset) not in ruleset_list: ++ return (True, configured_ruleset, '0') ++ rules = su.run( ++ ['devfs', 'rule', '-s', configured_ruleset, 'show'], ++ stdout=su.PIPE, universal_newlines=True ++ ) ++ for rule in rules.stdout.splitlines(): ++ su.run(['devfs', 'rule', '-s', ruleset, 'add'] + ++ rule.split(' ')[1:], stdout=su.PIPE) ++ ++ return (True, configured_ruleset, ruleset) ++ ++ # Create default ruleset + devfs_dict = dict((dev, None) for dev in ( + 'hide', 'null', 'zero', 'crypto', 'random', 'urandom', 'ptyp*', + 'ptyq*', 'ptyr*', 'ptys*', 'ptyP*', 'ptyQ*', 'ptyR*', 'ptyS*', 'ptyl*', +@@ -812,7 +819,7 @@ def generate_devfs_ruleset(conf, paths=N + + su.run(['devfs', 'rule', '-s', ruleset] + path, stdout=su.PIPE) + +- return ruleset ++ return (False, configured_ruleset, ruleset) + + + def runscript(script): Added: head/sysutils/iocage/files/patch-iocage__lib_ioc__json.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/iocage/files/patch-iocage__lib_ioc__json.py Thu Jan 23 11:12:28 2020 (r523920) @@ -0,0 +1,74 @@ +Originates here +https://github.com/iocage/iocage/commit/753b2f35731423597d7f51f33427b6d619fcd0b5 +https://github.com/iocage/iocage/pull/1106 +and most likely can be removed on the next release of iocage. +--- iocage_lib/ioc_json.py.orig 2019-09-26 07:23:24 UTC ++++ iocage_lib/ioc_json.py +@@ -671,7 +671,7 @@ class IOCConfiguration(IOCZFS): + @staticmethod + def get_version(): + """Sets the iocage configuration version.""" +- version = '26' ++ version = '27' + + return version + +@@ -1104,6 +1104,10 @@ class IOCConfiguration(IOCZFS): + if conf.get(option) == 'none': + conf[option] = 'auto' + ++ # Version 27 key ++ if not conf.get('min_dyn_devfs_ruleset'): ++ conf['min_dyn_devfs_ruleset'] = '1000' ++ + if not default: + conf.update(jail_conf) + +@@ -1321,7 +1325,7 @@ class IOCConfiguration(IOCZFS): + 'vnet2_mac': 'none', + 'vnet3_mac': 'none', + 'vnet_default_interface': 'auto', +- 'devfs_ruleset': '4', ++ 'devfs_ruleset': str(iocage_lib.ioc_common.IOCAGE_DEVFS_RULESET), + 'exec_start': '/bin/sh /etc/rc', + 'exec_stop': '/bin/sh /etc/rc.shutdown', + 'exec_prestart': '/usr/bin/true', +@@ -1432,6 +1436,7 @@ class IOCConfiguration(IOCZFS): + 'nat_forwards': 'none', + 'plugin_name': 'none', + 'plugin_repository': 'none', ++ 'min_dyn_devfs_ruleset': '1000', + } + + def check_default_config(self): +@@ -2369,6 +2374,7 @@ class IOCJson(IOCConfiguration): + 'nat_forwards': ('string', ), + 'plugin_name': ('string', ), + 'plugin_repository': ('string', ), ++ 'min_dyn_devfs_ruleset': ('string', ), + } + + zfs_props = { +@@ -2648,6 +2654,22 @@ class IOCJson(IOCConfiguration): + silent=self.silent, + exception=ioc_exceptions.ValidationFailed + ) ++ elif key in ('devfs_ruleset', 'min_dyn_devfs_ruleset'): ++ try: ++ intval = int(value) ++ if intval <= 0: ++ raise ValueError() ++ conf[key] = str(intval) ++ except ValueError: ++ iocage_lib.ioc_common.logit( ++ { ++ 'level': 'EXCEPTION', ++ 'message': f'Invalid {key} value: {value}' ++ }, ++ _callback=self.callback, ++ silent=self.silent, ++ exception=ioc_exceptions.ValidationFailed ++ ) + + return value, conf + else: Added: head/sysutils/iocage/files/patch-iocage__lib_ioc__start.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/iocage/files/patch-iocage__lib_ioc__start.py Thu Jan 23 11:12:28 2020 (r523920) @@ -0,0 +1,104 @@ +Originates here +https://github.com/iocage/iocage/commit/753b2f35731423597d7f51f33427b6d619fcd0b5 +https://github.com/iocage/iocage/pull/1106 +and most likely can be removed on the next release of iocage. +--- iocage_lib/ioc_start.py.orig 2019-09-26 07:23:24 UTC ++++ iocage_lib/ioc_start.py +@@ -145,7 +145,6 @@ class IOCStart(object): + allow_quotas = self.conf["allow_quotas"] + allow_socket_af = self.conf["allow_socket_af"] + allow_vmm = self.conf["allow_vmm"] +- devfs_ruleset = iocage_lib.ioc_common.generate_devfs_ruleset(self.conf) + exec_prestart = self.conf["exec_prestart"] + exec_poststart = self.conf["exec_poststart"] + exec_clean = self.conf["exec_clean"] +@@ -486,16 +485,8 @@ class IOCStart(object): + _callback=self.callback, + silent=self.silent) + +- if wants_dhcp and self.conf['type'] != 'pluginv2' \ +- and self.conf['devfs_ruleset'] != '4': +- iocage_lib.ioc_common.logit({ +- "level": "WARNING", +- "message": f" {self.uuid} is not using the devfs_ruleset" +- f" of 4, not generating a ruleset for the jail," +- " DHCP may not work." +- }, +- _callback=self.callback, +- silent=self.silent) ++ devfs_paths = None ++ devfs_includes = None + + if self.conf['type'] == 'pluginv2' and os.path.isfile( + os.path.join(self.path, f'{self.conf["plugin_name"]}.json') +@@ -509,17 +500,51 @@ class IOCStart(object): + plugin_name = self.conf['plugin_name'] + plugin_devfs = devfs_json[ + "devfs_ruleset"][f"plugin_{plugin_name}"] +- plugin_devfs_paths = plugin_devfs['paths'] +- +- plugin_devfs_includes = None if 'includes' not in \ ++ devfs_paths = plugin_devfs['paths'] ++ devfs_includes = None if 'includes' not in \ + plugin_devfs else plugin_devfs['includes'] + +- devfs_ruleset = \ +- iocage_lib.ioc_common.generate_devfs_ruleset( +- self.conf, +- paths=plugin_devfs_paths, +- includes=plugin_devfs_includes +- ) ++ # Generate dynamic devfs ruleset from configured one ++ (manual_devfs_config, configured_devfs_ruleset, devfs_ruleset) \ ++ = iocage_lib.ioc_common.generate_devfs_ruleset( ++ self.conf, devfs_paths, devfs_includes) ++ ++ if int(devfs_ruleset) <= 0: ++ iocage_lib.ioc_common.logit({ ++ "level": "ERROR", ++ "message": f"{self.uuid} devfs_ruleset" ++ f" {configured_devfs_ruleset} does not exist!" ++ " - Not starting jail" ++ }, ++ _callback=self.callback, ++ silent=self.silent) ++ return ++ ++ # Manually configured devfs_ruleset doesn't support all iocage features ++ if manual_devfs_config: ++ if devfs_paths is not None or devfs_includes is not None: ++ iocage_lib.ioc_common.logit({ ++ "level": "WARNING", ++ "message": f" {self.uuid} is not using the devfs_ruleset" ++ " of " ++ f"{iocage_lib.ioc_common.IOCAGE_DEVFS_RULESET}" ++ ", devices and includes from plugin not added" ++ ", some features of the plugin may not work." ++ }, ++ _callback=self.callback, ++ silent=self.silent) ++ ++ if wants_dhcp and self.conf['type'] != 'pluginv2': ++ iocage_lib.ioc_common.logit({ ++ "level": "WARNING", ++ "message": f" {self.uuid} is not using the devfs_ruleset" ++ " of " ++ f"{iocage_lib.ioc_common.IOCAGE_DEVFS_RULESET}" ++ ", not generating a ruleset for the jail," ++ " DHCP may not work." ++ }, ++ _callback=self.callback, ++ silent=self.silent) + + parameters = [ + fdescfs, _allow_mlock, tmpfs, +@@ -619,6 +644,9 @@ class IOCStart(object): + iocage_lib.ioc_common.logit({ + 'level': 'INFO', + 'message': f' + Using devfs_ruleset: {devfs_ruleset}' ++ + (' (cloned from devfs_ruleset ' ++ f'{configured_devfs_ruleset})' if manual_devfs_config ++ else ' (iocage generated default)') + }, + _callback=self.callback, + silent=self.silent)