From: Jamie Gritton <jamie@FreeBSD.org>
Date: Sat, 04 Jul 2009 10:12:53 -0600
Message-ID: <4A4F7F85.7030903@FreeBSD.org>
In-Reply-To: <20090630100711.18745yont7x1lcjk@webmail.leidinger.net>
To: Alexander Leidinger
Cc: jail@FreeBSD.org
Subject: Re: Switching /etc/rc.d/jail to new syntax (+ new features)

Alexander Leidinger wrote:
> Quoting Jamie Gritton (from Mon, 29 Jun 2009 11:30:49 -0600):
>
>> Alexander Leidinger wrote:
>>
>>>>>>> at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I
>>>>>>> have a patch to switch the jail rc script to the new jail
>>>>>>> (8-current) syntax. This includes new config options for a jail
>>>>>>> (see etc/defaults/rc.conf after patching). The patch also contains
>>>>>>> my X-in-a-jail stuff (feel free to ignore this part, it's disabled
>>>>>>> by default).
>>>>>>>
>>>>>>> If you do not make any config change, you will be able to see all
>>>>>>> mounted filesystems of the entire machine. To get back to the
>>>>>>> previous behavior, you have to add a config option:
>>>>>>> jail_XXX_startparams="enforce_statfs=2"
>>>>>>>
>>>>>>> This config option can also take other jail parameters like
>>>>>>> allow.sysvipc and other ones described in the jail man-page
>>>>>>> (additional parameters need to be space separated).
>>>>>>>
>>>>>>> Feedback welcome.
>>>>>>>
>>>>>> 1) it breaks various things that will no longer work
>>>>>>
>>>>> As mentioned, it "breaks" the statfs part. If there's anything
>>>>> else, be more specific please.
>>>>>
>>>> v6, noIP, ...
>>>>
>>>
>>> I didn't change the IP handling in the rc script. Does this mean
>>> jail(8) works differently regarding the address parsing when called
>>> with the new parameters instead of the old options?
>>>
>>> I didn't test anything regarding ipv6, but as long as jail(8) doesn't
>>> behave differently with the new calling syntax compared with what we
>>> have in the tree, then the behavior is not different from what we have.
>>> If it behaves differently, this can be fixed in the script.
>>>
>>
>> There is a difference. Under the old options, IPv4 and IPv6 addresses
>> are mixed into the single fixed argument, and then are parsed to
>> determine which kind they are - both by jail(8) and rc.d/jail. Under
>> the new parameter-based command line, IPv4 addresses and IPv6
>> addresses go with ip4.addr and ip6.addr respectively.
>
> But why are my jails (with only one ipv4 address) starting correctly then?

The problem is that all addresses are put into ip4.addr, so it will
break (only) if you have any IPv6 addresses.

>> The rc.d/jail code that brings up addresses on an interface can be
>> modified to decide which argument the address goes with.
>>
>> I've given Bjoern a patch based on yours that handles this as well as
>> the allow.* sysctls (though I missed the statfs part).
>
> Do you mind making it available somewhere?

Sure. I've put it at http://gritton.org/freebsd/jail.rc.diff

- Jamie
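The address split discussed above (IPv4 to ip4.addr, IPv6 to ip6.addr), as an added illustration that is not from either patch in this thread: a POSIX sh helper, jail_addr_params, which takes an old-style rc.d/jail address list (assumed format "[iface|]address[/prefix]", comma separated) and emits the parameters for the new jail(8) command line.

```sh
#!/bin/sh
# Split an old-style rc.d/jail address list, e.g.
#   "192.0.2.10/24,2001:db8::10/64,lo1|127.0.0.2"
# into the ip4.addr= and ip6.addr= parameters the new jail(8) syntax
# expects. Putting everything into ip4.addr (the failure mode described
# in the thread) is exactly what this avoids: an IPv6 address in the
# list goes to ip6.addr, and anything that is neither is rejected.
# The "[iface|]" prefix and "/prefix" suffix are assumed to belong to the
# ifconfig step, which the rc script does separately, so they are dropped.
jail_addr_params() {
    _list=$1
    _v4= _v6= _out=
    # word-split on commas once, then restore IFS for the loop body
    _oldifs=$IFS; IFS=,
    set -- $_list
    IFS=$_oldifs
    for _a in "$@"; do
        _addr=${_a#*|}        # strip "iface|"
        _addr=${_addr%%/*}    # strip "/prefix"
        case $_addr in
        *:*)      _v6="${_v6:+$_v6,}$_addr" ;;   # colon => IPv6
        *.*.*.*)  _v4="${_v4:+$_v4,}$_addr" ;;   # dotted quad => IPv4
        *)
            echo "jail_addr_params: unrecognized address '$_a'" >&2
            return 1 ;;
        esac
    done
    [ -n "$_v4" ] && _out="ip4.addr=$_v4"
    [ -n "$_v6" ] && _out="${_out:+$_out }ip6.addr=$_v6"
    printf '%s\n' "$_out"
}

# constructed sample list: mixed v4/v6 with an interface prefix and prefix lengths
jail_addr_params '192.0.2.10/24,2001:db8::10/64,lo1|127.0.0.2'
```

The printed result for the sample list is `ip4.addr=192.0.2.10,127.0.0.2 ip6.addr=2001:db8::10`, which can be appended to the jail(8) invocation alongside parameters such as enforce_statfs=2 from jail_XXX_startparams.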