From owner-freebsd-jail@FreeBSD.ORG Thu Jan 21 18:00:23 2010
Date: Thu, 21 Jan 2010 18:00:23 GMT
To: freebsd-jail@FreeBSD.org
From: David BERARD
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

The following reply was made to PR conf/142972; it has been noted by GNATS.
From: David BERARD
To: bug-followup@FreeBSD.org
Cc: Philipp Wuensche
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
Date: Thu, 21 Jan 2010 18:55:10 +0100

> I did some testing with vnet and I find the way of using _poststart and
> _afterstart to configure ip-addr. inside a vimage jail very impractical.
> First we lose all the nice features of configuring ipaddrs. via
> ipv4_addrs_if in rc.conf from inside the jail and second, more
> important, the jail will be fully booted before any ipaddr. is
> configured or even interfaces are configured. This will result in
> services not starting correctly, firewalling going nuts, routing-daemons
> not working etc.pp.
>

I had to patch rc to support this, and use this in rc.conf:

jail_example_exec_earlypoststart0="ifconfig epair0b vnet example"
jail_example_exec_afterstart0="ifconfig epair0b x.x.x.x"

--- jailv2rc_earlypoststart.patch begins here --- --- /usr/src/etc/rc.d/jail 2009-10-25 02:10:29.000000000 +0100 +++ /etc/rc.d/jail 2010-01-20 10:40:57.000000000 +0100 @@ -38,6 +38,7 @@ _fdescdir=3D"${_devdir}/fd" _procdir=3D"${_rootdir}/proc" eval _hostname=3D\"\$jail_${_j}_hostname\" + eval _name=3D\"\$jail_${_j}_name\" eval _ip=3D\"\$jail_${_j}_ip\" eval _interface=3D\"\${jail_${_j}_interface:-${jail_interface}}\"= eval _exec=3D\"\$jail_${_j}_exec\" 
@@ -51,12 +52,19 @@ eval _exec_start=3D\"\${jail_${_j}_exec_start:-${jail_exec_start}= }\" - i=3D1 + i=3D0 while : ; do eval _exec_afterstart${i}=3D\"\${jail_${_j}_exec_aftersta= rt${i}:-\${jail_exec_afterstart${i}}}\" [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && brea= k i=3D$((i + 1)) done + + i=3D0 + while : ; do + eval _exec_earlypoststart${i}=3D\"\${jail_${_j}_exec_earl= ypoststart${i}:-\${jail_exec_earlypoststart${i}}}\" + [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break + i=3D$((i + 1)) + done i=3D0 while : ; do @@ -95,6 +103,9 @@ fi fi + # JAIL new style + eval _v2=3D\"\${jail_v2_enable:-"NO"}\" + # The default jail ruleset will be used by rc.subr if none is spe= cified. eval _ruleset=3D\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_rules= et}}\" eval _devfs=3D\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}= \" @@ -110,18 +121,26 @@ eval _fstab=3D\"\${jail_${_j}_fstab:-${jail_fstab}}\" [ -z "${_fstab}" ] && _fstab=3D"/etc/fstab.${_j}" eval _flags=3D\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags=3D"-l -U root" + if checkyesno _v2; then + [ -z "${_flags}" ] && _flags=3D"-l -U root -c" + else + [ -z "${_flags}" ] && _flags=3D"-l -U root" + fi eval _consolelog=3D\"\${jail_${_j}_consolelog:-${jail_consolelog}= }\" [ -z "${_consolelog}" ] && _consolelog=3D"/var/log/jail_${_j}_con= sole.log" eval _fib=3D\"\${jail_${_j}_fib:-${jail_fib}}\" + eval _vnet=3D\"\${jail_${_j}_vnet_enable:-"NO"}\" # Debugging aid # + debug "$_j v2 enable: $_v2" debug "$_j devfs enable: $_devfs" debug "$_j fdescfs enable: $_fdescfs" debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" + debug "$_j vnet enable: $_vnet" debug "$_j hostname: $_hostname" + debug "$_j name: $_name" debug "$_j ip: $_ip" jail_show_addresses ${_j} debug "$_j interface: $_interface" @@ -145,7 +164,7 @@ debug "$_j exec start: $_exec_start" - i=3D1 + i=3D0 while : ; do eval out=3D\"\${_exec_afterstart${i}:-''}\" 
@@ -481,6 +500,20 @@ *) ;; esac + + # Append address to list of addresses for the jail comman= d. + case "${_type}" in + "inet") case "${_addrlv4}" in + "") _addrlv4=3D"${_addr}" ;; + *) _addrlv4=3D"${_addrlv4},${_addr}" ;; + esac;; + "inet6") case "${_addrlv6}" in + "") _addrlv6=3D"${_addr}" ;; + *) _addrlv6=3D"${_addrlv6},${_addr}" ;; + esac;; + esac + + # Append address to list of addresses for the jail comman= d. case "${_addrl}" in "") _addrl=3D"${_addr}" ;; @@ -567,6 +600,8 @@ continue; fi _addrl=3D"" + _addrlv4=3D"" + _addrlv6=3D"" jail_ips "add" if [ -n "${_fib}" ]; then _setfib=3D"setfib -F '${_fib}'" 
@@ -634,13 +669,36 @@ ${out} i=3D$((i + 1)) done - - eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname= } \ - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 - + if checkyesno _v2; then + _start_cmd=3D"${_setfib} jail -J ${_tmp_jail} ${_= flags} path=3D${_rootdir} host.hostname=3D${_hostname} \ + name=3D\"${_name}\"" + if checkyesno _vnet; then + _start_cmd=3D"${_start_cmd} vnet" + else + _start_cmd=3D"${_start_cmd} ip4.addr=3D\"= ${_addrlv4}\" ip6.addr=3D\"${_addrlv6}\"" + fi + _start_cmd=3D"${_start_cmd} command=3D${_exec_st= art}" + eval ${_start_cmd} > /dev/null 2>&1 + else + eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_= hostname} \ + \"${_addrl}\" ${_exec_start} > ${_tmp_jai= l} 2>&1 + fi if [ "$?" -eq 0 ] ; then - _jail_id=3D$(head -1 ${_tmp_jail}) - i=3D1 + if checkyesno _v2; then + _jail_id=3D$(awk -F '=3D| ' '{print $2}' = ${_tmp_jail}) + else + _jail_id=3D$(head -1 ${_tmp_jail}) + fi + + i=3D0 + while : ; do + eval out=3D\"\${_exec_earlypoststart${i}:= -''}\" + [ -z "$out" ] && break + ${out} + i=3D$((i + 1)) + done + + i=3D0 while : ; do eval out=3D\"\${_exec_afterstart${i}:-''}= \" --- jailv2rc_earlypoststart.patch ends here ---

-- 
David BERARD
---------------------------------------
NFrance Conseil
david(at)nfrance.com
GPG|PGP KeyId 0x7FC68EB8
GPG|PGP Key http://tinyurl.com/gpgdavid
---------------------------------------
* No electrons were harmed in *
* the transmission of this email *
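Review bot: the break test in the new earlypoststart loop (-51,12 hunk) checks the wrong variable: the loop sets `_exec_earlypoststart${i}` but then tests `[ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break`, so it ends when `_exec_poststart${i}` is empty rather than when the earlypoststart list runs out. With no poststart entries it breaks right after index 0, and `jail_<j>_exec_earlypoststart1` and later are never collected; the test should read `\$_exec_earlypoststart${i}`, exactly like the afterstart loop directly above it.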
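Review bot: `_v2` is read only from the global `jail_v2_enable` (-95,6 hunk), while every other knob in this function, including the new `_vnet`, is looked up per jail; there is no `jail_<j>_v2_enable`, so old-style and new-style jails cannot be mixed on one host. Use the same `\${jail_${_j}_v2_enable:-${jail_v2_enable}}` pattern as the surrounding lookups, and add the new `jail_v2_enable`, `jail_<j>_vnet_enable`, `jail_<j>_name` and `jail_<j>_exec_earlypoststart<N>` variables to /etc/defaults/rc.conf and rc.conf(5); the patch only touches /etc/rc.d/jail.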
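Review bot: `-c` is only added to the default flags (-110,18 hunk, `[ -z "${_flags}" ] && _flags="-l -U root -c"`), so a jail whose administrator sets `jail_<j>_flags` gets the new-style `path=...` command line without `-c`; append `-c` in the v2 start command itself and leave `_flags` as the user's flags. In the same hunk `_vnet` defaults to `"NO"` with no `jail_vnet_enable` global fallback, unlike the neighbouring `_fib` and `_consolelog` lookups.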
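Review bot: changing `i=1` to `i=0` (-145,7 hunk, and the matching changes in the -51,12 and -634,13 hunks) silently renumbers the afterstart hooks; an existing rc.conf whose first entry is `jail_<j>_exec_afterstart1` now hits an empty `afterstart0`, breaks immediately and runs nothing. Either keep the 1-based start for afterstart or call the renumbering out explicitly in the PR and in the rc.conf(5) entry.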
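Review bot: the comment `# Append address to list of addresses for the jail command.` now appears twice in a row (-481,6 hunk), once above the new per-family `case "${_type}"` and once above the old `_addrl` case; reword the first to say it builds the `_addrlv4`/`_addrlv6` lists consumed by the new-style `ip4.addr`/`ip6.addr` parameters.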
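Review bot: the v2 branch (-634,13 hunk) discards jail(8)'s output with `eval ${_start_cmd} > /dev/null 2>&1`, so when the new-style command fails the diagnostic is lost and the script only sees a non-zero exit; keep stderr in `${_consolelog}` or `${_tmp_jail}` as the old branch does. Two more points in the same hunk: `name=\"${_name}\"` is passed even when `jail_<j>_name` is unset (default `_name` to `${_j}`, which the `ifconfig epair0b vnet example` hook in the reply relies on anyway), and `ip4.addr=\"${_addrlv4}\" ip6.addr=\"${_addrlv6}\"` are emitted even when a list is empty, so add each parameter only when its list is non-empty. The `awk -F '=| ' '{print $2}'` jid extraction prints field 2 of every line of the jid file; match the `jid` key explicitly instead of relying on the file having a single line.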