Date: Sun, 8 Jul 2007 02:31:49 GMT From: Xin LI <delphij@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 123081 for review Message-ID: <200707080231.l682VnM5007969@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=123081 Change 123081 by delphij@charlie on 2007/07/08 02:31:13 skeljail - make use of nullfs(5) to simplify jail creation and management. Affected files ... .. //depot/projects/delphij_fork/Makefile#2 edit .. //depot/projects/delphij_fork/Makefile.inc1#2 edit .. //depot/projects/delphij_fork/etc/defaults/rc.conf#2 edit .. //depot/projects/delphij_fork/etc/rc.d/jail#2 edit Differences ... ==== //depot/projects/delphij_fork/Makefile#2 (text+ko) ==== @@ -9,6 +9,8 @@ # upgrades. # installworld - Install everything built by "buildworld". # world - buildworld + installworld, no kernel. +# installskel - Install directory structure and minimal set of files +# which is suitable for a skeleton jail. # buildkernel - Rebuild the kernel and the kernel-modules. # installkernel - Install the kernel and the kernel-modules. # installkernel.debug @@ -82,6 +84,7 @@ depend distribute distributeworld distrib-dirs distribution doxygen \ everything hierarchy install installcheck installkernel \ installkernel.debug reinstallkernel reinstallkernel.debug \ + installskel \ installworld kernel-toolchain libraries lint maninstall \ obj objlink regress rerelease showconfig tags toolchain update \ _worldtmp _legacy _bootstrap-tools _cleanobj _obj \ @@ -93,6 +96,7 @@ BITGTS:=${BITGTS} ${BITGTS:S/^/build/} ${BITGTS:S/^/install/} TGTS+= ${BITGTS} +.ORDER: buildworld installskel .ORDER: buildworld installworld .ORDER: buildworld distributeworld .ORDER: buildworld buildkernel ==== //depot/projects/delphij_fork/Makefile.inc1#2 (text+ko) ==== 
@@ -586,6 +586,17 @@ ${_+_}cd ${.CURDIR}; ${IMAKE} re${.TARGET:S/world$//} rm -rf ${INSTALLTMP} +# installskel +# +# Installs a minimum set of files that can support a mini-jail +# +installskel: + @echo "--------------------------------------------------------------" + @echo ">>> Making installskel" + @echo "--------------------------------------------------------------" + {_+_}cd ${.CURDIR}; ${MAKE} hierarchy + {_+_}cd ${.CURDIR}/etc; ${MAKE} distribution + # # reinstall # ==== //depot/projects/delphij_fork/etc/defaults/rc.conf#2 (text+ko) ==== @@ -23,6 +23,15 @@ rc_debug="NO" # Set to YES to enable debugging output from rc.d rc_info="NO" # Enables display of informational messages at boot. +rc_fancy="NO" # Enables fancy messages for rc scripts. YES|NO|COLOR +rc_fancy_verbose="YES" # Enables fancy boot messages on system rc scripts +rc_fancy_msg_failed="FAILED" # Sets fancy word for 'failed' script. +rc_fancy_msg_error="ERROR" # Sets fancy word for scripts that errored. +rc_fancy_msg_skipped="SKIPPED" # Sets fancy word for scripts skipped. +rc_fancy_msg_ok="OK" # Sets fancy word for scripts that started ok. +rc_fancy_msg_width="8" # Max width for fancy message. +rc_fancy_cols="80" # Default columns on display + rcshutdown_timeout="30" # Seconds to wait before terminating rc.shutdown early_late_divider="FILESYSTEMS" # Script that separates early/late # stages of the boot process. Make sure you know @@ -570,6 +579,7 @@ ### Jail Configuration ####################################### ############################################################## jail_enable="NO" # Set to NO to disable starting of any jails +jail_skel_enable="NO" # Set to NO to disable skeleton jail by default jail_list="" # Space separated list of names of jails jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail 
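Review bot: The two recipe lines of the new installskel target read `{_+_}cd ...` and are missing the `$` that the context line above uses in `${_+_}cd`; without it the shell receives the literal word `{_+_}cd` instead of the make-expanded `+` prefix and the target cannot run. They should read `${_+_}cd ${.CURDIR}; ${MAKE} hierarchy` and `${_+_}cd ${.CURDIR}/etc; ${MAKE} distribution`. Separately, nothing in the recipe checks that DESTDIR is set; if `hierarchy` and `distribution` write under `${DESTDIR}` as their names suggest, an invocation without it would populate the running host's tree rather than a jail skeleton, so a first recipe line such as `@[ -n "${DESTDIR}" ] || { echo ">>> installskel requires DESTDIR"; false; }` seems warranted. The surrounding installworld/reinstall rules begin outside the hunk.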
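Review bot: Only `jail_skel_enable` receives a global default here, while the rc.d/jail hunks in this same review fall back to `${jail_skel_root}`, `${jail_skel_romounts}` and `${jail_skel_rwmounts}`; since this file is the documented place for such knobs, add `jail_skel_root=""`, `jail_skel_romounts=""` and `jail_skel_rwmounts=""` next to `jail_skel_enable`, each with a comment pointing at the per-jail `jail_<name>_skel_*` variable it backs. The eight `rc_fancy_*` settings inserted above `rcshutdown_timeout` have no connection to the skeleton-jail change in the commit message and no consumer appears elsewhere in the diff, so they look like they belong to a different change. The comment `Set to NO to disable skeleton jail by default` copies the wording of `jail_enable`; for a knob whose default is NO, `# Set to YES to build jails from the nullfs skeleton by default` describes it more directly.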
@@ -599,6 +609,11 @@ #jail_example_devfs_ruleset="ruleset_name" # devfs ruleset to apply to jail #jail_example_fstab="" # fstab(5) for mount/umount #jail_example_flags="-l -U root" # flags for jail(8) +#jail_example_skel_enable="NO" # Whether to use skeleton jail +#jail_example_skel_root="/" # Mount jail from this template +#jail_example_skel_romounts="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share usr/ports" # Mount these directories read-only into jail +#jail_example_skel_rwmounts="" # Mount these directories read-write into jail + ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## ==== //depot/projects/delphij_fork/etc/rc.d/jail#2 (text+ko) ==== @@ -78,6 +78,16 @@ eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" + # Default settings for skel jail + eval _skel_enable=\"\${jail_${_j}_skel_enable:-${jail_skel_enable}}\" + [ -z "${_skel_enable}" ] && _skel_enable="NO" + eval _skel_root=\"\${jail_${_j}_skel_root:-${jail_skel_root}}\" + [ -z "${_skel_root}" ] && _skel_root="/" + eval _skel_romounts=\"\${jail_${_j}_skel_romounts:-${jail_skel_romounts}}\" + [ -z "${_skel_romounts}" ] && _skel_romounts="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share" + eval _skel_rwmounts=\"\${jail_${_j}_skel_rwmounts:-${jail_skel_rwmounts}}\" + [ -z "${_skel_rwmounts}" ] && _skel_rwmounts="usr/ports" + # Debugging aid # debug "$_j devfs enable: $_devfs" 
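Review bot: The example `jail_example_skel_romounts` value lists `usr/sbin` twice and includes `usr/ports` while `jail_example_skel_rwmounts` is empty, which is the opposite split from the built-in fallback in the rc.d/jail hunk at @@ -78 (no `usr/ports` in the read-only list, `usr/ports` as the read-write default). The example should mirror the script's defaults so that copying the line into rc.conf does not silently change how the host's ports tree is exposed, and the duplicated `usr/sbin` should be dropped here and in the script, since each entry produces its own mount_nullfs call. The `skel_root` comment would also benefit from naming the mechanism, e.g. `# Host directory tree the skeleton is nullfs-mounted from`.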
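Review bot: The fallback `_skel_rwmounts="usr/ports"` makes a read-write nullfs mount of the host's ports tree part of every skeleton jail by default, which gives the jail's root account write access to files the host later builds and installs from. A safer default is an empty read-write list: drop the `[ -z "${_skel_rwmounts}" ] && _skel_rwmounts="usr/ports"` line so an unset value stays empty and read-write shares remain an explicit per-jail choice. The fallback `_skel_romounts` also repeats `usr/sbin`, which produces two stacked nullfs mounts on the same point. The per-jail variable setup these lines sit in appears to begin before the hunk.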
@@ -111,6 +121,10 @@ debug "$_j exec stop: $_exec_stop" debug "$_j flags: $_flags" debug "$_j consolelog: $_consolelog" + debug "$_j skel enable: $_skel_enable" + debug "$_j skel mount-readonly: $_skel_romounts" + debug "$_j skel mount-readwrite: $_skel_rwmounts" + debug "$_j skel mount skeleton from: $_skel_root" if [ -z "${_hostname}" ]; then err 3 "$name: No hostname has been defined for ${_j}" @@ -236,6 +250,14 @@ secure_umount ${_mountpt} done fi + if checkyesno _skel_enable; then + for _mntpt in ${_skel_romounts} ${_skel_rwmounts} + do + if [ -d "${_rootdir}/${_mntpt}" ] ; then + umount -f ${_rootdir}/${_mntpt} > /dev/null 2>&1 + fi + done + fi } # jail_mount_fstab() @@ -298,6 +320,17 @@ fi jail_mount_fstab fi + if checkyesno _skel_enable; then + info "Mounting skeleton for jail ${_jail} from ${_skel_root}" + for _mntpt in $_skel_romounts + do + mount_nullfs -ordonly ${_skel_root}/${_mntpt} ${_rootdir}/${_mntpt} > /dev/null 2>&1 + done + for _mntpt in $_skel_rwmounts + do + mount_nullfs ${_skel_root}/${_mntpt} ${_rootdir}/${_mntpt} > /dev/null 2>&1 + done + fi if checkyesno _devfs; then # If devfs is already mounted here, skip it. df -t devfs "${_devdir}" >/dev/null
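Review bot: The skeleton unmount loop in the @@ -236 hunk bypasses the `secure_umount` helper that the fstab path on the context line just above it uses: `[ -d "${_rootdir}/${_mntpt}" ]` follows symbolic links, so a mount point under the jail's root that has been replaced by a link passes the test and is then handed to `umount -f`. Reuse the existing helper, `secure_umount "${_rootdir}/${_mntpt}"`, in place of the `-d` test and the silenced `umount -f`, so skeleton mounts get the same protection as fstab entries. The same consideration applies to both `mount_nullfs` loops in the @@ -298 hunk, where the target should be rejected if `[ -L "${_rootdir}/${_mntpt}" ]` before mounting. The enclosing stop function begins outside the hunk.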
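Review bot: Both `mount_nullfs` calls in the @@ -298 hunk discard their output and exit status, so a failed mount (for example a missing directory under `${_rootdir}`) lets the jail start without its `bin`, `lib` or `usr` trees and leaves nothing in the log. Check each call, at minimum `mount_nullfs -ordonly "${_skel_root}/${_mntpt}" "${_rootdir}/${_mntpt}" || warn "$name: cannot mount ${_mntpt} for ${_jail}"` and the same for the read-write loop, and consider aborting that jail's start the way the `err 3` path in the @@ -111 hunk does for a missing hostname. Quoting the two paths also avoids word splitting if a root directory contains whitespace. The jail start loop these lines belong to begins outside the hunk.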