Date: Sat, 14 Aug 2021 15:59:54 -0400
From: Dan Langille <dan@langille.org>
To: freebsd-hackers@freebsd.org
Subject: starting jails within jails using rc
Message-ID: <60ecf265-b308-738d-ec2f-64e76b625a38@langille.org>
Hello,

Background information:

Each FreshPorts instance runs two jails: ingress & web. The ingress jail pulls data from both git & the repos in order to populate the database.

Until recently, the ingress jail used a chroot to isolate itself from the packages installed within the jail. That can taint the information pulled out of the repo.

Recently work has moved from using a chroot to using a child jail. The chroot (jail) is used to run various commands (e.g. make -V) on a ports tree contained within the chroot (jail). This extracts the information which is then loaded into the database.

Bonus: changing all the commands from chroot to jexec was pretty easy. The conversion required only trivial changes.

In short, each FreshPorts ingress jail will have a child jail containing a copy of the ports repo.

The problem:

The parent jail cannot automatically start the child jail. The child jail can be started manually. Running this command in the parent jail succeeds:

  service jail start freshports

Why? I think it's because /etc/rc.d/jail contains:

  # KEYWORD: nojail shutdown

This tells the rc system not to run the jail script if the host is a jail.

How can I trick it? My two ideas so far:

* remove the keyword from the script (I've tested this; it works)
* duplicate the script, removing the keyword from the script
* mangle security.jail.jailed in the parent jail so it thinks it's not in a jail and runs it anyway

The downsides to these:

* the first two require I keep up to date with the jail script.
* the last one will have unintended consequences I'm sure, many of which I most likely would not like.

Do you have other ideas please?

Thank you

-- 
Dan Langille
dan@langille.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?60ecf265-b308-738d-ec2f-64e76b625a38>
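The keyword filtering the message refers to lives in /etc/rc, which passes "-s nojail" to rcorder(8) whenever the sysctl security.jail.jailed reports 1, and rcorder then drops every rc.d script whose "# KEYWORD:" line contains that keyword. The script below is an added example, not code from the message or from FreeBSD; it models that filter in plain sh over two constructed stand-in rc.d files (a "jail" script carrying "nojail shutdown" and a hypothetical "local_child" script without it) so the effect of the sysctl value can be seen without a FreeBSD host.

```shell
#!/bin/sh
# Added example: a minimal model of how /etc/rc chooses which rc.d scripts
# to run. It is not FreeBSD's code. The two scripts it creates are
# constructed stand-ins; only their "# KEYWORD:" lines matter here.
set -eu

# Create a scratch directory holding the two constructed rc.d-style scripts.
# Prints the directory path.
make_rcdir() {
    dir=$(mktemp -d)
    cat > "$dir/jail" <<'EOF'
#!/bin/sh
# PROVIDE: jail
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: nojail shutdown
EOF
    cat > "$dir/local_child" <<'EOF'
#!/bin/sh
# PROVIDE: local_child
# REQUIRE: LOGIN
# KEYWORD: shutdown
EOF
    printf '%s\n' "$dir"
}

# Print the words on a script's "# KEYWORD:" line (nothing if it has none).
script_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1"
}

# Emulate the filter: print the names of the scripts in directory $2 that
# would run when security.jail.jailed has the value $1 (0 on the host,
# 1 inside a jail). "nostart" is always skipped; "nojail" only in a jail.
scripts_to_run() {
    jailed=$1
    dir=$2
    skip="nostart"
    if [ "$jailed" -eq 1 ]; then
        skip="$skip nojail"
    fi
    for f in "$dir"/*; do
        keep=1
        for kw in $(script_keywords "$f"); do
            for s in $skip; do
                [ "$kw" = "$s" ] && keep=0
            done
        done
        [ "$keep" -eq 1 ] && basename "$f"
    done
    return 0
}

# Usage: pass the sysctl value to model, e.g. "sh rcfilter.sh 1" (jail view)
# or "sh rcfilter.sh 0" (host view).
if [ $# -gt 0 ]; then
    rcdir=$(make_rcdir)
    scripts_to_run "$1" "$rcdir"
    rm -rf "$rcdir"
fi
```

With the value 0 both scripts are listed; with 1 only local_child survives, which is the behaviour the message observes for /etc/rc.d/jail. On a real FreeBSD jail the same check is "sysctl -n security.jail.jailed" followed by "rcorder -s nojail /etc/rc.d/*", whose output omits /etc/rc.d/jail.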