From owner-freebsd-current@FreeBSD.ORG  Tue Jul 29 16:16:21 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5A6FD37B401; Tue, 29 Jul 2003 16:16:21 -0700 (PDT)
Received: from mail.westbend.net (ns1.westbend.net [216.47.253.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 3F09743F3F; Tue, 29 Jul 2003 16:16:20 -0700 (PDT)
	(envelope-from hetzels@westbend.net)
Received: from WBIw009.westbend.net (wbiw009 [216.47.253.29])
	by mail.westbend.net (8.12.9/8.12.9) with ESMTP id h6TNGFHZ057354;
	Tue, 29 Jul 2003 18:16:15 -0500 (CDT)
	(envelope-from hetzels@westbend.net)
Received: from WBIw009.westbend.net (localhost [127.0.0.1])
	by WBIw009.westbend.net (8.12.9/8.12.9) with ESMTP id h6TNGDhb045797;
	Tue, 29 Jul 2003 18:16:15 -0500 (CDT)
	(envelope-from hetzels@westbend.net)
Received: (from root@localhost)
	by WBIw009.westbend.net (8.12.9/8.12.9/Submit) id h6TNGBJx045796;
	Tue, 29 Jul 2003 18:16:12 -0500 (CDT)
Message-Id: <200307292316.h6TNGBJx045796@WBIw009.westbend.net>
From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Mike Makonnen" <mtm@identd.net>,
	"Jens Rehsack" <rehsack@liwing.de>
References: 
	<Pine.NEB.3.96L.1030729124628.75304H-100000@fledge.watson.org><3F26AA16.5030007@liwing.de>
	<20030729172122.GA5005@kokeb.ambesa.net>
Date: Tue, 29 Jul 2003 16:51:54 -0500
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
cc: Clement Laforet <sheepkiller@cultdeadsheep.org>
cc: Robert Watson <rwatson@freebsd.org>
cc: FreeBSD-Current List <current@freebsd.org>
Subject: Re: [PATCH] jail NG schript patch for mounting devfs and
	procfsautomatically
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2003 23:16:21 -0000

Below is my current patch to devfs and jail to support the mounting of devfs
and procfs in jails.  This patch also allows a jail to specify what devfs
rule to apply to the jail.  As well as defining a default jail devfs rule
in /etc/rc.d/devfs.

Scot

Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf	28 Jul 2003 13:09:00 -0000	1.182
+++ etc/defaults/rc.conf	29 Jul 2003 22:06:08 -0000
@@ -426,12 +426,35 @@
 harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
-jail_enable="NO"	# Set to NO to disable starting of any jails
-jail_list=""		# Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
 watchdogd_enable="NO"	# Start the software watchdog daemon
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+devfs_jail_ruleset_enable="NO"		# Enable Standard Jail devfs ruleset in rc.d/devfs
+devfs_jail_ruleset_num="666"		# Standard Jail ruleset number
+					# (change if it conflicts with your rulesets)
+
+jail_enable="NO"			# Set to NO to disable starting of any jails
+jail_list=""				# Space separated list of names of jails
+jail_set_hostname_allow="YES"		# Allow root user in a jail to change its hostname
+jail_socket_unixiproute_only="YES"	# Route only TCP/IP within a jail
+jail_sysvipc_allow="NO"			# Allow SystemV IPC use from within a jail
+jail_default_ruleset="666"		# Default jail devfs ruleset to apply
+jail_stop_jailer="NO"			# Only stop jailer. Requires jail_*_exec be set
+					# to use sysutils/jailer port to start the jail.
+
+# create an entry for each jail named in jail_list,  with these variables
+#
+#jail_example_rootdir="/usr/jail/default"	# Jails root directory         
+#jail_example_hostname="default.domain.com"	# Jails hostname
+#jail_example_ip="192.168.0.10"			# Jails IP number
+#jail_example_exec="/bin/sh /etc/rc"		# command to execute in jail
+#jail_example_devfs="NO"			# mount devfs in jail
+#jail_example_devfs_ruleset="666"		# devfs ruleset to apply to jail 
+#jail_example_procfs="NO"			# mount procfs in jail
+#
+# NOTE: replace 'example' with the jail's name from jail_list
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: etc/rc.d/devfs
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/devfs,v
retrieving revision 1.5
diff -u -r1.5 devfs
--- etc/rc.d/devfs	6 May 2003 01:10:33 -0000	1.5
+++ etc/rc.d/devfs	6 May 2003 16:24:39 -0000
@@ -39,3 +39,21 @@
 
 load_rc_config $name
 run_rc_command "$1"
+
+# Standard Jail ruleset
+if checkyesno devfs_jail_ruleset_enable ; then
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} delset
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide
+fi
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail	5 May 2003 15:38:41 -0000	1.4
+++ etc/rc.d/jail	21 Jun 2003 20:22:44 -0000
@@ -6,7 +6,7 @@
 # PROVIDE: jail
 # REQUIRE: LOGIN
 # BEFORE: securelevel
-# KEYWORD: FreeBSD
+# KEYWORD: FreeBSD shutdown
 
 . /etc/rc.subr
 
@@ -15,6 +15,15 @@
 start_cmd="jail_start"
 stop_cmd="jail_stop"
 
+create_dev_links()
+{
+        local devdir=$1
+        local source=$2
+        local target=$3
+
+	(cd ${devdir} && ln -sf ${source} ${target})
+}
+
 jail_start()
 {
 	echo -n 'Configuring jails:'
@@ -50,18 +59,91 @@
 	for _jail in ${jail_list} 
 	do
 		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+
 		eval jail_hostname=\"\$jail_${_jail}_hostname\"
 		eval jail_ip=\"\$jail_${_jail}_ip\"
 		eval jail_exec=\"\$jail_${_jail}_exec\"
 		[ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-		
+
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+
+		eval jail_ruleset=\"\$jail_${_jail}_devfs_ruleset\"
+		[ -z ${jail_ruleset} ] && jail_ruleset="${jail_default_ruleset}"
+
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				mount -t devfs dev ${jail_devdir}
+
+				if [ -n "${jail_ruleset}" ]; then
+					# Apply devfs ruleset
+					devfs -m ${jail_devdir} ruleset ${jail_ruleset}
+
+					# for libkvm (ab)users
+					create_dev_links ${jail_devdir} null mem
+					create_dev_links ${jail_devdir} null kmem
+
+					# create_dev_links ${jail_devdir} null console
+				fi
+
+				# Transitional symlink for old binaries
+				if [ ! -L ${jail_devdir}/log ]; then
+					create_dev_links ${jail_devdir} ../var/run/log log
+				fi
+
+				# Jail console output
+				create_dev_links ${jail_devdir} ../var/log/console console
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				mount -t procfs proc ${jail_procdir}
+			fi
+		fi
+
 		jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
 	done
 }
 
 jail_stop()
 {
-	kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	if checkyesno jail_stop_jailer; then
+		rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print  $2};')
+	else
+		rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	fi
+	if [ -n "${rc_pid}" ]; then
+		kill -TERM $rc_pid
+		wait_for_pids $rc_pid
+	fi
+	for _jail in ${jail_list}
+	do
+		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				umount -f ${jail_devdir} >/dev/null 2>&1
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				umount -f ${jail_procdir} >/dev/null 2>&1
+			fi
+		fi
+	done
 }
 
 
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.197
diff -u -r1.197 rc.conf.5
--- share/man/man5/rc.conf.5	28 Jul 2003 13:56:00 -0000	1.197
+++ share/man/man5/rc.conf.5	29 Jul 2003 22:12:05 -0000
@@ -2431,12 +2431,25 @@
 jail_vjail_ip="192.168.1.100"
 jail_vjail_rootdir="/var/jails/vjail/root"
 jail_vjail_exec="/bin/sh /etc/rc"
+jail_vjail_devfs="YES"
+jail_vjail_devfs_ruleset="666"
+jail_vjail_procfs="NO"
 .Ed
 .Pp
-The last one is optional.
-It defaults to
+The last four are optional. jail_<jailname>_exec defaults to
 .Pa /etc/rc
 if it is not set.
+jail_<jailname>_devfs and jail_<jailname>_procfs default to
+not mounting the devfs/procfs on the jail.
+jail_<jailname>_devfs_ruleset defaults to using devfs ruleset 666.
+.It Va jail_default_ruleset
+.Pq Vt int
+The default ruleset to apply to a jail that has devfs enabled, but
+no jail_<jailname>_devfs_ruleset defined. By default it is set to
+666.  A Standard Jail rule set is provided in rc.d/devfs to enable
+it set devfs_jail_ruleset_enable to YES.  If this ruleset conflicts
+with your rulesets change devfs_jail_ruleset_num from 666 to another
+value.
 .It Va jail_set_hostname_allow
 .Pq Vt bool
 If set to