Date: Fri, 11 Oct 2013 15:04:12 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Hiroki Sato <hrs@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r256256 - in head: . etc etc/defaults etc/rc.d share/man/man5 usr.sbin/jail
Message-ID: <04E9979E-1D97-4AA2-A7AE-F9D8457B3599@FreeBSD.org>
In-Reply-To: <201310100932.r9A9WS0H013645@svn.freebsd.org>
References: <201310100932.r9A9WS0H013645@svn.freebsd.org>

Hi Hiroki,

On Oct 10, 2013, at 11:32 AM, Hiroki Sato <hrs@FreeBSD.org> wrote:

> Author: hrs
> Date: Thu Oct 10 09:32:27 2013
> New Revision: 256256
> URL: http://svnweb.freebsd.org/changeset/base/256256
>
> Log:
>   - Update rc.d/jail to use a jail(8) configuration file instead of
>     command line options. The "jail_<jname>_*" rc.conf(5) variables for
>     per-jail configuration are automatically converted to
>     /var/run/jail.<jname>.conf before the jail(8) utility is invoked.
>     This is transparently backward compatible.
>
>   - Fix a minor bug in jail(8) which prevented it from returning false
>     when jail -r failed.
>

Thanks for doing such a massive update. However it seems to break the ezjail utility.
My jails didn't restart after I upgraded to the most recent -head version

FreeBSD nakur.elvandar.org 10.0-ALPHA6 FreeBSD 10.0-ALPHA6 #7 r256311: Fri Oct 11 13:27:54 CEST 2013 root@nakur.elvandar.org:/usr/obj/usr/src/sys/NAKUR amd64

If I replace this with an older version, the utility starts and complains about certain things not being done properly. The system does not mount devfs nodes any longer and thus is basically out of function.

I was not expecting this much fallout from this change, others that will be upgrading will lose the ability to start their jails until they can resolve this by hand.

Thanks Remko > Approved by: re (glebius) >=20 > Modified: > head/UPDATING > head/etc/defaults/rc.conf > head/etc/rc.d/jail > head/etc/rc.subr > head/share/man/man5/rc.conf.5 > head/usr.sbin/jail/jail.c >=20 > Modified: head/UPDATING > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/UPDATING Thu Oct 10 07:41:11 2013 (r256255) > +++ head/UPDATING Thu Oct 10 09:32:27 2013 (r256256) 
> @@ -31,6 +31,25 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10 > disable the most expensive debugging functionality run > "ln -s 'abort:false,junk:false' /etc/malloc.conf".) >=20 > +20131010: > + The rc.d/jail script has been updated to support jail(8) > + configuration file. The "jail_<jname>_*" rc.conf(5) variables > + for per-jail configuration are automatically converted to > + /var/run/jail.<jname>.conf before the jail(8) utility is = invoked. > + This is transparently backward compatible. See below about some > + incompatibilities and rc.conf(5) manual page for more details. > + > + These variables are now deprecated in favor of jail(8) = configuration > + file. One can use "rc.d/jail config <jname>" command to = generate > + a jail(8) configuration file in /var/run/jail.<jname>.conf = without > + running the jail(8) utility. The default pathname of the > + configuration file is /etc/jail.conf and can be specified by > + using $jail_conf or $jail_<jname>_conf variables. > + > + Please note that jail_devfs_ruleset accepts an integer at > + this moment. Please consider to rewrite the ruleset name > + with an integer. > + > 20130930: > BIND has been removed from the base system. If all you need > is a local resolver, simply enable and start the local_unbound >=20 > Modified: head/etc/defaults/rc.conf > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/etc/defaults/rc.conf Thu Oct 10 07:41:11 2013 = (r256255) > +++ head/etc/defaults/rc.conf Thu Oct 10 09:32:27 2013 = (r256256) 
> @@ -674,44 +674,11 @@ mixer_enable=3D"YES" # Run the sound mixer > opensm_enable=3D"NO" # Opensm(8) for infiniband devices defaults to = off >=20 > ############################################################## > -### Jail Configuration ####################################### > +### Jail Configuration (see rc.conf(5) manual page) ########## > ############################################################## > jail_enable=3D"NO" # Set to NO to disable starting of any jails > jail_parallel_start=3D"NO" # Start jails in the background > jail_list=3D"" # Space separated list of names of jails > -jail_set_hostname_allow=3D"YES" # Allow root user in a jail to change = its hostname > -jail_socket_unixiproute_only=3D"YES" # Route only TCP/IP within a = jail > -jail_sysvipc_allow=3D"NO" # Allow SystemV IPC use from within a = jail > - > -# > -# To use rc's built-in jail infrastructure create entries for > -# each jail, specified in jail_list, with the following variables. > -# NOTES: > -# - replace 'example' with the jail's name. > -# - except rootdir, hostname, ip and the _multi<n> addresses, > -# all of the following variables may be made global jail variables > -# if you don't specify a jail name (ie. jail_interface, = jail_devfs_ruleset). > -# > -#jail_example_rootdir=3D"/usr/jail/default" # Jail's root directory > -#jail_example_hostname=3D"default.domain.com" # Jail's = hostname > -#jail_example_interface=3D"" # Jail's interface = variable to create IP aliases on > -#jail_example_fib=3D"0" # Routing table = for setfib(1) > -#jail_example_ip=3D"192.0.2.10,2001:db8::17" # Jail's primary IPv4 = and IPv6 address > -#jail_example_ip_multi0=3D"2001:db8::10" # and another = IPv6 address > -#jail_example_exec_start=3D"/bin/sh /etc/rc" # command to = execute in jail for starting > -#jail_example_exec_afterstart0=3D"/bin/sh command" # command to = execute after the one for > - # starting the = jail. 
More than one can be > - # specified = using a trailing number > -#jail_example_exec_stop=3D"/bin/sh /etc/rc.shutdown" # command to = execute in jail for stopping > -#jail_example_devfs_enable=3D"NO" # mount devfs in = the jail > -#jail_example_devfs_ruleset=3D"ruleset_name" # devfs ruleset to apply = to jail - > - # usually you want = "devfsrules_jail". > -#jail_example_fdescfs_enable=3D"NO" # mount fdescfs in the = jail > -#jail_example_procfs_enable=3D"NO" # mount procfs in jail > -#jail_example_mount_enable=3D"NO" # mount/umount = jail's fs > -#jail_example_fstab=3D"" # fstab(5) for = mount/umount > -#jail_example_flags=3D"-l -U root" # flags for jail(8) > -#jail_example_parameters=3D"allow.raw_sockets=3D1" # extra = parameters for this jail >=20 > ############################################################## > ### Define source_rc_confs, the mechanism used by /etc/rc.* ## >=20 > Modified: head/etc/rc.d/jail > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/etc/rc.d/jail Thu Oct 10 07:41:11 2013 = (r256255) > +++ head/etc/rc.d/jail Thu Oct 10 09:32:27 2013 = (r256256) 
> @@ -8,81 +8,138 @@ > # BEFORE: securelevel > # KEYWORD: nojail shutdown >=20 > -# WARNING: This script deals with untrusted data (the data and > -# processes inside the jails) and care must be taken when changing = the > -# code related to this! If you have any doubt whether a change is > -# correct and have security impact, please get the patch reviewed by > -# the FreeBSD Security Team prior to commit. > - > . /etc/rc.subr >=20 > name=3D"jail" > rcvar=3D"jail_enable" >=20 > -start_precmd=3D"jail_prestart" > start_cmd=3D"jail_start" > +start_postcmd=3D"jail_warn" > stop_cmd=3D"jail_stop" > +config_cmd=3D"jail_config" > +console_cmd=3D"jail_console" > +status_cmd=3D"jail_status" > +extra_commands=3D"config console status" > +: ${jail_conf:=3D/etc/jail.conf} > +: ${jail_program:=3D/usr/sbin/jail} > +: ${jail_consolecmd:=3D/bin/sh} > +: ${jail_jexec:=3D/usr/sbin/jexec} > +: ${jail_jls:=3D/usr/sbin/jls} > + > +need_dad_wait=3D > + > +# extact_var jail name param num defval > +# Extract value from ${jail_$jail_$name} or ${jail_$name} and > +# set it to $param. If not defined, $defval is used. > +# When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and > +# $param is set by using +=3D. > +# When $num is YN or NY, the value is interpret as boolean. 
> +extract_var() > +{ > + local i _j _name _param _num _def _name1 _name2 > + _j=3D$1 > + _name=3D$2 > + _param=3D$3 > + _num=3D$4 > + _def=3D$5 > + > + case $_num in > + YN) > + _name1=3Djail_${_j}_${_name} > + _name2=3Djail_${_name} > + eval $_name1=3D\"\${$_name1:-\${$_name2:-$_def}}\" > + if checkyesno $_name1; then > + echo " $_param =3D 1;" > + else > + echo " $_param =3D 0;" > + fi > + ;; > + NY) > + _name1=3Djail_${_j}_${_name} > + _name2=3Djail_${_name} > + eval $_name1=3D\"\${$_name1:-\${$_name2:-$_def}}\" > + if checkyesno $_name1; then > + echo " $_param =3D 0;" > + else > + echo " $_param =3D 1;" > + fi > + ;; > + [0-9]*) > + i=3D$_num > + while : ; do > + _name1=3Djail_${_j}_${_name}${i} > + _name2=3Djail_${_name}${i} > + eval = _tmpargs=3D\"\${$_name1:-\${$_name2:-$_def}}\" > + if [ -n "$_tmpargs" ]; then=20 > + echo " $_param +=3D \"$_tmpargs\";" > + else > + break; > + fi > + i=3D$(($i + 1)) > + done > + ;; > + *) > + _name1=3Djail_${_j}_${_name} > + _name2=3Djail_${_name} > + eval _tmpargs=3D\"\${$_name1:-\${$_name2:-$_def}}\" > + if [ -n "$_tmpargs" ]; then > + echo " $_param =3D \"$_tmpargs\";" > + fi > + ;; > + esac > +} >=20 > -# init_variables _j > -# Initialize the various jail variables for jail _j. > +# parse_options _j > +# Parse options and create a temporary configuration file if = necessary. 
> # > -init_variables() > +parse_options() > { > - _j=3D"$1" > + local _j > + _j=3D$1 >=20 > + _confwarn=3D0 > if [ -z "$_j" ]; then > - warn "init_variables: you must specify a jail" > + warn "parse_options: you must specify a jail" > return > fi > - > + eval _jconf=3D\"\${jail_${_j}_conf:-/etc/jail.${_j}.conf}\" > eval _rootdir=3D\"\$jail_${_j}_rootdir\" > - _devdir=3D"${_rootdir}/dev" > - _fdescdir=3D"${_devdir}/fd" > - _procdir=3D"${_rootdir}/proc" > eval _hostname=3D\"\$jail_${_j}_hostname\" > + if [ -z "$_rootdir" -o \ > + -z "$_hostname" ]; then > + if [ -r "$_jconf" ]; then > + _conf=3D"$_jconf" > + return 0 > + elif [ -r "$jail_conf" ]; then > + _conf=3D"$jail_conf" > + return 0 > + else > + warn "Invalid configuration for $_j " \ > + "(no jail.conf, no hostname, or no path). " = \ > + "Jail $_j was ignored." > + fi > + return 1 > + fi > eval _ip=3D\"\$jail_${_j}_ip\" > - eval _interface=3D\"\${jail_${_j}_interface:-${jail_interface}}\" > - eval _exec=3D\"\$jail_${_j}_exec\" > - > - i=3D0 > - while : ; do > - eval = _exec_prestart${i}=3D\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prest= art${i}}}\" > - [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break > - i=3D$((i + 1)) > - done > - > - eval = _exec_start=3D\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" > - > - i=3D1 > - while : ; do > - eval = _exec_afterstart${i}=3D\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_a= fterstart${i}}}\" > - [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && = break > - i=3D$((i + 1)) > - done > - > - i=3D0 > - while : ; do > - eval = _exec_poststart${i}=3D\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_pos= tstart${i}}}\" > - [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break > - i=3D$((i + 1)) > - done > - > - i=3D0 > - while : ; do > - eval = _exec_prestop${i}=3D\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop= ${i}}}\" > - [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break > - i=3D$((i + 1)) > - done > - > - eval 
_exec_stop=3D\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" > - > - i=3D0 > - while : ; do > - eval = _exec_poststop${i}=3D\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_posts= top${i}}}\" > - [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break > - i=3D$((i + 1)) > - done > + if [ -z "$_ip" ] && ! check_kern_features vimage; then > + warn "no ipaddress specified and no vimage support. " \ > + "Jail $_j was ignored." > + return 1 > + fi > + _conf=3D/var/run/jail.${_j}.conf > + # > + # To relieve confusion, show a warning message. > + # > + _confwarn=3D1 > + if [ -r "$jail_conf" -o -r "$_jconf" ]; then > + warn "$_conf is created and used for jail $_j." > + fi > + /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || = return 1 >=20 > + eval : \${jail_${_j}_flags:=3D${jail_flags}} > + eval _exec=3D\"\$jail_${_j}_exec\" > + eval _exec_start=3D\"\$jail_${_j}_exec_start\" > + eval _exec_stop=3D\"\$jail_${_j}_exec_stop\" > if [ -n "${_exec}" ]; then > # simple/backward-compatible execution > _exec_start=3D"${_exec}" 
> @@ -96,285 +153,104 @@ init_variables() > fi > fi > fi > - > - # The default jail ruleset will be used by rc.subr if none is = specified. > - eval = _ruleset=3D\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" > - eval = _devfs=3D\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" > - [ -z "${_devfs}" ] && _devfs=3D"NO" > - eval = _fdescfs=3D\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" > - [ -z "${_fdescfs}" ] && _fdescfs=3D"NO" > - eval = _procfs=3D\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" > - [ -z "${_procfs}" ] && _procfs=3D"NO" > - > - eval = _mount=3D\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" > - [ -z "${_mount}" ] && _mount=3D"NO" > - # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is = specified. > - eval _fstab=3D\"\${jail_${_j}_fstab:-${jail_fstab}}\" > - [ -z "${_fstab}" ] && _fstab=3D"/etc/fstab.${_j}" > - eval _flags=3D\"\${jail_${_j}_flags:-${jail_flags}}\" > - [ -z "${_flags}" ] && _flags=3D"-l -U root" > - eval = _consolelog=3D\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" > - [ -z "${_consolelog}" ] && = _consolelog=3D"/var/log/jail_${_j}_console.log" > + eval _interface=3D\"\${jail_${_j}_interface:-${jail_interface}}\" > eval = _parameters=3D\"\${jail_${_j}_parameters:-${jail_parameters}}\" > - [ -z "${_parameters}" ] && _parameters=3D"" > - eval _fib=3D\"\${jail_${_j}_fib:-${jail_fib}}\" > - > - # Debugging aid > - # > - debug "$_j devfs enable: $_devfs" > - debug "$_j fdescfs enable: $_fdescfs" > - debug "$_j procfs enable: $_procfs" > - debug "$_j mount enable: $_mount" > - debug "$_j hostname: $_hostname" > - debug "$_j ip: $_ip" > - jail_show_addresses ${_j} > - debug "$_j interface: $_interface" > - debug "$_j fib: $_fib" > - debug "$_j root: $_rootdir" > - debug "$_j devdir: $_devdir" > - debug "$_j fdescdir: $_fdescdir" > - debug "$_j procdir: $_procdir" > - debug "$_j ruleset: $_ruleset" > - debug "$_j fstab: $_fstab" > - > - i=3D0 > - while : ; do > - eval 
out=3D\"\${_exec_prestart${i}:-''}\" > - if [ -z "$out" ]; then > - break > - fi > - debug "$_j exec pre-start #${i}: ${out}" > - i=3D$((i + 1)) > - done > - > - debug "$_j exec start: $_exec_start" > - > - i=3D1 > - while : ; do > - eval out=3D\"\${_exec_afterstart${i}:-''}\" > - > - if [ -z "$out" ]; then > - break; > - fi > - > - debug "$_j exec after start #${i}: ${out}" > - i=3D$((i + 1)) > - done > - > - i=3D0 > - while : ; do > - eval out=3D\"\${_exec_poststart${i}:-''}\" > - if [ -z "$out" ]; then > - break > - fi > - debug "$_j exec post-start #${i}: ${out}" > - i=3D$((i + 1)) > - done > - > - i=3D0 > - while : ; do > - eval out=3D\"\${_exec_prestop${i}:-''}\" > - if [ -z "$out" ]; then > - break > - fi > - debug "$_j exec pre-stop #${i}: ${out}" > - i=3D$((i + 1)) > - done > - > - debug "$_j exec stop: $_exec_stop" > + eval = _fstab=3D\"\${jail_${_j}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" > + ( > + date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" > + echo "$_j {" > + extract_var $_j hostname host.hostname - "" > + extract_var $_j rootdir path - "" > + if [ -n "$_ip" ]; then > + extract_var $_j interface interface - "" > + jail_handle_ips_option $_ip $_interface > + alias=3D0 > + while : ; do > + eval = _x=3D\"\$jail_${_jail}_ip_multi${alias}\" > + [ -z "$_x" ] && break >=20 > - i=3D0 > - while : ; do > - eval out=3D\"\${_exec_poststop${i}:-''}\" > - if [ -z "$out" ]; then > - break > + jail_handle_ips_option $_x $_interface > + alias=3D$(($alias + 1)) > + done > + case $need_dad_wait in > + 1) > + # Sleep to let DAD complete before > + # starting services. 
> + echo " exec.start +=3D \"sleep " \ > + $(($(${SYSCTL_N} = net.inet6.ip6.dad_count) + 1)) \ > + "\";" > + ;; > + esac > + # These are applicable only to non-vimage jails.=20= > + extract_var $_j fib exec.fib - "" > + extract_var $_j socket_unixiproute_only \ > + allow.raw_sockets NY YES > + else > + echo " vnet;" > + extract_var $_j vnet_interface vnet.interface - = "" > fi > - debug "$_j exec post-stop #${i}: ${out}" > - i=3D$((i + 1)) > - done > - > - debug "$_j flags: $_flags" > - debug "$_j consolelog: $_consolelog" > - debug "$_j parameters: $_parameters" >=20 > - if [ -z "${_hostname}" ]; then > - err 3 "$name: No hostname has been defined for ${_j}" > - fi > - if [ -z "${_rootdir}" ]; then > - err 3 "$name: No root directory has been defined for = ${_j}" > - fi > -} > - > -# set_sysctl rc_knob mib msg > -# If the mib sysctl is set according to what rc_knob > -# specifies, this function does nothing. However if > -# rc_knob is set differently than mib, then the mib > -# is set accordingly and msg is displayed followed by > -# an '=3D" sign and the word 'YES' or 'NO'. 
> -# > -set_sysctl() > -{ > - _knob=3D"$1" > - _mib=3D"$2" > - _msg=3D"$3" > - > - _current=3D`${SYSCTL} -n $_mib 2>/dev/null` > - if checkyesno $_knob ; then > - if [ "$_current" -ne 1 ]; then > - echo -n " ${_msg}=3DYES" > - ${SYSCTL} 1>/dev/null ${_mib}=3D1 > - fi > - else > - if [ "$_current" -ne 0 ]; then > - echo -n " ${_msg}=3DNO" > - ${SYSCTL} 1>/dev/null ${_mib}=3D0 > + echo " exec.clean;" > + echo " exec.system_user =3D \"root\";" > + echo " exec.jail_user =3D \"root\";" > + extract_var $_j exec_prestart exec.prestart 0 "" > + extract_var $_j exec_poststart exec.poststart 0 "" > + extract_var $_j exec_prestop exec.prestop 0 "" > + extract_var $_j exec_poststop exec.poststop 0 "" > + > + echo " exec.start +=3D \"$_exec_start\";" > + extract_var $_j exec_afterstart exec.start 1 "" > + echo " exec.stop =3D \"$_exec_stop\";" > + > + extract_var $_j consolelog exec.consolelog - \ > + /var/log/jail_${_j}_console.log > + > + eval : = \${jail_${_j}_devfs_enable:=3D${jail_devfs_enable:-NO}} > + if checkyesno jail_${_j}_devfs_enable; then > + echo " mount.devfs;" > + case $_ruleset in > + "") ;; > + [0-9]*) echo " devfs_ruleset =3D = \"$_ruleset\";" ;; > + devfsrules_jail) > + # XXX: This is the default value, > + # Let jail(8) to use the default because > + # mount(8) only accepts an integer.=20 > + # This should accept a ruleset name. > + ;; > + *) warn "devfs_ruleset must be integer." ;; > + esac > + if [ -r $_fstab ]; then > + echo " mount.fstab =3D \"$_fstab\";" > + fi > fi > - fi > -} > - > -# is_current_mountpoint() > -# Is the directory mount point for a currently mounted file > -# system? > -# > -is_current_mountpoint() > -{ > - local _dir _dir2 > - > - _dir=3D$1 > - > - _dir=3D`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'` > - [ ! -d "${_dir}" ] && return 1 > - _dir2=3D`df ${_dir} | tail +2 | awk '{ print $6 }'` > - [ "${_dir}" =3D "${_dir2}" ] > - return $? 
> -} > - > -# is_symlinked_mountpoint() > -# Is a mount point, or any of its parent directories, a symlink? > -# > -is_symlinked_mountpoint() > -{ > - local _dir > - > - _dir=3D$1 > - > - [ -L "$_dir" ] && return 0 > - [ "$_dir" =3D "/" ] && return 1 > - is_symlinked_mountpoint `dirname $_dir` > - return $? > -} > - > -# secure_umount > -# Try to unmount a mount point without being vulnerable to > -# symlink attacks. > -# > -secure_umount() > -{ > - local _dir > - > - _dir=3D$1 > - > - if is_current_mountpoint ${_dir}; then > - umount -f ${_dir} >/dev/null 2>&1 > - else > - debug "Nothing mounted on ${_dir} - not unmounting" > - fi > -} > - > - > -# jail_umount_fs > -# This function unmounts certain special filesystems in the > -# currently selected jail. The caller must call the = init_variables() > -# routine before calling this one. > -# > -jail_umount_fs() > -{ > - local _device _mountpt _rest >=20 > - if checkyesno _fdescfs; then > - if [ -d "${_fdescdir}" ] ; then > - secure_umount ${_fdescdir} > - fi > - fi > - if checkyesno _devfs; then > - if [ -d "${_devdir}" ] ; then > - secure_umount ${_devdir} > + eval : = \${jail_${_j}_fdescfs_enable:=3D${jail_fdescfs_enable:-NO}} > + if checkyesno jail_${_j}_fdescfs_enable; then > + echo " mount +=3D " \ > + "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 = 0\";" > fi > - fi > - if checkyesno _procfs; then > - if [ -d "${_procdir}" ] ; then > - secure_umount ${_procdir} > + eval : = \${jail_${_j}_procfs_enable:=3D${jail_procfs_enable:-NO}} > + if checkyesno jail_${_j}_procfs_enable; then > + echo " mount +=3D " \ > + "\"procfs ${_rootdir%/}/proc procfs rw 0 = 0\";" > fi > - fi > - if checkyesno _mount; then > - [ -f "${_fstab}" ] || warn "${_fstab} does not exist" > - tail -r ${_fstab} | while read _device _mountpt _rest; = do > - case ":${_device}" in > - :#* | :) > - continue > - ;; > - esac > - secure_umount ${_mountpt} > - done > - fi > -} >=20 > -# jail_mount_fstab() > -# Mount file systems from a per jail fstab 
while trying to > -# secure against symlink attacks at the mount points. > -# > -# If we are certain we cannot secure against symlink attacks we > -# do not mount all of the file systems (since we cannot just not > -# mount the file system with the problematic mount point). > -# > -# The caller must call the init_variables() routine before > -# calling this one. > -# > -jail_mount_fstab() > -{ > - local _device _mountpt _rest > + echo " ${_parameters};" >=20 > - while read _device _mountpt _rest; do > - case ":${_device}" in > - :#* | :) > - continue > - ;; > - esac > - if is_symlinked_mountpoint ${_mountpt}; then > - warn "${_mountpt} has symlink as parent - not = mounting from ${_fstab}" > - return > + eval : = \${jail_${_j}_mount_enable:=3D${jail_mount_enable:-NO}} > + if checkyesno jail_${_j}_mount_enable; then > + echo " allow.mount;" >> $_conf > fi > - done <${_fstab} > - mount -a -F "${_fstab}" > -} > - > -# jail_show_addresses jail > -# Debug print the input for the given _multi aliases > -# for a jail for init_variables(). > -# > -jail_show_addresses() > -{ > - local _j _type alias > - _j=3D"$1" > - alias=3D0 >=20 > - if [ -z "${_j}" ]; then > - warn "jail_show_addresses: you must specify a jail" > - return > - fi > + extract_var $_j set_hostname_allow allow.set_hostname YN = NO > + extract_var $_j sysvipc_allow allow.sysvipc YN NO > + echo "}" > + ) >> $_conf >=20 > - while : ; do > - eval _addr=3D\"\$jail_${_j}_ip_multi${alias}\" > - if [ -n "${_addr}" ]; then > - debug "${_j} ip_multi${alias}: $_addr" > - alias=3D$((${alias} + 1)) > - else > - break > - fi > - done > + return 0 > } >=20 > -# jail_extract_address argument > +# jail_extract_address argument iface > # The second argument is the string from one of the _ip > # or the _multi variables. In case of a comma separated list > # only one argument must be passed in at a time. 
> @@ -382,8 +258,9 @@ jail_show_addresses() > # > jail_extract_address() > { > - local _i > + local _i _interface > _i=3D$1 > + _interface=3D$2 >=20 > if [ -z "${_i}" ]; then > warn "jail_extract_address: called without input" > @@ -439,21 +316,21 @@ jail_extract_address() > _mask=3D${_mask:-/32} >=20 > elif [ "${_type}" =3D "inet6" ]; then > - # In case _maske is not set for IPv6, use /128. > - _mask=3D${_mask:-/128} > + # In case _maske is not set for IPv6, use /64. > + _mask=3D${_mask:-/64} > fi > } >=20 > -# jail_handle_ips_option {add,del} input > +# jail_handle_ips_option input iface > # Handle a single argument imput which can be a comma separated > # list of addresses (theoretically with an option interface and > # prefix/netmask/prefixlen). > # > jail_handle_ips_option() > { > - local _x _action _type _i > - _action=3D$1 > - _x=3D$2 > + local _x _type _i _iface > + _x=3D$1 > + _iface=3D$2 >=20 > if [ -z "${_x}" ]; then > # No IP given. This can happen for the primary address 
> @@ -468,294 +345,146 @@ jail_handle_ips_option() > *,*) # Extract the first argument and strip it off = the list. > _i=3D`expr "${_x}" : '^\([^,]*\)'` > _x=3D`expr "${_x}" : "^[^,]*,\(.*\)"` > - ;; > + ;; > *) _i=3D${_x} > _x=3D"" > - ;; > + ;; > esac >=20 > _type=3D"" > - _iface=3D"" > _addr=3D"" > _mask=3D"" > - jail_extract_address "${_i}" > + jail_extract_address $_i $_iface >=20 > # make sure we got an address. > - case "${_addr}" in > + case $_addr in > "") continue ;; > *) ;; > esac >=20 > # Append address to list of addresses for the jail = command. > - case "${_type}" in > + case $_type in > inet) > - case "${_addrl}" in > - "") _addrl=3D"${_addr}" ;; > - *) _addrl=3D"${_addrl},${_addr}" ;; > - esac > - ;; > + echo " ip4.addr +=3D \"${_addr}${_mask}\";" > + ;; > inet6) > - case "${_addr6l}" in > - "") _addr6l=3D"${_addr}" ;; > - *) _addr6l=3D"${_addr6l},${_addr}" ;; > - esac > - ;; > - esac > - > - # Configure interface alias if requested by a given = interface > - # and if we could correctly parse everything. > - case "${_iface}" in > - "") continue ;; > - esac > - case "${_type}" in > - inet) ;; > - inet6) ipv6_address_count=3D$((ipv6_address_count + 1)) = ;; > - *) warn "Could not determine address family. Not = going" \ > - "to ${_action} address '${_addr}' for = ${_jail}." > - continue > - ;; > - esac > - case "${_action}" in > - add) ifconfig ${_iface} ${_type} ${_addr}${_mask} = alias > - ;; > - del) # When removing the IP, ignore the _mask. > - ifconfig ${_iface} ${_type} ${_addr} -alias > - ;; > + echo " ip6.addr +=3D \"${_addr}${_mask}\";" > + need_dad_wait=3D1 > + ;; > esac > done > } >=20 > -# jail_ips {add,del} > -# Extract the comma separated list of addresses and return them > -# for the jail command. > -# Handle more than one address via the _multi option as well. > -# If an interface is given also add/remove an alias for the > -# address with an optional netmask. 
> -# > -jail_ips() > +jail_config() > { > - local _action > - _action=3D$1 > - > - case "${_action}" in > - add) ;; > - del) ;; > - *) warn "jail_ips: invalid action '${_action}'" > - return > - ;; > + case $1 in > + _ALL) return ;; > esac > - > - # Handle addresses. > - ipv6_address_count=3D0 > - jail_handle_ips_option ${_action} "${_ip}" > - # Handle jail_xxx_ip_multi<N> > - alias=3D0 > - while : ; do > - eval _x=3D\"\$jail_${_jail}_ip_multi${alias}\" > - case "${_x}" in > - "") break ;; > - *) jail_handle_ips_option ${_action} "${_x}" > - alias=3D$((${alias} + 1)) > - ;; > - esac > + for _jail in $@; do > + if parse_options $_jail; then=20 > + echo "$_jail: parameters are in $_conf." > + fi > done > - case ${ipv6_address_count} in > - 0) ;; > - *) # Sleep 1 second to let DAD complete before starting = services. > - sleep 1 > - ;; > +} > + > +jail_console() > +{ > + # One argument that is not _ALL. > + case $#:$1 in > + 1:_ALL) err 3 "Specify a jail name." ;; > + 1:*) ;; > + *) err 3 "Specify a jail name." ;; > esac > + eval _cmd=3D\${jail_$1_consolecmd:-$jail_consolecmd} > + $jail_jexec $1 $_cmd > } >=20 > -jail_prestart() > +jail_status() > { > - if checkyesno jail_parallel_start; then > - command_args=3D'&' > - fi > + > + $jail_jls -N > } >=20 > jail_start() > { > - echo -n 'Configuring jails:' > - set_sysctl jail_set_hostname_allow = security.jail.set_hostname_allowed \ > - set_hostname_allow > - set_sysctl jail_socket_unixiproute_only \ > - security.jail.socket_unixiproute_only unixiproute_only > - set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \ > - sysvipc_allow > - echo '.' > - > + if [ $# =3D 0 ]; then > + return > + fi > echo -n 'Starting jails:' > - _tmp_dir=3D`mktemp -d /tmp/jail.XXXXXXXX` || \ > - err 3 "$name: Can't create temp dir, exiting..." 
> - for _jail in ${jail_list} > - do > - init_variables $_jail > - if [ -f /var/run/jail_${_jail}.id ]; then > - echo -n " [${_hostname} already running = (/var/run/jail_${_jail}.id exists)]" > - continue; > - fi > - _addrl=3D"" > - _addr6l=3D"" > - jail_ips "add" > - if [ -n "${_fib}" ]; then > - _setfib=3D"setfib -F '${_fib}'" > + case $1 in > + _ALL) > + echo -n ' ' > + command=3D$jail_program > + rc_flags=3D$jail_flags > + command_args=3D"-f $jail_conf -c" > + $command $rc_flags $command_args "*" > + echo '.' > + return > + ;; > + esac > + _tmp=3D`mktemp -t jail` || exit 3 > + for _jail in $@; do > + parse_options $_jail || continue > + > + eval rc_flags=3D\${jail_${_j}_flags:-$jail_flags} > + eval command=3D\${jail_${_j}_program:-$jail_program} > + if checkyesno jail_parallel_start; then > + command_args=3D"-i -f $_conf -c $_jail &" > else > - _setfib=3D"" > - fi > - if checkyesno _mount; then > - info "Mounting fstab for jail ${_jail} = (${_fstab})" > - if [ ! -f "${_fstab}" ]; then > - err 3 "$name: ${_fstab} does not exist" > - fi > - jail_mount_fstab > - fi > - if checkyesno _devfs; then > - # If devfs is already mounted here, skip it. > - df -t devfs "${_devdir}" >/dev/null > - if [ $? -ne 0 ]; then > - if is_symlinked_mountpoint ${_devdir}; = then > - warn "${_devdir} has symlink as = parent - not starting jail ${_jail}" > - continue > - fi > - info "Mounting devfs on ${_devdir}" > - devfs_mount_jail "${_devdir}" = ${_ruleset} > - # Transitional symlink for old binaries > - if [ ! -L "${_devdir}/log" ]; then > - ln -sf ../var/run/log = "${_devdir}/log" > - fi > - fi > - > - # XXX - It seems symlinks don't work when there > - # is a devfs(5) device of the same name. 
> - # Jail console output > - # __pwd=3D"`pwd`" > - # cd "${_devdir}" > - # ln -sf ../var/log/console console > - # cd "$__pwd" > - fi > - if checkyesno _fdescfs; then > - if is_symlinked_mountpoint ${_fdescdir}; then > - warn "${_fdescdir} has symlink as = parent, not mounting" > - else > - info "Mounting fdescfs on ${_fdescdir}" > - mount -t fdescfs fdesc "${_fdescdir}" > - fi > - fi > - if checkyesno _procfs; then > - if is_symlinked_mountpoint ${_procdir}; then > - warn "${_procdir} has symlink as parent, = not mounting" > - else > - info "Mounting procfs onto ${_procdir}" > - if [ -d "${_procdir}" ] ; then > - mount -t procfs proc = "${_procdir}" > - fi > - fi > + command_args=3D"-i -f $_conf -c $_jail" > fi > - _tmp_jail=3D${_tmp_dir}/jail.$$ > - > - i=3D0 > - while : ; do > - eval out=3D\"\${_exec_prestart${i}:-''}\" > - [ -z "$out" ] && break > - ${out} > - i=3D$((i + 1)) > - done > - > - eval ${_setfib} jail -n ${_jail} ${_flags} -i -c = path=3D${_rootdir} host.hostname=3D${_hostname} \ > - ${_addrl:+ip4.addr=3D\"${_addrl}\"} = ${_addr6l:+ip6.addr=3D\"${_addr6l}\"} \ > - ${_parameters} command=3D${_exec_start} > = ${_tmp_jail} 2>&1 \ > - </dev/null > - > - if [ "$?" 
-eq 0 ] ; then > - _jail_id=3D$(head -1 ${_tmp_jail}) > - i=3D1 > - while : ; do > - eval = out=3D\"\${_exec_afterstart${i}:-''}\" > - > - if [ -z "$out" ]; then > - break; > - fi > - > - jexec "${_jail_id}" ${out} > - i=3D$((i + 1)) > - done > - > - echo -n " $_hostname" > - tail +2 ${_tmp_jail} >${_consolelog} > - echo ${_jail_id} > /var/run/jail_${_jail}.id > - > - i=3D0 > - while : ; do > - eval out=3D\"\${_exec_poststart${i}:-''}\"= > - [ -z "$out" ] && break > - ${out} > - i=3D$((i + 1)) > - done > + if $command $rc_flags $command_args \ > + >> $_tmp 2>&1 </dev/null; then > + echo -n " ${_hostname:-${_jail}}" > else > - jail_umount_fs > - jail_ips "del" > - echo " cannot start jail \"${_jail}\": " > - tail +2 ${_tmp_jail} > + echo " cannot start jail = \"${_hostname:-${jail}}\": " > + tail +2 $_tmp > fi > - rm -f ${_tmp_jail} > + rm -f $_tmp > done > - rmdir ${_tmp_dir} > echo '.' > } >=20 > jail_stop() > { > + if [ $# =3D 0 ]; then > + return > + fi > echo -n 'Stopping jails:' > - for _jail in ${jail_list} > - do > - if [ -f "/var/run/jail_${_jail}.id" ]; then > - _jail_id=3D$(cat /var/run/jail_${_jail}.id) > - if [ ! 
-z "${_jail_id}" ]; then > - init_variables $_jail > - > - i=3D0 > - while : ; do > - eval = out=3D\"\${_exec_prestop${i}:-''}\" > - [ -z "$out" ] && break > - ${out} >=20 > *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** --=20 /"\ With kind regards, | remko@elvandar.org \ / Remko Lodder | remko@FreeBSD.org X FreeBSD | = http://www.evilcoder.org / \ The Power to Serve | Quis custodiet ipsos custodes
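
Review bot: Removing `jail_set_hostname_allow="YES"` from etc/defaults/rc.conf (hunk `@@ -674,44 +674,11 @@`) changes the effective default for converted jails, because rc.d/jail now falls back to NO in `extract_var $_j set_hostname_allow allow.set_hostname YN NO` and writes `allow.set_hostname = 0;`. The other two removed knobs keep their old defaults (socket_unixiproute_only YES, sysvipc_allow NO), so this one looks unintended, and it does not fit the "transparently backward compatible" wording in the log. Either pass YES as the default in the extract_var call or list the change in the UPDATING entry.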
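
Review bot: extract_var (hunk `@@ -8,81 +8,138 @@` of etc/rc.d/jail) writes rc.conf values into the generated file between double quotes with no escaping, in `echo " $_param = \"$_tmpargs\";"` and in the `+=` variant of the numbered branch, so a value that itself contains a double quote or a backslash (an exec_prestart command with quoted arguments, for example) produces a jail.conf that no longer parses as intended. Escape `\` and `"` in `$_tmpargs` before writing it. The function comment spells the name `extact_var` and reads "is interpret as boolean". The same hunk deletes the header warning that this script deals with untrusted jail data and that changes should go past the Security Team; if the warning is considered obsolete, the log should say why.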
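
Review bot: In parse_options (hunk `@@ -96,285 +153,104 @@`), `case $_ruleset in` reads a variable that nothing in the visible function assigns, since the `eval _ruleset=...` line is removed without a replacement, so a numeric jail_<jname>_devfs_ruleset never reaches `devfs_ruleset` in the generated file; restore the assignment before the subshell. In the same block `mount.fstab` is only emitted inside the devfs_enable branch, while mount_enable now emits `allow.mount;`. The old variable made the host mount the jail's fstab; the new output lets privileged users inside the jail mount file systems, which is wider than the removed rc.conf comment "mount/umount jail's fs" described. Gate `mount.fstab` on mount_enable and leave `allow.mount` to an explicit jail parameter. The ip_multi loop evaluates `$jail_${_jail}_ip_multi${alias}` although the function's argument is `_j`, so it works only when the caller happens to have `_jail` set. The removed is_symlinked_mountpoint and secure_umount checks have no counterpart in the added lines; please state in the log what now protects the fdescfs, procfs and fstab mount points against symlinks under the jail root.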
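
Review bot: The default IPv6 prefix length in jail_extract_address changes from /128 to /64 (hunk `@@ -439,21 +316,21 @@`) with no mention in the log or in the UPDATING entry, and since jail_handle_ips_option now writes `${_addr}${_mask}` into `ip6.addr`, every IPv6 address given without a prefix is emitted as /64. Say why /64 is the right default here or keep /128, and fix the `_maske` typo in the comment while the line is being touched.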
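
Review bot: jail_start (hunk `@@ -468,294 +345,146 @@`) creates `$_tmp` once with mktemp before the loop but runs `rm -f $_tmp` inside it, so from the second jail on `>> $_tmp` re-creates a file, as root, at a name that is already known in the temporary directory; move the `rm -f` after `done`, or truncate the file instead of removing it. In the same loop `${jail_${_j}_flags}` and `${jail_${_j}_program}` use `_j`, which is local to parse_options and not set in jail_start, so per-jail flags and program are never picked up (use `$_jail`). The failure message expands `${jail}` rather than `${_jail}`. The `&` stored in `command_args` for jail_parallel_start is passed to jail(8) as a literal argument, because the command line is expanded rather than evaluated, so nothing is started in the background.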