From nobody Sun Aug 15 16:29:59 2021 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6A8591766428 for ; Sun, 15 Aug 2021 16:30:07 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (gritton.org [199.192.165.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4GnjSb1rz9z3jY7 for ; Sun, 15 Aug 2021 16:30:07 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org ([127.0.0.131]) (authenticated bits=0) by gritton.org (8.15.2/8.15.2) with ESMTPA id 17FGTxWE049359; Sun, 15 Aug 2021 09:29:59 -0700 (PDT) (envelope-from jamie@freebsd.org) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Sun, 15 Aug 2021 09:29:59 -0700 From: James Gritton To: freebsd-hackers@freebsd.org Cc: Dan Langille Subject: Re: starting jails within jails using rc In-Reply-To: <60ecf265-b308-738d-ec2f-64e76b625a38@langille.org> References: <60ecf265-b308-738d-ec2f-64e76b625a38@langille.org> User-Agent: Roundcube Webmail/1.4.1 Message-ID: X-Sender: jamie@freebsd.org X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (gritton.org [127.0.0.131]); Sun, 15 Aug 2021 09:29:59 -0700 (PDT) X-Rspamd-Queue-Id: 4GnjSb1rz9z3jY7 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N On 2021-08-14 12:59, Dan Langille wrote: > The problem: > > The parent jail cannot automatically start the child jail. The child > jail can be started manually. > > Running this command in the parent child succeeds: service jail start > freshports > > Why? I think it's because /etc/rc.d/jail contains: > > # KEYWORD: nojail shutdown > > This tells the rc system not to run the jail script if the host is a > jail. > > How can I trick it? > > My two ideas so far: > > * remove the keyword from the script (I've tested this; it works) > * duplicate the script, removing the keyword from the script > * mangle security.jail.jailed in the parent jail it thinks it's not in > a jail and runs it anyway > > The downsides to these: > > * the first two require I keep up to date with the jail script. > * the last one will have unintended consequences I'm sure, many which > I most likely would not like. Since jails with jails is a supported (though not defaulted) feature, I see no reason why simply removing the "nojail" keyword from the script shouldn't be the default. The only cost is typical jail startup having to run the script to no effect, but the rc system is already built of dozens of such seldom-used scripts. - Jamie