From 66338db9e9e44f42f6951ac8c6362ae4a83cbfbf Mon Sep 17 00:00:00 2001 From: Mike Makonnen Date: Sun, 24 Aug 2003 06:29:32 +0000 Subject: [PATCH] Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel with modifications by Jens Rehsack and me. --- etc/defaults/rc.conf | 29 ++++++++++-- etc/rc.d/jail | 110 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 124 insertions(+), 15 deletions(-) diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 8a0907d88f33..0a287a9bc034 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -428,16 +428,35 @@ harvest_interrupt="YES" # Entropy device harvests interrupt randomness harvest_ethernet="YES" # Entropy device harvests ethernet randomness harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot -jail_enable="NO" # Set to NO to disable starting of any jails -jail_list="" # Space separated list of names of jails -jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail -jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail watchdogd_enable="NO" # Start the software watchdog daemon devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules" # Files containing # devfs(8) rules. devfs_system_ruleset="" # The name of a ruleset to apply to /dev +############################################################## +### Jail Configuration ####################################### +############################################################## +jail_enable="NO" # Set to NO to disable starting of any jails +jail_list="" # Space separated list of names of jails +jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname +jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail +jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail +jail_stop_jailer="NO" # Only stop jailer. Requires jail_*_exec be set + # to use sysutils/jailer port to start the jail. + +# +# To use rc's built-in jail infrastructure create entries for +# each jail, specified in jail_list, with the following variables. +# NOTE: replace 'example' with the jail's name. +# +#jail_example_rootdir="/usr/jail/default" # Jail's root directory +#jail_example_hostname="default.domain.com" # Jail's hostname +#jail_example_ip="192.168.0.10" # Jail's IP number +#jail_example_exec="/bin/sh /etc/rc" # command to execute in jail +#jail_example_devfs_enable="NO" # mount devfs in the jail +#jail_example_fdescfs_enable="NO" # mount fdescfs in the jail +#jail_example_procfs_enable="NO" # mount procfs in jail +#jail_example_devfs_ruleset="123" # devfs ruleset to apply to jail ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## diff --git a/etc/rc.d/jail b/etc/rc.d/jail index 364ca9c763cb..25e59a457cad 100644 --- a/etc/rc.d/jail +++ b/etc/rc.d/jail @@ -6,7 +6,7 @@ # PROVIDE: jail # REQUIRE: LOGIN # BEFORE: securelevel -# KEYWORD: FreeBSD +# KEYWORD: FreeBSD shutdown . /etc/rc.subr @@ -15,6 +15,50 @@ rcvar=`set_rcvar` start_cmd="jail_start" stop_cmd="jail_stop" +# init_variables _j +# Initialize the various jail variables for jail _j. +# +init_variables() +{ + _j="$1" + + if [ -z "$_j" ]; then + warn "init_variables: you must specify a jail" + return + fi + + eval jail_rootdir=\"\$jail_${_j}_rootdir\" + jail_devdir="${jail_rootdir}/dev" + jail_fdescdir="${jail_devdir}/fd" + jail_procdir="${jail_rootdir}/proc" + eval jail_hostname=\"\$jail_${_j}_hostname\" + eval jail_ip=\"\$jail_${_j}_ip\" + eval jail_exec=\"\$jail_${_j}_exec\" + [ -z "${jail_exec}" ] && jail_exec="/bin/sh /etc/rc" + + # The default jail ruleset will be used by rc.subr if none is specified. + eval jail_ruleset=\"\$jail_${_j}_devfs_ruleset\" + eval jail_devfs=\"\$jail_${_j}_devfs_enable\" + [ -z "${jail_devfs}" ] && jail_devfs="NO" + eval jail_fdescfs=\"\$jail_${_j}_fdescfs_enable\" + [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO" + eval jail_procfs=\"\$jail_${_j}_procfs_enable\" + [ -z "${jail_procfs}" ] && jail_procfs="NO" + + # Debuggin aid + # + debug "$_j devfs enable: $jail_devfs" + debug "$_j fdescfs enable: $jail_fdescfs" + debug "$_j procfs enable: $jail_procfs" + debug "$_j hostname: $jail_hostname" + debug "$_j ip: $jail_ip" + debug "$_j root: $jail_rootdir" + debug "$_j devdir: $jail_devdir" + debug "$_j fdescdir: $jail_fdescdir" + debug "$_j procdir: $jail_procdir" + debug "$_j ruleset: $jail_ruleset" +} + jail_start() { echo -n 'Configuring jails:' @@ -46,22 +90,68 @@ jail_start() fi echo '.' - echo 'Starting Jails.' + echo -n 'Starting Jails:' for _jail in ${jail_list} do - eval jail_rootdir=\"\$jail_${_jail}_rootdir\" - eval jail_hostname=\"\$jail_${_jail}_hostname\" - eval jail_ip=\"\$jail_${_jail}_ip\" - eval jail_exec=\"\$jail_${_jail}_exec\" - [ -z "${jail_exec}" ] && jail_exec="/bin/sh /etc/rc" - - jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec} + init_variables $_jail + if checkyesno jail_devfs; then + info "Mounting devfs on ${jail_devdir}" + devfs_mount_jail "${jail_devdir}" ${jail_ruleset} + + # Transitional symlink for old binaries + if [ ! -L ${jail_devdir}/log ]; then + devfs_link ${jail_devdir} ../var/run/log log + fi + + # Jail console output + devfs_link ${jail_devdir} ../var/log/console console + fi + if checkyesno jail_fdescfs; then + info "Mounting fdescfs on ${jail_fdescdir}" + mount -t fdescfs fdesc "${jail_fdescdir}" + fi + if checkyesno jail_procfs; then + info "Mounting procfs onto ${jail_procdir}" + if [ -d ${jail_procdir} ] ; then + mount -t procfs proc "${jail_procdir}" + fi + fi + jail 1>/dev/null 2>&1 \ + ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec} + [ "$?" -eq 0 ] && echo -n " $jail_hostname" done + echo '.' } jail_stop() { - kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print $2};') + echo 'Stopping all jails.' + if checkyesno jail_stop_jailer; then + rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print $2};') + else + rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print $2};') + fi + if [ -n "${rc_pid}" ]; then + kill -TERM $rc_pid + wait_for_pids $rc_pid + fi + for _jail in ${jail_list} + do + init_variables $_jail + if checkyesno jail_devfs; then + if [ -d ${jail_devdir} ] ; then + umount -f ${jail_devdir} >/dev/null 2>&1 + fi + fi + if checkyesno jail_fdescfs; then + umount -f ${jail_fdescdir} >/dev/null 2>&1 + fi + if checkyesno jail_procfs; then + if [ -d ${jail_procdir} ] ; then + umount -f ${jail_procdir} >/dev/null 2>&1 + fi + fi + done }