! ! Rather than using a private IPv4 address on a dedeicated loopback ! interface and pf NAT, share an IP address with the base system for ! the portjail. ! This should be no problem as we do not bind any port in the jail ! to conflict with base, but just need outgoing ports. ! ! This also allows the use of IPv6 from inside the jail for distfile ! fetching, etc. and makes portjail start on IPv6-only systems. ! ! Switch to new jail command line options and a persistent jail ! allowing the portjail to be running without processes attached. ! ! Always write a clean rc.conf inside the jail so no services ! will be enabled and specifically disable sendmail, syslog and cron. ! ! ! Note: the old commands are currently just commented out mostly ! and should be removed after review and testing. ! ! Submitted by: bz ! Sponsored by: The FreeBSD Foundation ! Sponsored by: iXsystems ! Index: system-overlay/usr/local/share/pcbsd/scripts/portjail.sh =================================================================== --- system-overlay/usr/local/share/pcbsd/scripts/portjail.sh (revision 10713) +++ system-overlay/usr/local/share/pcbsd/scripts/portjail.sh (working copy) @@ -4,7 +4,6 @@ PJDIR="/usr/jails/portjail" PJHOST="`hostname`" -PJIP="10.1.1.1" # Set manpath to enable whatis to work MANPATH=/usr/local/man 
@@ -60,26 +59,45 @@ then rm ${PJDIR}/etc/localtime >/dev/null 2>/dev/null cp /etc/localtime ${PJDIR}/etc/localtime - # Create our pseudo device for networking - ifconfig lo1 create - ifconfig lo1 inet ${PJIP} netmask 255.255.255.0 +# # Create our pseudo device for networking +# ifconfig lo1 create +# ifconfig lo1 inet ${PJIP} netmask 255.255.255.0 - # Configure NAT with PF - sed -i -e '/.*from lo1:network to any/d' /etc/pf.conf +# # Configure NAT with PF +# sed -i -e '/.*from lo1:network to any/d' /etc/pf.conf - TMPIF=`ifconfig -l` - for i in ${TMPIF} - do - case $i in - fwe0|fwip0|pflog0|pfsync0|lo0|lo1) ;; - *) cp /etc/pf.conf /etc/.pftmp.conf - sed "s/scrub in all/scrub in all\\`echo -e '\r'`nat on ${i} from lo1:network to any -> (${i})/" /etc/.pftmp.conf | tr -s "\r" "\n" >/etc/pf.conf ;; - esac - done +# TMPIF=`ifconfig -l` +# for i in ${TMPIF} +# do +# case $i in +# fwe0|fwip0|pflog0|pfsync0|lo0|lo1) ;; +# *) cp /etc/pf.conf /etc/.pftmp.conf +# sed "s/scrub in all/scrub in all\\`echo -e '\r'`nat on ${i} from lo1:network to any -> (${i})/" /etc/.pftmp.conf | tr -s "\r" "\n" >/etc/pf.conf ;; +# esac +# done +# +# rm /etc/.pftmp.conf >/dev/null 2>/dev/null +# /etc/rc.d/pf restart >/dev/null 2>/dev/null - rm /etc/.pftmp.conf >/dev/null 2>/dev/null - /etc/rc.d/pf restart >/dev/null 2>/dev/null + # Figure out our default itnerfaces, otherwise try all. + # Get the first IP address we find that is not special and use that for the jail. 
+ IP6_DFLT_IFACE=`netstat -Warn -f inet6 | awk '/^default/ { print $7 }'` + IP4_DFLT_IFACE=`netstat -Warn -f inet | awk '/^default/ { print $7 }'` + if [ -z "${IP6_DFLT_IFACE}" ]; then + IP6_DFLT_IFACE="-a" + fi + if [ -z "${IP4_DFLT_IFACE}" ]; then + IP4_DFLT_IFACE="-a" + fi + PJIP6=`ifconfig ${IP6_DFLT_IFACE} inet6 | awk '{ if (/fe80:/) { next; }; if (/ ::1 /) { next; }; if (/inet6 /) { print $2 }; }' | head -1` + PJIP4=`ifconfig ${IP6_DFLT_IFACE} inet | awk '{ if (/127.0.0./) { next; }; if (/inet /) { print $2 }; }' | head -1` + PJIP="ip6.addr=${PJIP6}" + if [ -n "${PJIP}" -a -n "${PJIP4}" ]; then + PJIP="${PJIP} ip4.addr=${PJIP4}" + elif [ -n "${PJIP4}" ]; then + PJIP="ip4.addr=${PJIP4}" + fi # Make sure we remove our cleartmp rc.d script, causes issues if [ -e "${PJDIR}/etc/rc.d/cleartmp" ] @@ -88,12 +106,20 @@ then fi # Add the hostname to the portjails /etc/hosts file, to prevent sendmail warnings - sed -i -e '/127.0.0.1.*/d' ${PJDIR}/etc/hosts - echo "127.0.0.1 localhost localhost.my.domain ${PJHOST}" >>${PJDIR}/etc/hosts + sed -i -e '/^127.0.0.1.*/d' -e '/^::1.*/d' ${PJDIR}/etc/hosts + echo "::1 localhost localhost.my.domain ${PJHOST}" >>${PJDIR}/etc/hosts + echo "127.0.0.1 localhost localhost.my.domain ${PJHOST}" >>${PJDIR}/etc/hosts # Make sure the /etc/rc.conf HOSTNAME values match - sed -i -e '/hostname=.*/d' ${PJDIR}/etc/rc.conf + #sed -i -e '/hostname=.*/d' ${PJDIR}/etc/rc.conf + : > ${PJDIR}/etc/rc.conf echo "hostname=\"$PJHOST\"" >> ${PJDIR}/etc/rc.conf + echo "cron_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf + echo "syslogd_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf + echo "sendmail_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf + echo "sendmail_submit_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf + echo "sendmail_outbound_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf + echo "sendmail_msp_queue_enable=\"NO\"" >> ${PJDIR}/etc/rc.conf mount_nullfs /tmp ${PJDIR}/tmp mount_nullfs /media ${PJDIR}/media 
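Review bot: `PJIP4` is derived from `${IP6_DFLT_IFACE}` instead of the `IP4_DFLT_IFACE` computed two lines above it, so the IPv4 default interface is never consulted and, whenever the v6 route points to another interface (or is absent and falls back to `-a`), the jail receives the first IPv4 address of the wrong interface. `PJIP` is then pre-set to `ip6.addr=${PJIP6}` unconditionally, so the `-n "${PJIP}"` test is always true, an IPv4-only host hands jail(8) an empty `ip6.addr=`, and a host where both lookups fail silently gets a jail with no usable address. Because the address used is the host's own, any listener started inside the jail binds on the base system's address; the commit relies on nothing in the jail opening a port, which deserves a comment at this point, e.g. `# The jail shares the host's addresses: nothing inside it may bind a listening port.`. The rewrite below fixes the interface mix-up, builds `PJIP` only from addresses that were actually found, and fails loudly when there is none. The enclosing start branch (`then` … `elif [ "$1" = "stop" ]`) begins before this hunk.
```sh
    # … unchanged: IP6_DFLT_IFACE / IP4_DFLT_IFACE lookup with "-a" fallback …
    # The jail shares the host's addresses: nothing inside it may bind a listening port.
    PJIP6=`ifconfig ${IP6_DFLT_IFACE} inet6 | awk '{ if (/fe80:/) { next; }; if (/ ::1 /) { next; }; if (/inet6 /) { print $2 }; }' | head -1`
    PJIP4=`ifconfig ${IP4_DFLT_IFACE} inet | awk '{ if (/127.0.0./) { next; }; if (/inet /) { print $2 }; }' | head -1`
    PJIP=""
    if [ -n "${PJIP6}" ]; then
        PJIP="ip6.addr=${PJIP6}"
    fi
    if [ -n "${PJIP4}" ]; then
        PJIP="${PJIP} ip4.addr=${PJIP4}"
    fi
    if [ -z "${PJIP}" ]; then
        echo "portjail: no usable IPv4 or IPv6 address found for the jail" >&2
        exit 1
    fi
```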
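Review bot: The new `sed -i -e '/^127.0.0.1.*/d' -e '/^::1.*/d' ${PJDIR}/etc/hosts` is probably broken on FreeBSD's sed(1), where `-i` takes a mandatory backup-extension argument: `-e` is consumed as that extension, `/^127.0.0.1.*/d` becomes the script, and `-e` and `/^::1.*/d` are treated as input files, so the `::1` entry is never removed and a stray `hosts-e` backup is left in the jail. The stop path in this same file already uses the `sed -i ""` form; use it here as well, `sed -i "" -e '/^127.0.0.1.*/d' -e '/^::1.*/d' ${PJDIR}/etc/hosts`, otherwise a duplicate `::1` line is appended on every start. Separately, `: > ${PJDIR}/etc/rc.conf` intentionally discards whatever was in the jail's rc.conf, which is not obvious from the code; a comment such as `# rc.conf is regenerated on every start; hand edits inside the jail are lost` would save the next maintainer a surprise. The surrounding start branch begins before this hunk.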
@@ -110,7 +136,8 @@ then mkdir -p ${PJDIR}/compat/linux/proc mount -t linprocfs linprocfs ${PJDIR}/compat/linux/proc fi - jail -n portjail ${PJDIR} ${PJHOST} ${PJIP} /bin/sh /etc/rc + jail -c name=portjail path=${PJDIR} host.hostname=${PJHOST} ${PJIP} persist + jexec portjail /bin/sh /etc/rc elif [ "$1" = "stop" ] then @@ -128,7 +155,7 @@ then fi # Cleanup /etc/pf.conf - sed -i "" -e '/.*from lo1:network to any/d' /etc/pf.conf + #sed -i "" -e '/.*from lo1:network to any/d' /etc/pf.conf # Stop the Jail jexec portjail /bin/sh /etc/rc.shutdown @@ -140,7 +167,7 @@ then umount ${PJDIR}/media umount ${PJDIR}/usr/home umount ${PJDIR}/usr/src - ifconfig lo1 destroy + #ifconfig lo1 destroy elif [ "$1" = "console" ] then @@ -153,7 +180,8 @@ then fi DBUS_SESSION_BUS_ADDRESS="" ; export DBUS_SESSION_BUS_ADDRESS - PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'` + #PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'` + PJID=`jls -s -j portjail -n jid | awk -F= '{ print $2 }'` /usr/local/sbin/jailme $PJID /bin/csh elif [ "$1" = "run" ] @@ -173,7 +201,8 @@ then fi DBUS_SESSION_BUS_ADDRESS="" ; export DBUS_SESSION_BUS_ADDRESS - PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'` + #PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'` + PJID=`jls -s -j portjail -n jid | awk -F= '{ print $2 }'` /usr/local/sbin/jailme $PJID $2 elif [ "$1" = "init" ]
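Review bot: `jexec portjail /bin/sh /etc/rc` runs whether or not the preceding `jail -c ... persist` succeeded; with `persist`, a portjail left behind by a failed or skipped stop makes `jail -c` fail because the name is already in use, and rc is then started inside the stale jail. Check the status before entering the jail, e.g. `jail -c name=portjail path=${PJDIR} host.hostname=${PJHOST} ${PJIP} persist || exit 1`. The stop hunks in this diff only show the pf and lo1 lines being commented out, so I cannot tell whether the stop branch ends with `jail -r portjail`; if it does not, the persistent jail outlives its processes and should be removed there. `${PJIP}` is deliberately left unquoted so it word-splits into separate parameters, which is worth a one-line comment, e.g. `# PJIP holds zero or more jail parameters; keep it unquoted`. The enclosing start branch begins before this hunk.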
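Review bot: `PJID` is used unchecked on the following `jailme $PJID /bin/csh` line, so when the jail is not running `jls -j portjail` fails, `PJID` is empty, and jailme is invoked with `/bin/csh` as its jid argument. Since jls(8) prints a named parameter on its own when asked for it, the pipeline can be reduced to ``PJID=`jls -j portjail jid` || exit 1``, which both drops the `-s`/`awk -F=` parsing and aborts when the jail is absent. The `run` branch's hunk below introduces the same pattern and should get the same treatment. The enclosing `elif [ "$1" = "console" ]` branch begins before this hunk.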