Only in /usr/src/etc/rc.d: Makefile diff -ur /usr/src/etc/rc.d/jail /etc/rc.d/jail --- /usr/src/etc/rc.d/jail 2011-11-11 05:20:22.000000000 +0100 +++ /etc/rc.d/jail 2012-06-09 21:16:33.469566053 +0200 @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/jail,v 1.47.2.1.2.1 2011/11/11 04:20:22 kensmith Exp $ +# $FreeBSD: release/9.0.0/etc/rc.d/jail 220153 2011-03-30 01:19:00Z emaste $ # # PROVIDE: jail @@ -10,10 +10,12 @@ # WARNING: This script deals with untrusted data (the data and # processes inside the jails) and care must be taken when changing the -# code related to this! If you have any doubt whether a change is +# code related to this! If you have any doubt whether a change is # correct and have security impact, please get the patch reviewed by # the FreeBSD Security Team prior to commit. +# Modified by girgen@FreeBSD.org for epair use + . /etc/rc.subr name="jail" @@ -40,6 +42,7 @@ _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" + eval _name=\"\${jail_${_j}_name:-${_j}}\" eval _ip=\"\$jail_${_j}_ip\" eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=\"\$jail_${_j}_exec\" @@ -53,10 +56,17 @@ eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" - i=1 + i=0 while : ; do eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\" - [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break + [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break + i=$((i + 1)) + done + + i=0 + while : ; do + eval _exec_earlypoststart${i}=\"\${jail_${_j}_exec_earlypoststart${i}:-\${jail_exec_earlypoststart${i}}}\" + [ -z "$(eval echo \"\$_exec_earlypoststart${i}\")" ] && break i=$((i + 1)) done 
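Review bot: `_name` is read from `jail_${_j}_name` in the `@@ -40,6 +42,7 @@` hunk, but in the hunks visible here it is only echoed by `debug "$_j name: $_name"`; nothing passes it to the jail command. If it is meant to become the jail's name (jail(8) `-n`), that line is not in this diff, and if not, the variable is dead. The `eval` follows the pattern of the surrounding lines, and init_variables itself starts before this hunk.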
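Review bot: Changing the loop start from `i=1` to `i=0` in the `@@ -53,10 +56,17 @@` hunk silently drops existing configurations: the loop breaks at the first empty index, so a jail that defines `jail_X_exec_afterstart1` (the numbering the stock script used) but no `_afterstart0` now runs no afterstart commands at all, with no warning. The same change is made at the `@@ -147,7 +169,7 @@` hunk, and `jail_add_epair` relies on the new numbering in its `j=0` scan; either keep the old numbering and start that scan at 1, or have the loop retry from index 1 when index 0 is empty before breaking. The new `_exec_earlypoststart` loop mirrors the afterstart loop but the hook gets no entry in the defaults hunk; a one-line comment above it saying when these commands run (presumably after `jail` returns and before `_exec_afterstart`, judging by the `ifconfig ... vnet` command jail_add_epair stores there — confirm) would help. Several `-`/`+` pairs here and elsewhere in the diff differ only in whitespace, which looks like tab-to-space conversion and should be reverted to keep the patch minimal.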
@@ -83,12 +93,14 @@ i=$((i + 1)) done + eval _vnet=\"\${jail_${_j}_vnet_enable:-${jail_vnet_enable}}\" + if [ -n "${_exec}" ]; then - # simple/backward-compatible execution + # simple/backward-compatible execution _exec_start="${_exec}" _exec_stop="" else - # flexible execution + # flexible execution if [ -z "${_exec_start}" ]; then _exec_start="/bin/sh /etc/rc" if [ -z "${_exec_stop}" ]; then @@ -96,6 +108,9 @@ fi fi fi + + # JAIL new style + eval _v2=\"\${jail_v2_enable:-"NO"}\" # The default jail ruleset will be used by rc.subr if none is specified. eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" @@ -112,18 +127,25 @@ eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags="-l -U root" + if checkyesno _v2; then + [ -z "${_flags}" ] && _flags="-l -U root -c" + else + [ -z "${_flags}" ] && _flags="-l -U root" + fi eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" # Debugging aid # + debug "$_j v2 enable: $_v2" debug "$_j devfs enable: $_devfs" debug "$_j fdescfs enable: $_fdescfs" debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" + debug "$_j vnet enable: $_vnet" debug "$_j hostname: $_hostname" + debug "$_j name: $_name" debug "$_j ip: $_ip" jail_show_addresses ${_j} debug "$_j interface: $_interface" @@ -147,7 +169,7 @@ debug "$_j exec start: $_exec_start" - i=1 + i=0 while : ; do eval out=\"\${_exec_afterstart${i}:-''}\" @@ -417,7 +439,7 @@ # Identify type {inet,inet6}. case "${_addr}" in - *\.*\.*\.*) _type="inet" ;; + *\.*\.*\.*) _type="inet" ;; *:*) _type="inet6" ;; *) warn "jail_extract_address: type not identified" ;; 
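Review bot: When `jail_v2_enable` is set, `_flags` gains `-c` in the `@@ -112,18 +127,25 @@` hunk, but the start command in the `@@ -644,13 +752,46 @@` hunk still passes the legacy positional arguments (`-i ${_rootdir} ${_hostname} "${_addrl}" ${_exec_start}`); jail(8)'s `-c` form takes `name=value` parameters, so unless the start line is rewritten elsewhere this combination looks like it would be rejected — confirm against jail(8) on the target release. `jail_v2_enable` also has no entry in the defaults hunk, unlike `jail_vnet_enable`; adding `jail_v2_enable="NO"  # Use new-style jail(8) parameters` there keeps it discoverable. A user-set `jail_X_flags` bypasses the `-c` branch entirely, since both branches only apply when `_flags` is empty; a comment saying so, `# -c is only added to the default flags; an explicit jail_*_flags must include it`, would avoid surprise.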
@@ -479,39 +501,122 @@ # make sure we got an address. case "${_addr}" in - "") continue ;; + "") continue ;; *) ;; esac + # Append address to list of addresses for the jail command. + case "${_type}" in + "inet") case "${_addrlv4}" in + "") _addrlv4="${_addr}" ;; + *) _addrlv4="${_addrlv4},${_addr}" ;; + esac;; + "inet6") case "${_addrlv6}" in + "") _addrlv6="${_addr}" ;; + *) _addrlv6="${_addrlv6},${_addr}" ;; + esac;; + esac # Append address to list of addresses for the jail command. case "${_addrl}" in - "") _addrl="${_addr}" ;; + "") _addrl="${_addr}" ;; *) _addrl="${_addrl},${_addr}" ;; esac # Configure interface alias if requested by a given interface # and if we could correctly parse everything. case "${_iface}" in - "") continue ;; + "") continue ;; esac case "${_type}" in inet) ;; inet6) ;; *) warn "Could not determine address family. Not going" \ - "to ${_action} address '${_addr}' for ${_jail}." + "to ${_action} address '${_addr}' for ${_jail}." continue ;; esac case "${_action}" in - add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias + add) + case "${_iface}" in + bridge*) jail_add_epair + ;; + *) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias + ;; + esac ;; - del) # When removing the IP, ignore the _mask. - ifconfig ${_iface} ${_type} ${_addr} -alias + del) + case "${_iface}" in + bridge*) # already deleted + ;; + *) + # When removing the IP, ignore the _mask. 
+ ifconfig ${_iface} ${_type} ${_addr} -alias + ;; + esac ;; esac done } +# +jail_add_epair() +{ + local i j _epairnum _epairif + i=0 + while : ; do + eval out=\"\${_exec_earlypoststart${i}:-''}\" + if [ -z "$out" ]; then + break + fi + i=$((i + 1)) + done + j=0 + while : ; do + eval out=\"\${_exec_afterstart${j}:-''}\" + if [ -z "$out" ]; then + break + fi + j=$((j + 1)) + done + + # create an epair, up it and add it to the bridge + _epairif=`ifconfig epair create` + ifconfig ${_iface} up + ifconfig ${_iface} addm ${_epairif} + ifconfig ${_epairif} up + _epairnum=`echo ${_epairif} | sed -e 's,epair\([0-9]*\)[ab],\1,'` + + # move epairNb into jail + eval _exec_earlypoststart${i}=\"ifconfig epair${_epairnum}b vnet ${_jail}\" + i=$(($i + 1)) + eval unset _exec_earlypoststart${i} + # in the jail, up the lo0 interface first + eval _exec_afterstart${j}=\"ifconfig lo0 localhost up\" + # now set ip for epairNb + j=$((j + 1)) + eval _exec_afterstart${j}=\"ifconfig epair${_epairnum}b ${_type} ${_addr}${_mask}\" + j=$(($j + 1)) + eval unset _exec_afterstart${j} +} + +# find and remember all epair interfaces inside a jail +jail_find_epairs() +{ + _epairs=`jexec ${_jail_id} ifconfig | grep ^epair | cut -f 1 -d :` +} + +# remove epairs, must be run *after* jail is deleted, or system will panic +# and we expect jail_find_epairs to have run before the jail was shut down +jail_destroy_epairs() +{ + if [ -n "${_epairs}" ]; then + for _if in ${_epairs}; do + ifconfig ${_if} -vnet ${_jail_id} + ifconfig ${_if} destroy + done + fi +} + # jail_ips {add,del} # Extract the comma separated list of addresses and return them # for the jail command. @@ -526,7 +631,8 @@ case "${_action}" in add) ;; - del) ;; + del) jail_destroy_epairs + ;; *) warn "jail_ips: invalid action '${_action}'" return ;; @@ -539,7 +645,7 @@ while : ; do eval _x=\"\$jail_${_jail}_ip_multi${alias}\" case "${_x}" in - "") break ;; + "") break ;; *) jail_handle_ips_option ${_action} "${_x}" alias=$((${alias} + 1)) ;; 
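Review bot: `jail_add_epair` does not check that `ifconfig epair create` succeeded; if `_epairif` comes back empty, `ifconfig ${_iface} addm` runs with a missing argument, `_epairnum` is empty, and the jail is later handed `ifconfig epairb vnet`, so the creation should be guarded, e.g. `_epairif=$(ifconfig epair create) || { warn "cannot create epair for ${_jail}"; return 1; }` followed by a `[ -n "${_epairif}" ]` check. `jail_find_epairs` builds `_epairs` from `jexec ${_jail_id} ifconfig` output, i.e. from inside the jail that the file header declares untrusted, and `jail_destroy_epairs` then word-splits it unquoted into host-side `ifconfig ... -vnet` and `destroy` commands; restricting the match to the names this script itself creates (`grep '^epair[0-9]*b:'`) and validating each `_if` against that pattern before use keeps jail-controlled output from shaping those host commands. The comment on `jail_destroy_epairs` says it must run after the jail is deleted, yet the `@@ -722,6 +872,9 @@` hunk reaches it through `jail_ips "del"` before `jail -r ${_jail_id}`; either the comment or the call order is wrong, and the comment should say which is intended. `_epairs` and `_if` are globals here while `jail_add_epair` declares `local i j _epairnum _epairif`; at least `local _if` belongs in `jail_destroy_epairs`.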
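Review bot: `jail_destroy_epairs` is now called for every `del` in the `@@ -526,7 +631,8 @@` hunk, but `_epairs` is only computed by `jail_find_epairs`, which the `@@ -695,6 +841,10 @@` hunk runs only when `_vnet` is enabled; in a stop run over several jails, a non-vnet jail processed after a vnet one therefore inherits the previous jail's `_epairs` and runs `ifconfig ${_if} -vnet` with the wrong jail id. Reset it per jail the way `_addrl` is reset on the start path, `_epairs=""` before the `checkyesno _vnet` test, or guard the call with `checkyesno _vnet`. The enclosing `jail_ips` function starts before this hunk.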
@@ -558,16 +664,16 @@ { echo -n 'Configuring jails:' set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \ - set_hostname_allow + set_hostname_allow set_sysctl jail_socket_unixiproute_only \ - security.jail.socket_unixiproute_only unixiproute_only + security.jail.socket_unixiproute_only unixiproute_only set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \ - sysvipc_allow + sysvipc_allow echo '.' echo -n 'Starting jails:' _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \ - err 3 "$name: Can't create temp dir, exiting..." + err 3 "$name: Can't create temp dir, exiting..." for _jail in ${jail_list} do init_variables $_jail @@ -576,6 +682,8 @@ continue; fi _addrl="" + _addrlv4="" + _addrlv6="" jail_ips "add" if [ -n "${_fib}" ]; then _setfib="setfib -F '${_fib}'" @@ -644,13 +752,46 @@ i=$((i + 1)) done - eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \ - /dev/null 2>&1 + else + eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ + \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \ + > ${_consolelog} 2>&1 i=$((i + 1)) done + # and set up default route + jexec "${_jail_id}" route add default ${defaultrouter} >> ${_consolelog} 2>&1 + # and now that network is set up from outside, we can fire up /etc/rc + jexec "${_jail_id}" /bin/sh /etc/rc >> ${_consolelog} 2>&1 + echo -n " $_hostname" - tail +2 ${_tmp_jail} >${_consolelog} + tail +2 ${_tmp_jail} >> ${_consolelog} echo ${_jail_id} > /var/run/jail_${_jail}.id i=0 @@ -695,6 +841,10 @@ if [ ! -z "${_jail_id}" ]; then init_variables $_jail + if checkyesno _vnet; then + jail_find_epairs + fi + i=0 while : ; do eval out=\"\${_exec_prestop${i}:-''}\" @@ -722,6 +872,9 @@ done fi jail_ips "del" + if checkyesno _vnet; then + jail -r ${_jail_id} + fi rm /var/run/jail_${_jail}.id else echo " cannot stop jail ${_jail}. No jail id in /var/run" 
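Review bot: `jexec "${_jail_id}" route add default ${defaultrouter}` in the `@@ -644,13 +752,46 @@` hunk uses the host's `defaultrouter` for every jail on this path; it is unquoted and unchecked, so an unset `defaultrouter` runs `route add default` with no gateway, and a router not reachable from the epair's subnet leaves the jail with a failed route and only a line in the console log. A per-jail setting in the init_variables style, `eval _defaultrouter=\"\${jail_${_j}_defaultrouter:-${defaultrouter}}\"`, with a `[ -n "${_defaultrouter}" ]` guard before the `route add`, would make this explicit. The hunk as shown is missing lines around the `- /dev/null 2>&1 + else` boundary, so whether the `/bin/sh /etc/rc` invocation is confined to the vnet branch and `_exec_start` adjusted for it cannot be confirmed here — if `_exec_start` still defaults to `/bin/sh /etc/rc`, the jail's rc would run twice. The enclosing loop body starts before this hunk.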
@@ -737,6 +890,11 @@ fi if [ -n "$*" ]; then jail_list="$*" +else + if [ "X${cmd}" = "Xstop" ]; then + echo "WARNING, YOU ARE STOPPING ALL JAILS, HIT CTRL-C NOW IF THIS IS NOT YOUR INTENTION" + sleep 7 + fi fi run_rc_command "${cmd}" Only in /etc/rc.d/: jail.orig Only in /usr/src/etc/rc.d: opensm Only in /etc/rc.d/: vimage Only in /usr/src/etc/defaults/: Makefile diff -ur /usr/src/etc/defaults/rc.conf /etc/defaults/rc.conf --- /usr/src/etc/defaults/rc.conf 2011-11-11 05:20:22.000000000 +0100 +++ /etc/defaults/rc.conf 2012-05-07 17:48:54.929696120 +0200 @@ -670,6 +670,7 @@ jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail +jail_vnet_enable="NO" # Use vnet within the jails # # To use rc's built-in jail infrastructure create entries for
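Review bot: The `WARNING ... sleep 7` branch fires whenever `stop` runs with no jail names, which presumably includes the non-interactive shutdown path (rc.shutdown invokes the script without arguments — confirm), so it adds a fixed delay to every reboot and prints to stdout where nobody can react. If the intent is to guard interactive use, condition it on a terminal, `if [ "X${cmd}" = "Xstop" ] && [ -t 0 ]; then`, and send the message to stderr. The `warn` helper from rc.subr, already used elsewhere in this script, would match the file's style better than a bare `echo`.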