| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
existing jails. This burned us in the freebsd cluster yesterday.
|
| |
|
|
|
|
|
|
|
|
| |
- Fix jail_parallel_start="YES".
- Fix ip[46].addr when interface parameter is not defined.
- Fix a bug which prevented jails from starting when $jail_conf was used and
no jail name was specified.
- Display error messages when start/stop fails.
Approved by: re (glebius)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Normalize jailname. "example.com" is converted to "example_com".
- Fix a bug that some $jail_{jname}_foo variables did not work.
- Fix a bug which prevented $jail_devfs_ruleset from working[1].
- Move $jail_parameters to the last of the configuraiton lines[1].
- Fix "ifname|addr" syntax support in jail_{jname}_ip.
- Create /var/run/jail_{jname}.id because ezjail-admin depends on it.
Reported by: jase [1]
Approved by: re (gjb)
|
| |
|
|
|
|
|
|
|
|
|
| |
- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.
- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.
Approved by: re (gjb)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
command line options. The "jail_<jname>_*" rc.conf(5) variables for
per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible.
- Fix a minor bug in jail(8) which prevented it from returning false
when jail -r failed.
Approved by: re (glebius)
|
| |
|
|
|
|
|
|
|
| |
Do this per jail started, not per address. This will allow DAD to complete
and services to properly start. Before we have seen problems with services
trying to start before the IPv6 address was available to use and thus
erroring and failing to start.
MFC after: 3 days
|
| |
|
|
|
|
|
| |
Submitted by: crees
Reviewed by: Mike Jakubik <mike.jakubik@intertainservices.com>
Approved by: cperciva
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
| |
systems are fully "ready to go".
'FILESYSTEMS' states: "This is a dummy dependency, for services which
require file systems to be mounted before starting." However, we have
'var' which is was run after 'FILESYSTEMS' and can mount /var if it
already isn't mounted. Furthermore, several scripts cannot use /var
until 'cleanvar' has done its thing. Thus "FILESYSTEMS" hasn't really
meant all critical file systems are fully usable.
|
| |
|
|
|
|
|
| |
- To achieve above, convert jail(8) invocation to use new style
command line "-c" flag.
Reviewed at: freebsd-jail@
|
| |
|
|
| |
will override ours instead of the other way around.
|
| |
|
|
| |
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
| |
creating stray "log" symlinks if the mount fails. That apparently
happens in some ezjail configs.
PR: conf/143084
Submitted by: Dirk Engling <erdgeist at erdgeist.org>
Reviewed by: simon
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
assignments to the literal values it would have returned.
The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.
During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.
|
| |
|
|
|
|
| |
This is a further clean up after r202988.
SYSCTL_W is still initialized in rc.subr as some ports may still use it.
|
| |
|
|
|
|
| |
rc.d'ish way.
Not objected to by: netchild
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At least in RELENG_7 this fixes some start problems for some programs
from the ports. It is also more correct, as a jail shall not expect
input (interactivity) from the jail-host.
Revert the current behavior of starting jails in the background and
make it optional only for the start of jails (jail_parallell_start=YES
in rc.conf):
- The stop can not be done in the background, the system needs to wait
until everything is stopped correctly before it can reboot or power
down.
- The start should not be done in parallel by default, this not only
breaks POLA for people comming from RELENG_x, it may also break a
dependency chain with other scripts in the jail-host, which need to
do some stuff after the jails are up and running (e.g. hardlinking
a mysql socket from one jail into another one).
Discussed on: freebsd-jails@
|
| |
|
|
|
|
|
|
|
|
|
| |
This will prevent that the script hangs during startup, which
could cause annoying effects after rebooting for example.
PR: kern/139422
Submitted by: Andrey Groshev <greenx at yartv dot ru>
Approved by: imp (mentor, implicit)
MFC after: 3 days
Facilitated by: Snow B.V.
|
| |
|
|
|
|
|
|
|
| |
- Remove redundant debugging of consolelog.
- Use `while :', instead of `while [ true ]'. This is done in other
places as well.
Submitted by: Jille Timmermans <jille quis cx> (not jilles)
Reviewed by: jilles
|
| |
|
|
|
|
|
|
| |
arbitrary commands (outside the jail) associated with said events,
e.g. to bring up/down CARP interfaces representing services run in
jails.
Reviewed by: simon
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Note: this is only really necessary because of the ifconfig
logic to add/remove the jail IPs upon start/stop.
Consensus among simon and I is that the logic should
really be factored out from the startup script and put
into a proper management solution.
- We now support starting of no-IP jails.
- Remove the global jail_<jname>_netmask option as it is only
helpful to set netmasks/prefixes for the right address
family and per address.
- Implement jail_<jname>_ip options to support both
address familes with regard to ifconfig logic.
- Implement _multi<n> support suffix to the jail_<jname>_ip
option to configure additional addresses to avoid overlong,
unreadbale jail_<jname>_ip lines with lots of addresses.
Submitted by: initial work from Ruben van Staveren
Discussed on: freebsd-jail in Nov 2008.
Reviewed by: simon, ru (partial, older version)
MFC after: 1 week
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
| |
Reviewed by: secteam (simon)
Reviewed by: brooks, bz
|
| | |
|
| |
|
|
| |
MFC after: 1 week
|
| | |
|
| |
|
|
|
|
| |
/var/log/console.log and mount points.
Security: FreeBSD-SA-07:01.jail
|
| |
|
|
|
|
|
|
| |
in a previous commit to avoid namespace collisions, unfortunately I missed two
of them. This leads to the ip alias being incorrectly removed in some cases
when using the stop command.
Reported by: Philipp Wuensche <cryx-freebsd@h3q.com>
|
| |
|
|
|
|
|
|
|
|
| |
1,2 and so on.
It specifies the command to be run as Nth after jail startup.
sh(1)-fu by: Dario Freni
PR: conf/97697
MFC after: 2 weeks
Reviewed by: ru@ (man page)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
issue where some global jail_* variables were overriden in the script. [1]
- Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a
jail id. [1]
- Update examples and comments in defaults/rc.conf to advertise new
variables and the fact that some of the jail-specific variables may be made
jail-global. [2]
Reported by: pjd [1], clsung [2]
Approved by: cperciva
X-MFC after: i got sufficient testing from people using rc.d/jail
|
| |
|
|
|
|
| |
jail_foobar_mount_enable were set, umount those filesystem before exiting. If we set up an alias for jail's IP, remove that alias before exiting.
MFC after: 2 weeks
|
| |
|
|
|
|
|
| |
with the error.
PR: conf/97024
MFC after: 1 week
|
| |
|
|
|
| |
Reported by: Dirk Engling <erdgeist@erdgeist.org>
Pointyhat to: self
|
| |
|
|
|
| |
Approved by: cperciva (mentor)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
set:
* jail_mount_enable
* jail_devfs_ruleset
* jail_devfs_enable
* jail_fdescfs_enable
* jail_procfs_enable
* jail_fstab
* jail_flags
- Add a jail_interface / jail_<jid>_interface option. An ip alias will be
created (jail_<jid>_ip) on jail_interface or jail_<jid>_interface if set.
This is not a mandatory option.
- Document all missing jail_* options in rc.conf(5).
Approved by: cperciva (mentor)
MFC after: 2 weeks
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
| |
We're checking for /var/run/jail_<name>.id file and if it exists, we don't
start the jail. It should be also safe in case of reboot(8), because
rc.d/cleanvar script is going to remove /var/run/jail_* files.
It helps to avoid potential mess when the same jail is started twice,
because of an administrator mistake (been there, done that).
MFC after: 1 week
|
| |
|
|
|
|
| |
# /etc/rc.d/jail start www mail
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
| |
jail(8) flags (before the change we had hardcoded "-l -U root").
Submitted by: Frank Behrens <frank@pinky.sax.de>
PR: conf/80244
Approved by: re (scottl)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
to see if a prior devfs has been mounted. If no devfs is mounted on
${jail_devdir}/dev then proceed. This will prevent the stack up of
multiple devfs mounts on the same mount point.
Discussed with: pjd
MFC after: 1 week
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Feature: for flexibility reasons and as a prerequisite to clean
shutdowns, allow the configuration of a stop/shutdown command
via rc.conf variable "jail_<name>_exec_stop" in addition to the
start/boot command (rc.conf variable "jail_<name>_exec_start"). For
backward compatibility reasons, rc.conf variable "jail_<name>_exec"
is still supported, too.
2. Debug: Add the used boot/shutdown commands to the debug output of
the /etc/rc.d/jail script, too.
3. Security: Run the Jail start/boot command in a cleaned environment
to not leak information from the host to the Jail during startup.
4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on
"/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail
before its processes are just killed.
5. Bugfix: When killing the remaining Jail processes give the processes
time to actually perform their termination sequence. Without this the
subsequent umount(8) operations usually fail because the resources
are still in use. Additionally, if after trying to TERM-inate the
processes there are still processes hanging around, finally just KILL
them.
6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/*
scripts which are flagged with the KEYWORD "nojail" to allow the
correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh
/etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail.
Now the following typical host-configuration for two Jails works as
expected and correctly boots and shutdowns the Jails:
-----------------------------------------------------------
# /etc/rc.conf:
jail_enable="YES"
jail_list="foo bar"
jail_foo_rootdir="/j/foo"
jail_foo_hostname="foo.example.com"
jail_foo_ip="192.168.0.1"
jail_foo_devfs_enable="YES"
jail_foo_mount_enable="YES"
jail_foo_exec_start="/bin/sh /etc/rc"
jail_foo_exec_stop="/bin/sh /etc/rc.shutdown"
jail_bar_rootdir="/j/bar"
jail_bar_hostname="bar.example.com"
jail_bar_ip="192.168.0.2"
jail_bar_devfs_enable="YES"
jail_bar_mount_enable="YES"
jail_bar_exec_start="/path/to/kjailer -v"
jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'"
-----------------------------------------------------------
# /etc/fstab.foo
/v/foo /j/foo/v/foo nullfs rw 0 0
-----------------------------------------------------------
# /etc/fstab.bar
/v/bar /j/bar/v/bar nullfs rw 0 0
-----------------------------------------------------------
Reviewed by: freebsd-hackers
MFC after: 2 weeks
|
| |
|
|
| |
Spotted by: ceri
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
this feature for a jail named foo :
jail_foo_mount_enable="YES"
jail_foo_fstab="/etc/fstab.foo"
The second line is actually useless, since the code defaults to
using "/etc/fstab.$jailname" as the fstab file if none is specified.
MFC after: 3 days
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
|
| |
|
|
|
|
|
| |
makes any sense.
Discussed with: dougb, brooks
MFC after: 3 days
|
| |
|
|
|
|
| |
they are empty or undefined.
MFC after: 3 days
|
| |
|
|
| |
Submitted by: Jon Passki <cykyc@yahoo.com>
|
| |
|
|
| |
Some suggestions from: rwatson, Ruben de Groot <mail25@bzerk.org>
|
| |
|
|
|
|
|
|
|
| |
I committed it. Apologies to Juergen Unger <j.unger@addict.de>.
o When stopping jails output the hostname of the jails that
were stopped.
o Refactor
o Remove extraneous empty line
o Correct spelling error
|
| |
|
|
|
| |
what the rc.conf(5) knob specifies. Also, correct a minor
capitalization error.
|
