authorcryx <cryx@h3q.com>2009-12-28 22:09:17 +0000
committercryx <cryx@h3q.com>2009-12-28 22:09:17 +0000
commit7fd24086946f90347adc59a61beec621b555bdd7 (patch)
treee1d0d6d2c973410fcb8dc06ba100eb4c4397aae4
parent12cf0c4f2130411e6408433d411eae8ee21e6da2 (diff)
Support for setting and using jail-bound ZFS datasets, cpuset(1) and setfib(1).
Jail-bound ZFS datasets still need the usual zfs+jail stuff like security.jail.mount_allowed=1 and security.jail.enforce_statfs=0 as well as "add path zfs unhide" in the devfs.rules for the jail. The setfib utility requires FIBs to be enabled via kernel-config. All features need at least FreeBSD 7.1-RELEASE.
-rwxr-xr-xezjail-admin116
-rwxr-xr-xezjail.sh16
2 files changed, 127 insertions, 5 deletions
diff --git a/ezjail-admin b/ezjail-admin
index 1ba7fc9..b0fb6f8 100755
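--- a/ezjail-admin
+++ b/ezjail-admin
@@ -46,7 +46,7 @@ ezjail_usage_install="Usage: ${ezjail_admin} install [-mMpPsS] [-h host] [-r rel
 ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli|zfs] [-C args] [-a archive] jailname jailip"
 ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname"
 ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)"
-ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-i attach|detach|fsck] jailname"
+ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-c cpuset] [-z zfs-datasets] [-f fib] [-i attach|detach|fsck] jailname"
 ezjail_usage_console="Usage: ${ezjail_admin} console [-f] [-e command] jailname"
 ezjail_usage_archive="Usage: ${ezjail_admin} archive [-Af] [-a archive] [-d archivedir] jailname [jailname...]"
 ezjail_usage_restore="Usage: ${ezjail_admin} restore [-f] [-d archivedir] (archive|jailname)..."
@@ -170,6 +170,9 @@ fetchjailinfo () {
  eval ezjail_attachparams=\"\$jail_${ezjail_safename}_attachparams\"
  eval ezjail_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\"
  eval ezjail_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\"
+ eval ezjail_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\"
+ eval ezjail_cpuset=\"\$jail_${ezjail_safename}_cpuset\"
+ eval ezjail_fib=\"\$jail_${ezjail_safename}_fib\"
 
  ezjail_softlink=${ezjail_jaildir}/`basename -- "${ezjail_rootdir}"`
  ezjail_devicelink="${ezjail_rootdir}.device"
@@ -615,6 +618,9 @@ create)
  echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\"
  echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\"
  echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\"
+ echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\"
+ echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\"
+ echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\"
  ) > "${ezjail_config}"
 
  # Final steps for flavour installation
@@ -1142,12 +1148,15 @@ restore)
 ######################## ezjail-admin CONFIG ########################
 config)
  # Clean variables, prevent polution
- unset ezjail_setrunnable ezjail_imageaction ezjail_new_name
+ unset ezjail_setrunnable ezjail_imageaction ezjail_new_name ezjail_new_zfs_datasets ezjail_new_cpuset ezjail_new_fib
 
- shift; while getopts :r:i:n: arg; do case ${arg} in
+ shift; while getopts :r:i:n:z:c:f: arg; do case ${arg} in
  i) ezjail_imageaction=${OPTARG};;
  r) ezjail_setrunnable=${OPTARG};;
  n) ezjail_new_name=${OPTARG};;
+ z) ezjail_new_zfs_datasets=${OPTARG};;
+ c) ezjail_new_cpuset=${OPTARG};;
+ f) ezjail_new_fib=${OPTARG};;
  ?) exerr ${ezjail_usage_config};;
  esac; done; shift $(( ${OPTIND} - 1 ))
 
@@ -1160,7 +1169,7 @@ config)
  [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}."
 
  # Nothing to be configured?
- [ "${ezjail_setrunnable}" -o "${ezjail_new_name}" -o "${ezjail_imageaction}" ] || echo "Warning: No config option specified."
+ [ "${ezjail_setrunnable}" -o "${ezjail_new_name}" -o "${ezjail_imageaction}" -o "${ezjail_new_zfs_datasets}" -o "${ezjail_new_cpuset}" -o "${ezjail_new_fib}" ] || echo "Warning: No config option specified."
 
  # Do we want a new name for our jail?
  if [ "${ezjail_new_name}" ]; then
@@ -1190,12 +1199,15 @@ config)
  eval ezjail_new_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\"
  eval ezjail_new_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\"
  eval ezjail_new_imagetype=\"\$jail_${ezjail_safename}_imagetype\"
+ eval ezjail_new_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\"
+ eval ezjail_new_cpuset=\"\$jail_${ezjail_safename}_cpuset\"
+ eval ezjail_new_fib=\"\$jail_${ezjail_safename}_fib\"
 
  # This scenario really will only lead to real troubles in the 'fulljail'
  # case, but I should still explain this to the user and not claim that
  # "an ezjail would already exist"
  case ${ezjail_new_hostname} in basejail|newjail|fulljail|flavours|ezjailtemp) exerr "Error: ezjail needs the ${ezjail_new_hostname} directory for its own administrative purposes.\n Please chose another name.";; esac
 
  # jail names may lead to identical configs, eg. foo.bar.com == foo-bar.com
  # so check, whether we might be running into problems
  [ -e "${ezjail_new_config}" -o -e "${ezjail_new_config}.norun" ] && exerr "Error: An ezjail config already exists at ${ezjail_new_config}.\n Please chose another name."
@@ -1264,6 +1276,9 @@ config)
  echo export jail_${ezjail_new_safename}_attachparams=\"${ezjail_new_attachparams}\"
  echo export jail_${ezjail_new_safename}_attachblocking=\"${ezjail_new_attachblocking}\"
  echo export jail_${ezjail_new_safename}_forceblocking=\"${ezjail_new_forceblocking}\"
+ echo export jail_${ezjail_new_safename}_zfs_datasets=\"${ezjail_new_zfs_datasets}\"
+ echo export jail_${ezjail_new_safename}_cpuset=\"${ezjail_new_cpuset}\"
+ echo export jail_${ezjail_new_safename}_fib=\"${ezjail_new_fib}\"
  ) > "${ezjail_new_config}"
 
  # remove old config
@@ -1278,6 +1293,97 @@ config)
  fetchjailinfo ${ezjail_new_safename}
  fi
 
+ if [ "${ezjail_new_zfs_datasets}" ]; then
+ # if jail is still running, refuse to go any further
+ [ "${ezjail_id}" ] && exerr "Error: Jail appears to be still running.\n '${ezjail_admin} stop ${ezjail_name}' it first ."
+
+ # write new config file, preserve comments
+ (
+ grep -e ^\# "${ezjail_config}"
+ echo
+ echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\"
+ echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\"
+ echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\"
+ echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\"
+ echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\"
+ echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\"
+ echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\"
+ echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\"
+ echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\"
+ echo export jail_${ezjail_safename}_image=\"${ezjail_image}\"
+ echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\"
+ echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\"
+ echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\"
+ echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\"
+ echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_new_zfs_datasets}\"
+ echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\"
+ echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\"
+ ) > "${ezjail_config}_"
+ mv "${ezjail_config}_" "${ezjail_config}"
+ fi
+
+ if [ "${ezjail_new_cpuset}" ]; then
+ # configure the new cpuset if the jail is currently running
+ [ "${ezjail_id}" ] && /usr/bin/cpuset -l ${ezjail_new_cpuset} -j ${ezjail_id} || exerr "Error: The defined cpuset is malformed"
+
+ # write new config file, preserve comments
+ (
+ grep -e ^\# "${ezjail_config}"
+ echo
+ echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\"
+ echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\"
+ echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\"
+ echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\"
+ echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\"
+ echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\"
+ echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\"
+ echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\"
+ echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\"
+ echo export jail_${ezjail_safename}_image=\"${ezjail_image}\"
+ echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\"
+ echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\"
+ echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\"
+ echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\"
+ echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\"
+ echo export jail_${ezjail_safename}_cpuset=\"${ezjail_new_cpuset}\"
+ echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\"
+ ) > "${ezjail_config}_"
+ mv "${ezjail_config}_" "${ezjail_config}"
+
+ fi
+
+ if [ "${ezjail_new_fib}" ]; then
+ # if jail is still running, refuse to go any further
+ [ "${ezjail_id}" ] && exerr "Error: Jail appears to be still running.\n '${ezjail_admin} stop ${ezjail_name}' it first ."
+ [ "${ezjail_new_fib}" -ge "0" ] && exerr "Error: fib number has to be an integer."
+
+ # write new config file, preserve comments
+ (
+ grep -e ^\# "${ezjail_config}"
+ echo
+ echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\"
+ echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\"
+ echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\"
+ echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\"
+ echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\"
+ echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\"
+ echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\"
+ echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\"
+ echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\"
+ echo export jail_${ezjail_safename}_image=\"${ezjail_image}\"
+ echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\"
+ echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\"
+ echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\"
+ echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\"
+ echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\"
+ echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\"
+ echo export jail_${ezjail_safename}_fib=\"${ezjail_new_fib}\"
+ ) > "${ezjail_config}_"
+ mv "${ezjail_config}_" "${ezjail_config}"
+
+ fi
+
+
  case "${ezjail_setrunnable}" in
  run) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] || mv "${ezjail_config}" "${ezjail_config%.norun}";;
  norun) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] && mv "${ezjail_config}" "${ezjail_config}.norun" ;;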
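Review bot: The fib check added in the `-f` block of `config)` is inverted: `[ "${ezjail_new_fib}" -ge "0" ] && exerr …` exits on every valid non-negative integer, while a non-numeric value only makes `[` fail and falls through into the jail config, which looks like a file that is later sourced as shell (its lines are `export …` statements). A pattern test rejects what it should: `case "${ezjail_new_fib}" in ''|*[!0-9]*) exerr "Error: fib number has to be an integer.";; esac`. The cpuset block has a related problem, because `[ "${ezjail_id}" ] && /usr/bin/cpuset … || exerr …` also reaches `exerr` when the jail is not running, so a cpuset cannot be stored for a stopped jail; wrapping the cpuset call in `if [ "${ezjail_id}" ]; then … fi` avoids that. The `-z` and `-c` values are written to the config without any validation either, and since each of the three blocks rewrites the file using the old values of the other two settings, combining the options in one call appears to keep only the last change.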
diff --git a/ezjail.sh b/ezjail.sh
index 6df6358..eb5e251 100755
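--- a/ezjail.sh
+++ b/ezjail.sh
@@ -65,6 +65,8 @@ do_cmd()
  eval ezjail_attachparams=\"\$jail_${ezjail}_attachparams\"
  eval ezjail_attachblocking=\"\$jail_${ezjail}_attachblocking\"
  eval ezjail_forceblocking=\"\$jail_${ezjail}_forceblocking\"
+ eval ezjail_zfs_datasets=\"\$jail_${ezjail}_zfs_datasets\"
+ eval ezjail_cpuset=\"\$jail_${ezjail}_cpuset\"
 
  # Do we still have a root to run in?
  [ ! -d "${ezjail_rootdir}" ] && echo " Warning: root directory ${ezjail_rootdir} of ${ezjail} does not exist." && continue
@@ -88,6 +90,20 @@ do_cmd()
  # Pass control to jail script which does the actual work
  [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass}
 
+ if [ "${action}" = "start" ]; then
+ ezjail_safename=`echo -n "${ezjail}" | tr -c '[:alnum:]' _`
+ # Get the JID of the jail
+ [ -f "/var/run/jail_${ezjail_safename}.id" ] && ezjail_id=`cat /var/run/jail_${ezjail_safename}.id` || return
+
+ # Attach ZFS-datasets to the jail
+ for zfs in ${ezjail_zfs_datasets}; do
+ /sbin/zfs jail ${ezjail_id} ${zfs} ||�echo -n "Error: ${zfs} could not be configured"
+ done
+
+ # Configure processor sets for the jail via cpuset(1)
+ [ "${ezjail_cpuset}" ] && /usr/bin/cpuset -l ${ezjail_cpuset} -j ${ezjail_id} || echo -n "Error: The defined cpuset is malformed"
+ fi
+
  # Can only detach after unmounting (from fstab.JAILNAME in /etc/rc.d/jail)
  attach_detach_post
 }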
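Review bot: The cpuset line in the new `start` block prints "Error: The defined cpuset is malformed" for every jail that has no cpuset configured, because in `[ "${ezjail_cpuset}" ] && /usr/bin/cpuset … || echo …` the `||` branch also runs when the first test is false. Writing it as `if [ "${ezjail_cpuset}" ]; then /usr/bin/cpuset -l ${ezjail_cpuset} -j ${ezjail_id} || echo -n "Error: The defined cpuset is malformed"; fi` keeps the message for real failures. The `|| return` on the JID lookup leaves do_cmd before `attach_detach_post` runs and, since the earlier hunk uses `continue`, probably in the middle of a loop over jails, so one missing id file would skip the post-detach step and the remaining jails. In the zfs loop the character between `||` and `echo` does not appear to be a plain space, which would make the shell look up some other command name instead of `echo` when `zfs jail` fails. do_cmd starts outside the hunk.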