diff options
author | cryx <cryx@h3q.com> | 2009-12-28 22:09:17 +0000 |
---|---|---|
committer | cryx <cryx@h3q.com> | 2009-12-28 22:09:17 +0000 |
commit | 7fd24086946f90347adc59a61beec621b555bdd7 (patch) | |
tree | e1d0d6d2c973410fcb8dc06ba100eb4c4397aae4 | |
parent | 12cf0c4f2130411e6408433d411eae8ee21e6da2 (diff) |
Support for setting and using jail-bound ZFS datasets, cpuset(1) and setfib(1).
Jail-bound ZFS datasets still need the usual zfs+jail stuff like security.jail.mount_allowed=1 and security.jail.enforce_statfs=0 as well as "add path zfs unhide" in the devfs.rules for the jail.
The setfib utility requires FIBs to be enabled via kernel-config.
All features need at least FreeBSD 7.1-RELEASE.
-rwxr-xr-x | ezjail-admin | 116 | ||||
-rwxr-xr-x | ezjail.sh | 16 |
2 files changed, 127 insertions, 5 deletions
diff --git a/ezjail-admin b/ezjail-admin index 1ba7fc9..b0fb6f8 100755 --- a/ezjail-admin +++ b/ezjail-admin | |||
@@ -46,7 +46,7 @@ ezjail_usage_install="Usage: ${ezjail_admin} install [-mMpPsS] [-h host] [-r rel | |||
46 | ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli|zfs] [-C args] [-a archive] jailname jailip" | 46 | ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli|zfs] [-C args] [-a archive] jailname jailip" |
47 | ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname" | 47 | ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname" |
48 | ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)" | 48 | ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)" |
49 | ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-i attach|detach|fsck] jailname" | 49 | ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-c cpuset] [-z zfs-datasets] [-f fib] [-i attach|detach|fsck] jailname" |
50 | ezjail_usage_console="Usage: ${ezjail_admin} console [-f] [-e command] jailname" | 50 | ezjail_usage_console="Usage: ${ezjail_admin} console [-f] [-e command] jailname" |
51 | ezjail_usage_archive="Usage: ${ezjail_admin} archive [-Af] [-a archive] [-d archivedir] jailname [jailname...]" | 51 | ezjail_usage_archive="Usage: ${ezjail_admin} archive [-Af] [-a archive] [-d archivedir] jailname [jailname...]" |
52 | ezjail_usage_restore="Usage: ${ezjail_admin} restore [-f] [-d archivedir] (archive|jailname)..." | 52 | ezjail_usage_restore="Usage: ${ezjail_admin} restore [-f] [-d archivedir] (archive|jailname)..." |
@@ -170,6 +170,9 @@ fetchjailinfo () { | |||
170 | eval ezjail_attachparams=\"\$jail_${ezjail_safename}_attachparams\" | 170 | eval ezjail_attachparams=\"\$jail_${ezjail_safename}_attachparams\" |
171 | eval ezjail_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\" | 171 | eval ezjail_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\" |
172 | eval ezjail_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\" | 172 | eval ezjail_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\" |
173 | eval ezjail_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\" | ||
174 | eval ezjail_cpuset=\"\$jail_${ezjail_safename}_cpuset\" | ||
175 | eval ezjail_fib=\"\$jail_${ezjail_safename}_fib\" | ||
173 | 176 | ||
174 | ezjail_softlink=${ezjail_jaildir}/`basename -- "${ezjail_rootdir}"` | 177 | ezjail_softlink=${ezjail_jaildir}/`basename -- "${ezjail_rootdir}"` |
175 | ezjail_devicelink="${ezjail_rootdir}.device" | 178 | ezjail_devicelink="${ezjail_rootdir}.device" |
@@ -615,6 +618,9 @@ create) | |||
615 | echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" | 618 | echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" |
616 | echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" | 619 | echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" |
617 | echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" | 620 | echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" |
621 | echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\" | ||
622 | echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\" | ||
623 | echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\" | ||
618 | ) > "${ezjail_config}" | 624 | ) > "${ezjail_config}" |
619 | 625 | ||
620 | # Final steps for flavour installation | 626 | # Final steps for flavour installation |
@@ -1142,12 +1148,15 @@ restore) | |||
1142 | ######################## ezjail-admin CONFIG ######################## | 1148 | ######################## ezjail-admin CONFIG ######################## |
1143 | config) | 1149 | config) |
1144 | # Clean variables, prevent polution | 1150 | # Clean variables, prevent polution |
1145 | unset ezjail_setrunnable ezjail_imageaction ezjail_new_name | 1151 | unset ezjail_setrunnable ezjail_imageaction ezjail_new_name ezjail_new_zfs_datasets ezjail_new_cpuset ezjail_new_fib |
1146 | 1152 | ||
1147 | shift; while getopts :r:i:n: arg; do case ${arg} in | 1153 | shift; while getopts :r:i:n:z:c:f: arg; do case ${arg} in |
1148 | i) ezjail_imageaction=${OPTARG};; | 1154 | i) ezjail_imageaction=${OPTARG};; |
1149 | r) ezjail_setrunnable=${OPTARG};; | 1155 | r) ezjail_setrunnable=${OPTARG};; |
1150 | n) ezjail_new_name=${OPTARG};; | 1156 | n) ezjail_new_name=${OPTARG};; |
1157 | z) ezjail_new_zfs_datasets=${OPTARG};; | ||
1158 | c) ezjail_new_cpuset=${OPTARG};; | ||
1159 | f) ezjail_new_fib=${OPTARG};; | ||
1151 | ?) exerr ${ezjail_usage_config};; | 1160 | ?) exerr ${ezjail_usage_config};; |
1152 | esac; done; shift $(( ${OPTIND} - 1 )) | 1161 | esac; done; shift $(( ${OPTIND} - 1 )) |
1153 | 1162 | ||
@@ -1160,7 +1169,7 @@ config) | |||
1160 | [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}." | 1169 | [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}." |
1161 | 1170 | ||
1162 | # Nothing to be configured? | 1171 | # Nothing to be configured? |
1163 | [ "${ezjail_setrunnable}" -o "${ezjail_new_name}" -o "${ezjail_imageaction}" ] || echo "Warning: No config option specified." | 1172 | [ "${ezjail_setrunnable}" -o "${ezjail_new_name}" -o "${ezjail_imageaction}" -o "${ezjail_new_zfs_datasets}" -o "${ezjail_new_cpuset}" -o "${ezjail_new_fib}" ] || echo "Warning: No config option specified." |
1164 | 1173 | ||
1165 | # Do we want a new name for our jail? | 1174 | # Do we want a new name for our jail? |
1166 | if [ "${ezjail_new_name}" ]; then | 1175 | if [ "${ezjail_new_name}" ]; then |
@@ -1190,12 +1199,15 @@ config) | |||
1190 | eval ezjail_new_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\" | 1199 | eval ezjail_new_attachblocking=\"\$jail_${ezjail_safename}_attachblocking\" |
1191 | eval ezjail_new_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\" | 1200 | eval ezjail_new_forceblocking=\"\$jail_${ezjail_safename}_forceblocking\" |
1192 | eval ezjail_new_imagetype=\"\$jail_${ezjail_safename}_imagetype\" | 1201 | eval ezjail_new_imagetype=\"\$jail_${ezjail_safename}_imagetype\" |
1202 | eval ezjail_new_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\" | ||
1203 | eval ezjail_new_cpuset=\"\$jail_${ezjail_safename}_cpuset\" | ||
1204 | eval ezjail_new_fib=\"\$jail_${ezjail_safename}_fib\" | ||
1193 | 1205 | ||
1194 | # This scenario really will only lead to real troubles in the 'fulljail' | 1206 | # This scenario really will only lead to real troubles in the 'fulljail' |
1195 | # case, but I should still explain this to the user and not claim that | 1207 | # case, but I should still explain this to the user and not claim that |
1196 | # "an ezjail would already exist" | 1208 | # "an ezjail would already exist" |
1197 | case ${ezjail_new_hostname} in basejail|newjail|fulljail|flavours|ezjailtemp) exerr "Error: ezjail needs the ${ezjail_new_hostname} directory for its own administrative purposes.\n Please chose another name.";; esac | 1209 | case ${ezjail_new_hostname} in basejail|newjail|fulljail|flavours|ezjailtemp) exerr "Error: ezjail needs the ${ezjail_new_hostname} directory for its own administrative purposes.\n Please chose another name.";; esac |
1198 | 1210 | ||
1199 | # jail names may lead to identical configs, eg. foo.bar.com == foo-bar.com | 1211 | # jail names may lead to identical configs, eg. foo.bar.com == foo-bar.com |
1200 | # so check, whether we might be running into problems | 1212 | # so check, whether we might be running into problems |
1201 | [ -e "${ezjail_new_config}" -o -e "${ezjail_new_config}.norun" ] && exerr "Error: An ezjail config already exists at ${ezjail_new_config}.\n Please chose another name." | 1213 | [ -e "${ezjail_new_config}" -o -e "${ezjail_new_config}.norun" ] && exerr "Error: An ezjail config already exists at ${ezjail_new_config}.\n Please chose another name." |
@@ -1264,6 +1276,9 @@ config) | |||
1264 | echo export jail_${ezjail_new_safename}_attachparams=\"${ezjail_new_attachparams}\" | 1276 | echo export jail_${ezjail_new_safename}_attachparams=\"${ezjail_new_attachparams}\" |
1265 | echo export jail_${ezjail_new_safename}_attachblocking=\"${ezjail_new_attachblocking}\" | 1277 | echo export jail_${ezjail_new_safename}_attachblocking=\"${ezjail_new_attachblocking}\" |
1266 | echo export jail_${ezjail_new_safename}_forceblocking=\"${ezjail_new_forceblocking}\" | 1278 | echo export jail_${ezjail_new_safename}_forceblocking=\"${ezjail_new_forceblocking}\" |
1279 | echo export jail_${ezjail_new_safename}_zfs_datasets=\"${ezjail_new_zfs_datasets}\" | ||
1280 | echo export jail_${ezjail_new_safename}_cpuset=\"${ezjail_new_cpuset}\" | ||
1281 | echo export jail_${ezjail_new_safename}_fib=\"${ezjail_new_fib}\" | ||
1267 | ) > "${ezjail_new_config}" | 1282 | ) > "${ezjail_new_config}" |
1268 | 1283 | ||
1269 | # remove old config | 1284 | # remove old config |
@@ -1278,6 +1293,97 @@ config) | |||
1278 | fetchjailinfo ${ezjail_new_safename} | 1293 | fetchjailinfo ${ezjail_new_safename} |
1279 | fi | 1294 | fi |
1280 | 1295 | ||
1296 | if [ "${ezjail_new_zfs_datasets}" ]; then | ||
1297 | # if jail is still running, refuse to go any further | ||
1298 | [ "${ezjail_id}" ] && exerr "Error: Jail appears to be still running.\n '${ezjail_admin} stop ${ezjail_name}' it first ." | ||
1299 | |||
1300 | # write new config file, preserve comments | ||
1301 | ( | ||
1302 | grep -e ^\# "${ezjail_config}" | ||
1303 | echo | ||
1304 | echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\" | ||
1305 | echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\" | ||
1306 | echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\" | ||
1307 | echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\" | ||
1308 | echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\" | ||
1309 | echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\" | ||
1310 | echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\" | ||
1311 | echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\" | ||
1312 | echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" | ||
1313 | echo export jail_${ezjail_safename}_image=\"${ezjail_image}\" | ||
1314 | echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\" | ||
1315 | echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" | ||
1316 | echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" | ||
1317 | echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" | ||
1318 | echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_new_zfs_datasets}\" | ||
1319 | echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\" | ||
1320 | echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\" | ||
1321 | ) > "${ezjail_config}_" | ||
1322 | mv "${ezjail_config}_" "${ezjail_config}" | ||
1323 | fi | ||
1324 | |||
1325 | if [ "${ezjail_new_cpuset}" ]; then | ||
1326 | # configure the new cpuset if the jail is currently running | ||
1327 | [ "${ezjail_id}" ] && /usr/bin/cpuset -l ${ezjail_new_cpuset} -j ${ezjail_id} || exerr "Error: The defined cpuset is malformed" | ||
1328 | |||
1329 | # write new config file, preserve comments | ||
1330 | ( | ||
1331 | grep -e ^\# "${ezjail_config}" | ||
1332 | echo | ||
1333 | echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\" | ||
1334 | echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\" | ||
1335 | echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\" | ||
1336 | echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\" | ||
1337 | echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\" | ||
1338 | echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\" | ||
1339 | echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\" | ||
1340 | echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\" | ||
1341 | echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" | ||
1342 | echo export jail_${ezjail_safename}_image=\"${ezjail_image}\" | ||
1343 | echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\" | ||
1344 | echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" | ||
1345 | echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" | ||
1346 | echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" | ||
1347 | echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\" | ||
1348 | echo export jail_${ezjail_safename}_cpuset=\"${ezjail_new_cpuset}\" | ||
1349 | echo export jail_${ezjail_safename}_fib=\"${ezjail_fib}\" | ||
1350 | ) > "${ezjail_config}_" | ||
1351 | mv "${ezjail_config}_" "${ezjail_config}" | ||
1352 | |||
1353 | fi | ||
1354 | |||
1355 | if [ "${ezjail_new_fib}" ]; then | ||
1356 | # if jail is still running, refuse to go any further | ||
1357 | [ "${ezjail_id}" ] && exerr "Error: Jail appears to be still running.\n '${ezjail_admin} stop ${ezjail_name}' it first ." | ||
1358 | [ "${ezjail_new_fib}" -ge "0" ] && exerr "Error: fib number has to be an integer." | ||
1359 | |||
1360 | # write new config file, preserve comments | ||
1361 | ( | ||
1362 | grep -e ^\# "${ezjail_config}" | ||
1363 | echo | ||
1364 | echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\" | ||
1365 | echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\" | ||
1366 | echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\" | ||
1367 | echo export jail_${ezjail_safename}_exec=\"${ezjail_exec}\" | ||
1368 | echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\" | ||
1369 | echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\" | ||
1370 | echo export jail_${ezjail_safename}_devfs_ruleset=\"${ezjail_devfs_ruleset}\" | ||
1371 | echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\" | ||
1372 | echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" | ||
1373 | echo export jail_${ezjail_safename}_image=\"${ezjail_image}\" | ||
1374 | echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\" | ||
1375 | echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" | ||
1376 | echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" | ||
1377 | echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" | ||
1378 | echo export jail_${ezjail_safename}_zfs_datasets=\"${ezjail_zfs_datasets}\" | ||
1379 | echo export jail_${ezjail_safename}_cpuset=\"${ezjail_cpuset}\" | ||
1380 | echo export jail_${ezjail_safename}_fib=\"${ezjail_new_fib}\" | ||
1381 | ) > "${ezjail_config}_" | ||
1382 | mv "${ezjail_config}_" "${ezjail_config}" | ||
1383 | |||
1384 | fi | ||
1385 | |||
1386 | |||
1281 | case "${ezjail_setrunnable}" in | 1387 | case "${ezjail_setrunnable}" in |
1282 | run) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] || mv "${ezjail_config}" "${ezjail_config%.norun}";; | 1388 | run) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] || mv "${ezjail_config}" "${ezjail_config%.norun}";; |
1283 | norun) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] && mv "${ezjail_config}" "${ezjail_config}.norun" ;; | 1389 | norun) [ "${ezjail_config}" = "${ezjail_config%.norun}" ] && mv "${ezjail_config}" "${ezjail_config}.norun" ;; |
@@ -65,6 +65,8 @@ do_cmd() | |||
65 | eval ezjail_attachparams=\"\$jail_${ezjail}_attachparams\" | 65 | eval ezjail_attachparams=\"\$jail_${ezjail}_attachparams\" |
66 | eval ezjail_attachblocking=\"\$jail_${ezjail}_attachblocking\" | 66 | eval ezjail_attachblocking=\"\$jail_${ezjail}_attachblocking\" |
67 | eval ezjail_forceblocking=\"\$jail_${ezjail}_forceblocking\" | 67 | eval ezjail_forceblocking=\"\$jail_${ezjail}_forceblocking\" |
68 | eval ezjail_zfs_datasets=\"\$jail_${ezjail}_zfs_datasets\" | ||
69 | eval ezjail_cpuset=\"\$jail_${ezjail}_cpuset\" | ||
68 | 70 | ||
69 | # Do we still have a root to run in? | 71 | # Do we still have a root to run in? |
70 | [ ! -d "${ezjail_rootdir}" ] && echo " Warning: root directory ${ezjail_rootdir} of ${ezjail} does not exist." && continue | 72 | [ ! -d "${ezjail_rootdir}" ] && echo " Warning: root directory ${ezjail_rootdir} of ${ezjail} does not exist." && continue |
@@ -88,6 +90,20 @@ do_cmd() | |||
88 | # Pass control to jail script which does the actual work | 90 | # Pass control to jail script which does the actual work |
89 | [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass} | 91 | [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass} |
90 | 92 | ||
93 | if [ "${action}" = "start" ]; then | ||
94 | ezjail_safename=`echo -n "${ezjail}" | tr -c '[:alnum:]' _` | ||
95 | # Get the JID of the jail | ||
96 | [ -f "/var/run/jail_${ezjail_safename}.id" ] && ezjail_id=`cat /var/run/jail_${ezjail_safename}.id` || return | ||
97 | |||
98 | # Attach ZFS-datasets to the jail | ||
99 | for zfs in ${ezjail_zfs_datasets}; do | ||
100 | /sbin/zfs jail ${ezjail_id} ${zfs} ||�echo -n "Error: ${zfs} could not be configured" | ||
101 | done | ||
102 | |||
103 | # Configure processor sets for the jail via cpuset(1) | ||
104 | [ "${ezjail_cpuset}" ] && /usr/bin/cpuset -l ${ezjail_cpuset} -j ${ezjail_id} || echo -n "Error: The defined cpuset is malformed" | ||
105 | fi | ||
106 | |||
91 | # Can only detach after unmounting (from fstab.JAILNAME in /etc/rc.d/jail) | 107 | # Can only detach after unmounting (from fstab.JAILNAME in /etc/rc.d/jail) |
92 | attach_detach_post | 108 | attach_detach_post |
93 | } | 109 | } |