From 8b6be47436c7f87e888df1630e0398672116d774 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sun, 15 Jul 2012 08:47:01 -0400 Subject: [PATCH] Import jail init script from FreeBSD The FreeBSD jail init script has been adapted to function in OpenRC. It currently does not support starting and stopping individual jails, but that functionality should be added after some extensions to OpenRC are done. --- conf.d/Makefile | 2 +- conf.d/jail | 62 ++++ init.d/Makefile | 2 +- init.d/jail.in | 885 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 949 insertions(+), 2 deletions(-) create mode 100644 conf.d/jail create mode 100755 init.d/jail.in diff --git a/conf.d/Makefile b/conf.d/Makefile index aefb612..2c8a4af 100644 --- a/conf.d/Makefile +++ b/conf.d/Makefile @@ -13,7 +13,7 @@ endif MK= ../mk include ${MK}/os.mk -CONF-FreeBSD= ipfw moused powerd rarpd savecore syscons +CONF-FreeBSD= ipfw jail moused powerd rarpd savecore syscons CONF-Linux= consolefont dmesg hwclock keymaps killprocs modules diff --git a/conf.d/jail b/conf.d/jail new file mode 100644 index 0000000..05742a3 --- /dev/null +++ b/conf.d/jail @@ -0,0 +1,62 @@ +# Example jail config file. +# This is the place to define settings for jails you wish to control +# with the jail init script. + +# Global Settings: +# This group of settings affects all jails. + +# List the jails you wish to control separated by spaces. +#jail_list="jail1 jail2" + +# Document this variable. +# What does it do? Show a commented default setting. +#jail_set_hostname_allow="YES" + +# Document this variable. +# What does it do? Show a commented default setting. +#jail_socket_unixiproute_only + +# Document this variable. +# What does it do? Show a commented default setting. +#jail_sysvipc_allow + +# jail-specific settings: +# These variables must be set for each jail. +# The example is for jail1 listed above, but you must repeat these +# settings for each jail unless you want to use the defaults. + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_devfs_enable="YES" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_fdescfs_enable="YES" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_exec_start="/sbin/rc default" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_exec_stop="/sbin/rc shutdown" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_rootdir="/mnt/linux" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_hostname="linux" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_ip="192.168.1.252" + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_fstab="/etc/jail/fstab.linux" # for linprocfs + +# Document this variable. +# What does it do? Show a commented default setting below. +#jail_jail1_flags="-l -u root" diff --git a/init.d/Makefile b/init.d/Makefile index c2c3ea1..74d88d5 100644 --- a/init.d/Makefile +++ b/init.d/Makefile @@ -18,7 +18,7 @@ include ${MK}/os.mk SRCS-FreeBSD= hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \ rpcbind.in savecore.in syslogd.in # These are FreeBSD specific -SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \ +SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in jail.in \ mixer.in nscd.in powerd.in syscons.in SRCS-Linux= devfs.in dmesg.in hwclock.in consolefont.in keymaps.in \ diff --git a/init.d/jail.in b/init.d/jail.in new file mode 100755 index 0000000..b9b6083 --- /dev/null +++ b/init.d/jail.in @@ -0,0 +1,885 @@ +#!@PREFIX@/sbin/runscript +# Copyright 1992-2012 FreeBSD Project +# Released under the 2-clause BSD license + +depend() +{ + after net +} + +# devfs_rulesets_from_file file +# Reads a set of devfs commands from file, and creates +# the specified rulesets with their rules. Returns non-zero +# if there was an eerroror. +# +devfs_rulesets_from_file() +{ + local file _eerror _me + file="$1" + _me="devfs_rulesets_from_file" + _eerror=0 + + if [ -z "$file" ]; then + ewarn "$_me: you must specify a file" + return 1 + fi + if [ ! -e "$file" ]; then + veinfo "$_me: no such file ($file)" + return 0 + fi + veinfo "reading rulesets from file ($file)" + { while read line + do + case $line in + \#*) + continue + ;; + \[*\]*) + rulenum=`expr "$line" : "\[.*=\([0-9]*\)\]"` + if [ -z "$rulenum" ]; then + ewarn "$_me: cannot extract rule number ($line)" + _eerror=1 + break + fi + rulename=`expr "$line" : "\[\(.*\)=[0-9]*\]"` + if [ -z "$rulename" ]; then + ewarn "$_me: cannot extract rule name ($line)" + _eerror=1 + break; + fi + eval $rulename=\$rulenum + veinfo "found ruleset: $rulename=$rulenum" + if ! /sbin/devfs rule -s $rulenum delset; then + _eerror=1 + break + fi + ;; + *) + rulecmd="${line%%"\#*"}" + # evaluate the command incase it includes + # other rules + if [ -n "$rulecmd" ]; then + veinfo "adding rule ($rulecmd)" + if ! eval /sbin/devfs rule -s $rulenum $rulecmd + then + _eerror=1 + break + fi + fi + ;; + esac + if [ $_eerror -ne 0 ]; then + veinfo "eerroror in $_me" + break + fi + done } < $file + return $_eerror +} + +# devfs_init_rulesets +# Initializes rulesets from configuration files. Returns +# non-zero if there was an eerroror. +# +devfs_init_rulesets() +{ + local file _me + _me="devfs_init_rulesets" + + # Go through this only once + if [ -n "$devfs_rulesets_init" ]; then + veinfo "$_me: devfs rulesets already initialized" + return + fi + for file in $devfs_rulesets; do + if ! devfs_rulesets_from_file $file; then + ewarn "$_me: could not read rules from $file" + return 1 + fi + done + devfs_rulesets_init=1 + veinfo "$_me: devfs rulesets initialized" + return 0 +} + +# devfs_set_ruleset ruleset [dir] +# Sets the default ruleset of dir to ruleset. The ruleset argument +# must be a ruleset name as specified in devfs.rules(5) file. +# Returns non-zero if it could not set it successfully. +# +devfs_set_ruleset() +{ + local devdir rs _me + [ -n "$1" ] && eval rs=\$$1 || rs= + [ -n "$2" ] && devdir="-m "$2"" || devdir= + _me="devfs_set_ruleset" + + if [ -z "$rs" ]; then + ewarn "$_me: you must specify a ruleset number" + return 1 + fi + veinfo "$_me: setting ruleset ($rs) on mount-point (${devdir#-m })" + if ! /sbin/devfs $devdir ruleset $rs; then + ewarn "$_me: unable to set ruleset $rs to ${devdir#-m }" + return 1 + fi + return 0 +} + +# devfs_domount dir [ruleset] +# Mount devfs on dir. If ruleset is specified it is set +# on the mount-point. It must also be a ruleset name as specified +# in a devfs.rules(5) file. Returns 0 on success. +# +devfs_domount() +{ + local devdir rs _me + devdir="$1" + [ -n "$2" ] && rs=$2 || rs= + _me="devfs_domount()" + + if [ -z "$devdir" ]; then + ewarn "$_me: you must specify a mount-point" + return 1 + fi + veinfo "$_me: mount-point is ($devdir), ruleset is ($rs)" + if ! mount -t devfs dev "$devdir"; then + ewarn "$_me: Unable to mount devfs on $devdir" + return 1 + fi + if [ -n "$rs" ]; then + devfs_init_rulesets + devfs_set_ruleset $rs $devdir + devfs -m $devdir rule applyset + fi + return 0 +} + +# devfs_mount_jail dir [ruleset] +# Mounts a devfs file system appropriate for jails +# on the directory dir. If ruleset is specified, the ruleset +# it names will be used instead. If present, ruleset must +# be the name of a ruleset as defined in a devfs.rules(5) file. +# This function returns non-zero if an eerroror occurs. +# +devfs_mount_jail() +{ + local jdev rs _me + jdev="$1" + [ -n "$2" ] && rs=$2 || rs="devfsrules_jail" + _me="devfs_mount_jail" + + devfs_init_rulesets + if ! devfs_domount "$jdev" $rs; then + ewarn "$_me: devfs was not mounted on $jdev" + return 1 + fi + return 0 +} + +# init_variables _j +# Initialize the various jail variables for jail _j. +# +init_variables() +{ + _j="$1" + + if [ -z "$_j" ]; then + ewarn "init_variables: you must specify a jail" + return + fi + + eval _rootdir=\"\$jail_${_j}_rootdir\" + _devdir="${_rootdir}/dev" + _fdescdir="${_devdir}/fd" + _procdir="${_rootdir}/proc" + eval _hostname=\"\$jail_${_j}_hostname\" + eval _ip=\"\$jail_${_j}_ip\" + eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" + eval _exec=\"\$jail_${_j}_exec\" + + i=0 + while : ; do + eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\" + [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break + i=$((i + 1)) + done + + eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" + + i=1 + while : ; do + eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\" + [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break + i=$((i + 1)) + done + + i=0 + while : ; do + eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\" + [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break + i=$((i + 1)) + done + + i=0 + while : ; do + eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\" + [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break + i=$((i + 1)) + done + + eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" + + i=0 + while : ; do + eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\" + [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break + i=$((i + 1)) + done + + if [ -n "${_exec}" ]; then + # simple/backward-compatible execution + _exec_start="${_exec}" + _exec_stop="" + else + # flexible execution + if [ -z "${_exec_start}" ]; then + _exec_start="/bin/sh /etc/rc" + if [ -z "${_exec_stop}" ]; then + _exec_stop="/bin/sh /etc/rc.shutdown" + fi + fi + fi + + # The default jail ruleset will be used by rc.subr if none is specified. + eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" + eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" + [ -z "${_devfs}" ] && _devfs="NO" + eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" + [ -z "${_fdescfs}" ] && _fdescfs="NO" + eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" + [ -z "${_procfs}" ] && _procfs="NO" + + eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" + [ -z "${_mount}" ] && _mount="NO" + # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified. + eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" + [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" + eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" + [ -z "${_flags}" ] && _flags="-l -U root" + eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" + [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" + eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" + + # Debugging aid + # + veinfo "$_j devfs enable: $_devfs" + veinfo "$_j fdescfs enable: $_fdescfs" + veinfo "$_j procfs enable: $_procfs" + veinfo "$_j mount enable: $_mount" + veinfo "$_j hostname: $_hostname" + veinfo "$_j ip: $_ip" + jail_show_addresses ${_j} + veinfo "$_j interface: $_interface" + veinfo "$_j fib: $_fib" + veinfo "$_j root: $_rootdir" + veinfo "$_j devdir: $_devdir" + veinfo "$_j fdescdir: $_fdescdir" + veinfo "$_j procdir: $_procdir" + veinfo "$_j ruleset: $_ruleset" + veinfo "$_j fstab: $_fstab" + + i=0 + while : ; do + eval out=\"\${_exec_prestart${i}:-''}\" + if [ -z "$out" ]; then + break + fi + veinfo "$_j exec pre-start #${i}: ${out}" + i=$((i + 1)) + done + + veinfo "$_j exec start: $_exec_start" + + i=1 + while : ; do + eval out=\"\${_exec_afterstart${i}:-''}\" + + if [ -z "$out" ]; then + break; + fi + + veinfo "$_j exec after start #${i}: ${out}" + i=$((i + 1)) + done + + i=0 + while : ; do + eval out=\"\${_exec_poststart${i}:-''}\" + if [ -z "$out" ]; then + break + fi + veinfo "$_j exec post-start #${i}: ${out}" + i=$((i + 1)) + done + + i=0 + while : ; do + eval out=\"\${_exec_prestop${i}:-''}\" + if [ -z "$out" ]; then + break + fi + veinfo "$_j exec pre-stop #${i}: ${out}" + i=$((i + 1)) + done + + veinfo "$_j exec stop: $_exec_stop" + + i=0 + while : ; do + eval out=\"\${_exec_poststop${i}:-''}\" + if [ -z "$out" ]; then + break + fi + veinfo "$_j exec post-stop #${i}: ${out}" + i=$((i + 1)) + done + + veinfo "$_j flags: $_flags" + veinfo "$_j consolelog: $_consolelog" + + if [ -z "${_hostname}" ]; then + eerror 3 "$name: No hostname has been defined for ${_j}" + fi + if [ -z "${_rootdir}" ]; then + eerror 3 "$name: No root directory has been defined for ${_j}" + fi +} + +# set_sysctl rc_knob mib msg +# If the mib sysctl is set according to what rc_knob +# specifies, this function does nothing. However if +# rc_knob is set differently than mib, then the mib +# is set accordingly and msg is displayed followed by +# an '=" sign and the word 'YES' or 'NO'. +# +set_sysctl() +{ + _knob="$1" + _mib="$2" + _msg="$3" + + SYSCTL="@PREFIX@/sbin/sysctl" + _current=`${SYSCTL} -n $_mib 2>/dev/null` + if yesno $_knob ; then + if [ "$_current" -ne 1 ]; then + einfo "${_msg}=YES" + ${SYSCTL} 1>/dev/null ${_mib}=1 + fi + else + if [ "$_current" -ne 0 ]; then + einfo "${_msg}=NO" + ${SYSCTL} 1>/dev/null ${_mib}=0 + fi + fi +} + +# is_current_mountpoint() +# Is the directory mount point for a currently mounted file +# system? +# +is_current_mountpoint() +{ + local _dir _dir2 + + _dir=$1 + + _dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'` + [ ! -d "${_dir}" ] && return 1 + _dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'` + [ "${_dir}" = "${_dir2}" ] + return $? +} + +# is_symlinked_mountpoint() +# Is a mount point, or any of its parent directories, a symlink? +# +is_symlinked_mountpoint() +{ + local _dir + + _dir=$1 + + [ -L "$_dir" ] && return 0 + [ "$_dir" = "/" ] && return 1 + is_symlinked_mountpoint `dirname $_dir` + return $? +} + +# secure_umount +# Try to unmount a mount point without being vulnerable to +# symlink attacks. +# +secure_umount() +{ + local _dir + + _dir=$1 + + if is_current_mountpoint ${_dir}; then + umount -f ${_dir} >/dev/null 2>&1 + else + ewarn "Nothing mounted on ${_dir} - not unmounting" + fi +} + + +# jail_umount_fs +# This function unmounts certain special filesystems in the +# currently selected jail. The caller must call the init_variables() +# routine before calling this one. +# +jail_umount_fs() +{ + local _device _mountpt _rest + + if yesno _fdescfs; then + if [ -d "${_fdescdir}" ] ; then + secure_umount ${_fdescdir} + fi + fi + if yesno _devfs; then + if [ -d "${_devdir}" ] ; then + secure_umount ${_devdir} + fi + fi + if yesno _procfs; then + if [ -d "${_procdir}" ] ; then + secure_umount ${_procdir} + fi + fi + if yesno _mount; then + [ -f "${_fstab}" ] || ewarn "${_fstab} does not exist" + tail -r ${_fstab} | while read _device _mountpt _rest; do + case ":${_device}" in + :#* | :) + continue + ;; + esac + secure_umount ${_mountpt} + done + fi +} + +# jail_mount_fstab() +# Mount file systems from a per jail fstab while trying to +# secure against symlink attacks at the mount points. +# +# If we are certain we cannot secure against symlink attacks we +# do not mount all of the file systems (since we cannot just not +# mount the file system with the problematic mount point). +# +# The caller must call the init_variables() routine before +# calling this one. +# +jail_mount_fstab() +{ + local _device _mountpt _rest + + while read _device _mountpt _rest; do + case ":${_device}" in + :#* | :) + continue + ;; + esac + if is_symlinked_mountpoint ${_mountpt}; then + ewarn "${_mountpt} has symlink as parent - not mounting from ${_fstab}" + return + fi + done <${_fstab} + mount -a -F "${_fstab}" +} + +# jail_show_addresses jail +# Debug print the input for the given _multi aliases +# for a jail for init_variables(). +# +jail_show_addresses() +{ + local _j _type alias + _j="$1" + alias=0 + + if [ -z "${_j}" ]; then + ewarn "jail_show_addresses: you must specify a jail" + return + fi + + while : ; do + eval _addr=\"\$jail_${_j}_ip_multi${alias}\" + if [ -n "${_addr}" ]; then + veinfo "${_j} ip_multi${alias}: $_addr" + alias=$((${alias} + 1)) + else + break + fi + done +} + +# jail_extract_address argument +# The second argument is the string from one of the _ip +# or the _multi variables. In case of a comma separated list +# only one argument must be passed in at a time. +# The function alters the _type, _iface, _addr and _mask variables. +# +jail_extract_address() +{ + local _i + _i=$1 + + if [ -z ${_i}" ]; then + ewarn "jail_extract_address: called without input" + return + fi + + # Check if we have an interface prefix given and split into + # iFace and rest. + case "${_i}" in + *\|*) # ifN|.. prefix there + _iface=${_i%%|*} + _r=${_i##*|} + ;; + *) _iface="" + _r=${_i} + ;; + esac + + # In case the IP has no interface given, check if we have a global one. + _iface=${_iface:-${_interface}} + + # Set address, cut off any prefix/netmask/prefixlen. + _addr=${_r} + _addr=${_addr%%[/ ]*} + + # Theoretically we can return here if interface is not set, + # as we only care about the _mask if we call ifconfig. + # This is not done because we may want to santize IP addresses + # based on _type later, and optionally change the type as well. + + # Extract the prefix/netmask/prefixlen part by cutting off the address. + _mask=${_r} + _mask=`expr "${_mask}" : "${_addr}\(.*\)"` + + # Identify type {inet,inet6}. + case "${_addr}" in + *\.*\.*\.*) _type="inet" ;; + *:*) _type="inet6" ;; + *) ewarn "jail_extract_address: type not identified" + ;; + esac + + # Handle the special /netmask instead of /prefix or + # "netmask xxx" case for legacy IP. + # We do NOT support shortend class-full netmasks. + if [ "${_type}" = "inet" ]; then + case "${_mask}" in + /*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;; + *) ;; + esac + + # In case _mask is still not set use /32. + _mask=${_mask:-/32} + + elif [ "${_type}" = "inet6" ]; then + # In case _maske is not set for IPv6, use /128. + _mask=${_mask:-/128} + fi +} + +# jail_handle_ips_option {add,del} input +# Handle a single argument imput which can be a comma separated +# list of addresses (theoretically with an option interface and +# prefix/netmask/prefixlen). +# +jail_handle_ips_option() +{ + local _x _action _type _i + _action=$1 + _x=$2 + + if [ -z "${_x}" ]; then + # No IP given. This can happen for the primary address + # of each address family. + return + fi + + # Loop, in case we find a comma separated list, we need to handle + # each argument on its own. + while [ ${#_x} -gt 0 ]; do + case "${_x}" in + *,*) # Extract the first argument and strip it off the list. + _i=`expr "${_x}" : '^\([^,]*\)'` + _x=`expr "${_x}" : "^[^,]*,\(.*\)"` + ;; + *) _i=${_x} + _x="" + ;; + esac + + _type="" + _iface="" + _addr="" + _mask="" + jail_extract_address "${_i}" + + # make sure we got an address. + case "${_addr}" in + "") continue ;; + *) ;; + esac + + # Append address to list of addresses for the jail command. + case "${_addrl}" in + "") _addrl="${_addr}" ;; + *) _addrl="${_addrl},${_addr}" ;; + esac + + # Configure interface alias if requested by a given interface + # and if we could correctly parse everything. + case "${_iface}" in + "") continue ;; + esac + case "${_type}" in + inet) ;; + inet6) ;; + *) ewarn "Could not determine address family. Not going" \ + "to ${_action} address '${_addr}' for ${_jail}." + continue + ;; + esac + case "${_action}" in + add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias + ;; + del) # When removing the IP, ignore the _mask. + ifconfig ${_iface} ${_type} ${_addr} -alias + ;; + esac + done +} + +# jail_ips {add,del} +# Extract the comma separated list of addresses and return them +# for the jail command. +# Handle more than one address via the _multi option as well. +# If an interface is given also add/remove an alias for the +# address with an optional netmask. +# +jail_ips() +{ + local _action + _action=$1 + + case "${_action}" in + add) ;; + del) ;; + *) ewarn "jail_ips: invalid action '${_action}'" + return + ;; + esac + + # Handle addresses. + jail_handle_ips_option ${_action} "${_ip}" + # Handle jail_xxx_ip_multi + alias=0 + while : ; do + eval _x=\"\$jail_${_jail}_ip_multi${alias}\" + case "${_x}" in + "") break ;; + *) jail_handle_ips_option ${_action} "${_x}" + alias=$((${alias} + 1)) + ;; + esac + done +} + +start_pre() +{ + if yesno jail_parallel_start; then + command_args='&' + fi +} + +start() +{ + ebegin 'Configuring jails:' + set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \ + set_hostname_allow + set_sysctl jail_socket_unixiproute_only \ + security.jail.socket_unixiproute_only unixiproute_only + set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \ + sysvipc_allow + eend + + ebegin 'Starting jails:' + _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \ + eerror 3 "$name: Can't create temp dir, exiting..." + for _jail in ${jail_list} + do + init_variables $_jail + if [ -f /var/run/jail_${_jail}.id ]; then + ewarn " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]" + continue; + fi + _addrl="" + jail_ips "add" + if [ -n "${_fib}" ]; then + _setfib="setfib -F '${_fib}'" + else + _setfib="" + fi + if yesno _mount; then + einfo "Mounting fstab for jail ${_jail} (${_fstab})" + if [ ! -f "${_fstab}" ]; then + eerror 3 "$name: ${_fstab} does not exist" + fi + jail_mount_fstab + fi + if yesno _devfs; then + # If devfs is already mounted here, skip it. + df -t devfs "${_devdir}" >/dev/null + if [ $? -ne 0 ]; then + if is_symlinked_mountpoint ${_devdir}; then + ewarn "${_devdir} has symlink as parent - not starting jail ${_jail}" + continue + fi + einfo "Mounting devfs on ${_devdir}" + devfs_mount_jail "${_devdir}" ${_ruleset} + # Transitional symlink for old binaries + if [ ! -L "${_devdir}/log" ]; then + __pwd="`pwd`" + cd "${_devdir}" + ln -sf ../var/run/log log + cd "$__pwd" + fi + fi + + # XXX - It seems symlinks don't work when there + # is a devfs(5) device of the same name. + # Jail console output + # __pwd="`pwd`" + # cd "${_devdir}" + # ln -sf ../var/log/console console + # cd "$__pwd" + fi + if yesno _fdescfs; then + if is_symlinked_mountpoint ${_fdescdir}; then + ewarn "${_fdescdir} has symlink as parent, not mounting" + else + einfo "Mounting fdescfs on ${_fdescdir}" + mount -t fdescfs fdesc "${_fdescdir}" + fi + fi + if yesno _procfs; then + if is_symlinked_mountpoint ${_procdir}; then + ewarn "${_procdir} has symlink as parent, not mounting" + else + einfo "Mounting procfs onto ${_procdir}" + if [ -d "${_procdir}" ] ; then + mount -t procfs proc "${_procdir}" + fi + fi + fi + _tmp_jail=${_tmp_dir}/jail.$$ + + i=0 + while : ; do + eval out=\"\${_exec_prestart${i}:-''}\" + [ -z "$out" ] && break + ${out} + i=$((i + 1)) + done + + eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ + \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \ + ${_consolelog} + echo ${_jail_id} > /var/run/jail_${_jail}.id + + i=0 + while : ; do + eval out=\"\${_exec_poststart${i}:-''}\" + [ -z "$out" ] && break + ${out} + i=$((i + 1)) + done + else + jail_umount_fs + jail_ips "del" + eerror " cannot start jail \"${_jail}\": " + tail +2 ${_tmp_jail} + fi + rm -f ${_tmp_jail} + done + rmdir ${_tmp_dir} + eend +} + +stop() +{ + ebegin 'Stopping jails:' + for _jail in ${jail_list} + do + if [ -f "/var/run/jail_${_jail}.id" ]; then + _jail_id=$(cat /var/run/jail_${_jail}.id) + if [ ! -z "${_jail_id}" ]; then + init_variables $_jail + + i=0 + while : ; do + eval out=\"\${_exec_prestop${i}:-''}\" + [ -z "$out" ] && break + ${out} + i=$((i + 1)) + done + + if [ -n "${_exec_stop}" ]; then + eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \ + >> ${_consolelog} 2>&1 + fi + killall -j ${_jail_id} -TERM > /dev/null 2>&1 + sleep 1 + killall -j ${_jail_id} -KILL > /dev/null 2>&1 + jail_umount_fs + einfo "Stopped $_hostname" + + i=0 + while : ; do + eval out=\"\${_exec_poststop${i}:-''}\" + [ -z "$out" ] && break + ${out} + i=$((i + 1)) + done + fi + jail_ips "del" + rm /var/run/jail_${_jail}.id + else + ewarn " cannot stop jail ${_jail}. No jail id in /var/run" + fi + done + eend +} -- 1.8.3.2