Below is my current patch to devfs and jail to support mounting devfs
and procfs inside jails.  The patch also lets each jail specify which devfs
ruleset to apply, and defines a default jail devfs ruleset in
/etc/rc.d/devfs.

Scot

Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf        28 Jul 2003 13:09:00 -0000      1.182
+++ etc/defaults/rc.conf        29 Jul 2003 22:06:08 -0000
@@ -426,12 +426,35 @@
 harvest_ethernet="YES" # Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"   # Entropy device harvests point-to-point randomness
 dmesg_enable="YES"     # Save dmesg(8) to /var/run/dmesg.boot
-jail_enable="NO"       # Set to NO to disable starting of any jails
-jail_list=""           # Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
 watchdogd_enable="NO"  # Start the software watchdog daemon
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+devfs_jail_ruleset_enable="NO"         # Enable Standard Jail devfs ruleset in 
rc.d/devfs
+devfs_jail_ruleset_num="666"           # Standard Jail ruleset number
+                                       # (change if it conflicts with your rulesets)
+
+jail_enable="NO"                       # Set to NO to disable starting of any jails
+jail_list=""                           # Space separated list of names of jails
+jail_set_hostname_allow="YES"          # Allow root user in a jail to change its 
hostname
+jail_socket_unixiproute_only="YES"     # Route only TCP/IP within a jail
+jail_sysvipc_allow="NO"                        # Allow SystemV IPC use from within a 
jail
+jail_default_ruleset="666"             # Default jail devfs ruleset to apply
+jail_stop_jailer="NO"                  # Only stop jailer. Requires jail_*_exec be set
+                                       # to use sysutils/jailer port to start the 
jail.
+
+# create an entry for each jail named in jail_list,  with these variables
+#
+#jail_example_rootdir="/usr/jail/default"      # Jails root directory         
+#jail_example_hostname="default.domain.com"    # Jails hostname
+#jail_example_ip="192.168.0.10"                        # Jails IP number
+#jail_example_exec="/bin/sh /etc/rc"           # command to execute in jail
+#jail_example_devfs="NO"                       # mount devfs in jail
+#jail_example_devfs_ruleset="666"              # devfs ruleset to apply to jail 
+#jail_example_procfs="NO"                      # mount procfs in jail
+#
+# NOTE: replace 'example' with the jail's name from jail_list
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
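Review bot: `jail_default_ruleset="666"` and `devfs_jail_ruleset_num="666"` carry the same number independently, while `devfs_jail_ruleset_enable="NO"` leaves that ruleset undefined by default, so a jail configured with `jail_X_devfs="YES"` under these defaults refers to a ruleset that has no rules unless the administrator also enables the devfs switch or loads rules of their own. The comment should say so explicitly, e.g. `jail_default_ruleset="666"   # Default devfs ruleset; keep equal to devfs_jail_ruleset_num and set devfs_jail_ruleset_enable=YES (or load your own rules) or the jail's /dev is not restricted`. The comment on the `devfs_jail_ruleset_enable` line appears wrapped onto a bare `rc.d/devfs` line here, which would not parse if applied verbatim; presumably a mail-client wrap rather than part of the patch, but worth checking before commit.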
Index: etc/rc.d/devfs
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/devfs,v
retrieving revision 1.5
diff -u -r1.5 devfs
--- etc/rc.d/devfs      6 May 2003 01:10:33 -0000       1.5
+++ etc/rc.d/devfs      6 May 2003 16:24:39 -0000
@@ -39,3 +39,21 @@
 
 load_rc_config $name
 run_rc_command "$1"
+
+# Standard Jail ruleset
+if checkyesno devfs_jail_ruleset_enable ; then
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} delset
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide
+       /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide
+fi
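Review bot: `add 810 path mdctl unhide` puts the memory-disk control device in the standard jail allowlist although nothing else in this ruleset needs it, widening the default /dev of every jail that uses the ruleset; unless there is a concrete use, drop that line or annotate it, e.g. `# mdctl: only for jails expected to create md(4) devices; remove if unused`. Whether jailed root can actually drive mdctl is decided by kernel privilege checks rather than by this script, so the allowlist should still be as small as possible. Separately, this block sits after `run_rc_command "$1"` and outside any function, so it is executed for `stop` and `restart` as well as `start`; wrapping it in a function invoked from the start path would keep ruleset creation to startup only.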
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail       5 May 2003 15:38:41 -0000       1.4
+++ etc/rc.d/jail       21 Jun 2003 20:22:44 -0000
@@ -6,7 +6,7 @@
 # PROVIDE: jail
 # REQUIRE: LOGIN
 # BEFORE: securelevel
-# KEYWORD: FreeBSD
+# KEYWORD: FreeBSD shutdown
 
 . /etc/rc.subr
 
@@ -15,6 +15,15 @@
 start_cmd="jail_start"
 stop_cmd="jail_stop"
 
+create_dev_links()
+{
+        local devdir=$1
+        local source=$2
+        local target=$3
+
+       (cd ${devdir} && ln -sf ${source} ${target})
+}
+
 jail_start()
 {
        echo -n 'Configuring jails:'
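Review bot: create_dev_links mixes eight-space indentation on its `local` lines with a tab on the `ln` line, and leaves all three expansions unquoted; the helper is only called from this file, but quoting costs nothing and keeps a jail root directory containing whitespace from turning into extra arguments: `(cd "${devdir}" && ln -sf "${source}" "${target}")`. Using the file's tab indentation throughout the function would match the surrounding rc.d style.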
@@ -50,18 +59,91 @@
        for _jail in ${jail_list} 
        do
                eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+               jail_devdir="${jail_rootdir}/dev"
+               jail_procdir="${jail_rootdir}/proc"
+
                eval jail_hostname=\"\$jail_${_jail}_hostname\"
                eval jail_ip=\"\$jail_${_jail}_ip\"
                eval jail_exec=\"\$jail_${_jail}_exec\"
                [ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-               
+
+               eval jail_devfs=\"\$jail_${_jail}_devfs\"
+               [ -z ${jail_devfs} ] && jail_devfs="NO"
+
+               eval jail_ruleset=\"\$jail_${_jail}_devfs_ruleset\"
+               [ -z ${jail_ruleset} ] && jail_ruleset="${jail_default_ruleset}"
+
+               eval jail_procfs=\"\$jail_${_jail}_procfs\"
+               [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+               if checkyesno jail_devfs; then
+                       if [ -d ${jail_devdir} ] ; then
+                               mount -t devfs dev ${jail_devdir}
+
+                               if [ -n "${jail_ruleset}" ]; then
+                                       # Apply devfs ruleset
+                                       devfs -m ${jail_devdir} ruleset ${jail_ruleset}
+
+                                       # for libkvm (ab)users
+                                       create_dev_links ${jail_devdir} null mem
+                                       create_dev_links ${jail_devdir} null kmem
+
+                                       # create_dev_links ${jail_devdir} null console
+                               fi
+
+                               # Transitional symlink for old binaries
+                               if [ ! -L ${jail_devdir}/log ]; then
+                                       create_dev_links ${jail_devdir} ../var/run/log 
log
+                               fi
+
+                               # Jail console output
+                               create_dev_links ${jail_devdir} ../var/log/console 
console
+                       fi
+               fi
+
+               if checkyesno jail_procfs; then
+                       if [ -d ${jail_procdir} ] ; then
+                               mount -t procfs proc ${jail_procdir}
+                       fi
+               fi
+
                jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
        done
 }
 
 jail_stop()
 {
-       kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+       if checkyesno jail_stop_jailer; then
+               rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print  $2};')
+       else
+               rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+       fi
+       if [ -n "${rc_pid}" ]; then
+               kill -TERM $rc_pid
+               wait_for_pids $rc_pid
+       fi
+       for _jail in ${jail_list}
+       do
+               eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+               jail_devdir="${jail_rootdir}/dev"
+               jail_procdir="${jail_rootdir}/proc"
+               eval jail_devfs=\"\$jail_${_jail}_devfs\"
+               [ -z ${jail_devfs} ] && jail_devfs="NO"
+               eval jail_procfs=\"\$jail_${_jail}_procfs\"
+               [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+               if checkyesno jail_devfs; then
+                       if [ -d ${jail_devdir} ] ; then
+                               umount -f ${jail_devdir} >/dev/null 2>&1
+                       fi
+               fi
+
+               if checkyesno jail_procfs; then
+                       if [ -d ${jail_procdir} ] ; then
+                               umount -f ${jail_procdir} >/dev/null 2>&1
+                       fi
+               fi
+       done
 }
 
 
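Review bot: The `mount -t devfs dev ${jail_devdir}` is unconditional, but the ruleset is only applied under `if [ -n "${jail_ruleset}" ]`, so a jail with `jail_X_devfs=YES` and an empty ruleset, or a ruleset number into which no rules were ever loaded (`devfs_jail_ruleset_enable` defaults to NO in this same patch), ends up with the host's full /dev visible inside the jail, which is the opposite of what enabling "devfs in jail" suggests. The script should refuse to mount devfs when no ruleset is configured and should not fall through to the `jail` command when the mount or ruleset step fails. Also, `devfs -m … ruleset N` only assigns the ruleset to the mount; if devfs(8) on this branch supports `rule applyset`, it should be run as well so the rules are applied to nodes that already exist at mount time (to be confirmed against devfs(8)). jail_start and jail_stop both begin outside this hunk.
```shell
if checkyesno jail_devfs; then
	if [ -z "${jail_ruleset}" ]; then
		warn "jail ${_jail}: devfs requested but no devfs ruleset configured; not mounting devfs"
	elif [ -d "${jail_devdir}" ]; then
		mount -t devfs dev "${jail_devdir}" &&
		    devfs -m "${jail_devdir}" ruleset "${jail_ruleset}" &&
		    devfs -m "${jail_devdir}" rule applyset ||
		    warn "jail ${_jail}: devfs mount or ruleset failed"
		# … unchanged: mem/kmem, log and console symlinks …
	fi
fi
```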
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.197
diff -u -r1.197 rc.conf.5
--- share/man/man5/rc.conf.5    28 Jul 2003 13:56:00 -0000      1.197
+++ share/man/man5/rc.conf.5    29 Jul 2003 22:12:05 -0000
@@ -2431,12 +2431,25 @@
 jail_vjail_ip="192.168.1.100"
 jail_vjail_rootdir="/var/jails/vjail/root"
 jail_vjail_exec="/bin/sh /etc/rc"
+jail_vjail_devfs="YES"
+jail_vjail_devfs_ruleset="666"
+jail_vjail_procfs="NO"
 .Ed
 .Pp
-The last one is optional.
-It defaults to
+The last four are optional. jail_<jailname>_exec defaults to
 .Pa /etc/rc
 if it is not set.
+jail_<jailname>_devfs and jail_<jailname>_procfs default to
+not mounting the devfs/procfs on the jail.
+jail_<jailname>_devfs_ruleset defaults to using devfs ruleset 666.
+.It Va jail_default_ruleset
+.Pq Vt int
+The default ruleset to apply to a jail that has devfs enabled, but
+no jail_<jailname>_devfs_ruleset defined. By default it is set to
+666.  A Standard Jail rule set is provided in rc.d/devfs to enable
+it set devfs_jail_ruleset_enable to YES.  If this ruleset conflicts
+with your rulesets change devfs_jail_ruleset_num from 666 to another
+value.
 .It Va jail_set_hostname_allow
 .Pq Vt bool
 If set to