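#!/bin/sh
#
# $Id$
#
# rc.d-style script that mounts, creates and starts a service inside a
# FreeBSD jail, and tears it down again on stop.
#
# $jail (and optionally $jail_service) are expected to be set before this
# file runs; everything else comes from the layered config files under
# $cfg below. Those files are *sourced* (executed as shell code), so they
# must be writable by root only. No `set -e` here on purpose: rc.subr's
# run_rc_command drives the control flow and checks return codes.

. /etc/rc.subr

jail_name=${jail}${jail_service:+_$jail_service}
jail_fib=0
name=jail_${jail_name}
rcvar=${name}_enable
cfg=/usr/local/etc/jail

# Layered configuration: global -> per-jail -> per-jail-service.
# Later files override earlier ones.
[ -f "$cfg/jail.conf" ] && . "$cfg/jail.conf"
[ -f "$cfg/${jail}.conf" ] && . "$cfg/${jail}.conf"
[ -f "$cfg/${jail_name}.conf" ] && . "$cfg/${jail_name}.conf"

# Command prefixes. Each is intentionally a multi-word string that is
# expanded unquoted at its call sites ($jail_fib may have been overridden
# by the config files above).
RUNJAILED="/usr/sbin/setfib $jail_fib /usr/local/sbin/runjailed"
JEXEC="/usr/sbin/setfib $jail_fib /usr/sbin/jexec"
CHROOT="/usr/sbin/setfib $jail_fib /usr/sbin/chroot"

start_cmd=jail_start
stop_cmd=jail_stop

jailbase="$jailbase/$jail"
sandboxbase="$sandboxbase/$jail"
buildbase="$buildbase/$jail"

# With jail_buildroot=YES, source files are taken from the build tree
# instead of the host root ("" prefix).
if [ "YES" = "$jail_buildroot" ]; then
  jail_root="$buildbase"
else
  jail_root=""
fi

# Jail ID when the jail is already running, empty otherwise. jail_stop
# uses $_jid to decide whether there is a jail to remove.
_jid=$(jls -j "$jail" jid 2>/dev/null) && JID=$_jid

[ -n "$jail_pidfile" ] && pidfile="$jailbase$jail_pidfile"
# rc.subr reads ${name}_user; $name is built from config values, hence
# the eval. The value is assigned quoted so spaces cannot split it.
[ -n "$jail_user" ] && eval "${name}_user=\"\$jail_user\""

#######################################
# Refresh the sandbox copy of every file listed in $jail_checkfiles
# (paths relative to the jail root) that differs from the root/build copy.
# Globals:  jail_checkfiles, jail_root, sandboxbase (read)
# Returns:  0 when nothing to do, else status of the last cmp/cp
#######################################
jail_checkfiles () {
  local i
  [ -z "$jail_checkfiles" ] && return 0
  # $jail_checkfiles is a whitespace-separated list: splitting is intended.
  # shellcheck disable=SC2086
  for i in $jail_checkfiles; do
    # cmp -z (FreeBSD cmp): compare sizes before contents.
    cmp -sz "$jail_root$i" "$sandboxbase$i" \
      || cp -fp "$jail_root$i" "$sandboxbase$i"
  done
}

#######################################
# Apply the configured devfs ruleset to the jail's /dev.
# Globals:  jail_ruleset, jailbase (read); devfs_ruleset (written)
# Uses the devfs_* helpers provided by rc.subr.
# Returns:  0 when no ruleset is configured
#######################################
jail_apply_devfs_ruleset () {
  [ -z "$jail_ruleset" ] && return 0
  devfs_ruleset="$jail_ruleset"
  devfs_init_rulesets
  devfs_set_ruleset "$devfs_ruleset" "$jailbase/dev"
  devfs_apply_ruleset "$devfs_ruleset" "$jailbase/dev"
}

#######################################
# Link /dev/log inside the jail to ../var/run/log when jail_devlog=YES.
# Globals:  jail_devlog, jailbase (read)
#######################################
jail_devlog () {
  [ "YES" != "$jail_devlog" ] && return 0
  # Create the link by full path instead of cd'ing into the jail so the
  # script's working directory is not left inside $jailbase/dev.
  # Idempotent so a restart after a failed stop does not fail here.
  [ -L "$jailbase/dev/log" ] || ln -s ../var/run/log "$jailbase/dev/log"
}

#######################################
# Create the sticky vi(1) recovery directory when jail_create_virecover=YES.
# Globals:  jail_create_virecover, jailbase (read)
#######################################
jail_create_virecover () {
  [ "YES" != "$jail_create_virecover" ] && return 0
  mkdir "$jailbase/var/tmp/vi.recover" \
    && chmod 1777 "$jailbase/var/tmp/vi.recover"
}

#######################################
# Mount the filesystems listed in $cfg/<jail>.fstab under $jailbase, then
# run the post-mount fixups (devfs ruleset, /dev/log, vi.recover).
# Device column mapping: JAIL/<p> -> $sandboxbase/<p>, ROOT/<p> -> /<p>,
# anything else -> $jail_root<p>. Mount points are taken relative to
# $jailbase; a trailing slash is stripped (jail_umount does the same).
# Globals:  jail_mount, cfg, jail, jailbase, sandboxbase, jail_root (read)
# Returns:  0 on success, 1 on the first failing mkdir/mount
#######################################
jail_mount () {
  local dev mntpnt fstype opts dump pass
  [ "YES" != "$jail_mount" ] && return 0
  # The while loop runs in the pipeline's subshell; `return 1` there ends
  # that subshell with status 1, which fails the pipeline and the chain.
  grep -v '^#' "$cfg/${jail}.fstab" \
    | while read -r dev mntpnt fstype opts dump pass || [ -n "$dev" ]; do
      # Skip blank lines instead of attempting `mount -t ""`.
      [ -n "$dev" ] || continue
      case "$dev" in
        JAIL/*) dev="$sandboxbase${dev#JAIL}" ;;
        ROOT/*) dev="${dev#ROOT}" ;;
        *) dev="$jail_root$dev" ;;
      esac
      mntpnt="$jailbase${mntpnt%/}"
      # A nullfs source directory must exist before it can be mounted.
      if [ "nullfs" = "$fstype" ]; then
        [ -d "$dev" ] || mkdir -p "$dev" || return 1
      fi
      [ -d "$mntpnt" ] || mkdir -p "$mntpnt" || return 1
      mount -t "$fstype" -o "$opts" "$dev" "$mntpnt" || return 1
    done \
    && jail_apply_devfs_ruleset \
    && jail_devlog \
    && jail_create_virecover
}

#######################################
# Create the jail with jail(8) and wire up its networking:
#   jail_ip set:    ip4.addr=<ip>, aliased onto $jail_iface when given
#   jail_ip empty:  vnet with one epair per name in $jail_iface (bridged
#                   via $jail_iface_<if>_bridge), or ip4/ip6=inherit when
#                   $jail_iface is empty as well
# Interface names from the config are spliced into variable names via
# eval, so they must be plain identifiers (letters, digits, underscore).
# Globals:  jail_* config variables, RUNJAILED (read)
# Returns:  0 when jail_start_jail != YES, 1 if jail(8) fails or an
#           interface name is unusable, else status of the last command
#######################################
jail_start_jail () {
  local params iface bridge mtu epair ifcfg
  [ "YES" != "$jail_start_jail" ] && return 0

  if [ -z "$jail_ip" ]; then
    if [ -z "$jail_iface" ]; then
      params="ip4=inherit ip6=inherit"
    else
      params="vnet"
    fi
    # shellcheck disable=SC2086
    for iface in $jail_iface; do
      eval bridge="\$jail_iface_${iface}_bridge"
      eval mtu="\$jail_iface_${iface}_mtu"
      if [ -n "$bridge" ]; then
        case "$iface" in
          epair[0-9]*)
            echo "WARNING: using old style epair interface" >&2
            ifconfig "$iface" create up >/dev/null
            if [ -n "$mtu" ]; then
              ifconfig "${iface}a" mtu "$mtu" >/dev/null
              ifconfig "${iface}b" mtu "$mtu" >/dev/null
            fi
            ifconfig "$bridge" addm "${iface}a"
            ifconfig "${iface}b" name "$iface" >/dev/null
            ;;
          "$jail"[0-9]*)
            # ifconfig prints the "a" end of the new pair; the "b" end
            # is renamed to the configured name and handed to the jail.
            epair=$(ifconfig epair create up)
            if [ -n "$mtu" ]; then
              ifconfig "$epair" mtu "$mtu" >/dev/null
              ifconfig "${epair%a}b" mtu "$mtu" >/dev/null
            fi
            ifconfig "${epair%a}b" name "$iface" >/dev/null
            ifconfig "$bridge" addm "$epair"
            ;;
          *)
            # Fail the start (jail_start reports "failed.") instead of
            # exiting the whole rc script mid-way.
            echo "Wrong iface name $iface" >&2
            return 1
            ;;
        esac
      fi
      params="$params vnet.interface=$iface"
    done
  else
    params="ip4.addr=$jail_ip"
    [ -n "$jail_iface" ] && ifconfig "$jail_iface" alias "$jail_ip/32"
  fi

  # securelevel defaults to 3; jail_securelevel=NO leaves it unset.
  if [ -z "$jail_securelevel" ]; then
    params="$params securelevel=3"
  elif [ "NO" != "$jail_securelevel" ]; then
    params="$params securelevel=$jail_securelevel"
  fi
  [ "YES" = "$jail_sysvipc" ] \
    && params="$params sysvshm=new sysvsem=new sysvmsg=new"
  [ "YES" = "$jail_sockets" ] && params="$params allow.raw_sockets=1"

  # $params is a space-separated list of jail(8) parameters.
  # If creation fails, stop here rather than running the service on the
  # host through a non-existent jail.
  # shellcheck disable=SC2086
  jail -c name="$jail" host.hostname="$jail_hostname" path="$jailbase" \
    persist=1 allow.set_hostname=0 $params || return 1

  # vnet case: addresses are configured from inside the jail.
  if [ -z "$jail_ip" ] && [ -n "$jail_iface" ]; then
    # shellcheck disable=SC2086
    for iface in $jail_iface; do
      eval ifcfg="\$jail_iface_${iface}"
      # shellcheck disable=SC2086
      [ -n "$ifcfg" ] && $RUNJAILED -j "$jail" ifconfig "$iface" $ifcfg
      eval ifcfg="\$jail_iface_${iface}_ipv6"
      # shellcheck disable=SC2086
      [ -n "$ifcfg" ] && $RUNJAILED -j "$jail" ifconfig "$iface" $ifcfg
    done
  fi
  if [ -n "$jail_defaultrouter" ]; then
    $RUNJAILED -j "$jail" route add default "$jail_defaultrouter" >/dev/null
  fi
  if [ -n "$jail_ipv6_defaultrouter" ]; then
    $RUNJAILED -j "$jail" route -6 add default "$jail_ipv6_defaultrouter" \
      >/dev/null
  fi
}

#######################################
# Run the service command: $jail_start_cmd when set, otherwise
# $command $command_args via the entry method named by $jail_method.
# An empty $jail_method runs nothing (jail only); an unknown one is an
# error so a typo does not get reported as "done.".
# Globals:  jail_start_cmd, jail_method, jail_user, jail, jailbase,
#           command, command_args, RUNJAILED, JEXEC, CHROOT (read)
# Returns:  status of the command run, 1 for an unknown method
#######################################
jail_run_command () {
  if [ -n "$jail_start_cmd" ]; then
    $jail_start_cmd
    return
  fi
  # The command prefixes and $command_args are multi-word by design.
  # shellcheck disable=SC2086
  case "$jail_method" in
    runjailed)
      $RUNJAILED -j "$jail" ${jail_user:+-u $jail_user} $command $command_args
      ;;
    runchrooted)
      $RUNJAILED -c "$jailbase" ${jail_user:+-u $jail_user} \
        $command $command_args
      ;;
    jexec)
      $JEXEC ${jail_user:+-u $jail_user} "$jail" $command $command_args
      ;;
    chroot)
      $CHROOT ${jail_user:+-u $jail_user} "$jailbase" $command $command_args
      ;;
    "")
      : # nothing to run; the jail itself is the service
      ;;
    *)
      echo "unknown jail_method '$jail_method'" >&2
      return 1
      ;;
  esac
}

#######################################
# start_cmd: mount, sync checked files, create the jail, run the service.
# Outputs:  "Starting <name>: done." or "... failed." on stdout
# Returns:  0 on success, 1 on failure (so rc.subr sees it)
#######################################
jail_start () {
  printf 'Starting %s: ' "$name"
  if [ -d "$jailbase" ] && jail_mount && jail_checkfiles \
      && jail_start_jail && jail_run_command; then
    echo done.
  else
    echo failed.
    return 1
  fi
}

#######################################
# Unmount everything jail_mount mounted, in reverse fstab order so nested
# mounts come off first.
# Globals:  jail_mount, cfg, jail, jailbase (read)
#######################################
jail_umount () {
  local dev mntpnt other pnts
  [ "YES" != "$jail_mount" ] && return 0
  pnts=""
  # Here-document instead of a pipe so $pnts survives the loop.
  while read -r dev mntpnt other || [ -n "$dev" ]; do
    [ -n "$dev" ] || continue
    pnts="$jailbase${mntpnt%/} $pnts"
  done <<EOF
$(grep -v '^#' "$cfg/${jail}.fstab")
EOF
  # $pnts is a space-separated list: splitting is intended.
  # shellcheck disable=SC2086
  if [ -n "$pnts" ]; then
    umount $pnts
  fi
}

#######################################
# Deprecated. Signal the process recorded in $pidfile and wait for it.
# Arguments: $1 - signal name (default TERM)
# Returns:   1 when there is no pidfile or no running process
#######################################
jail_stoppid () {
  local pid _junk
  echo "Using deprecated jail_stoppid"
  [ -z "$pidfile" ] && echo "no pidfile" && return 1
  [ ! -f "$pidfile" ] && echo "No $pidfile. Not running?" && return 1
  read -r pid _junk <"$pidfile"
  if [ -z "$pid" ] || ! kill -0 "$pid"; then
    echo "$pid not running"
    return 1
  fi
  kill -"${1:-TERM}" "$pid"
  wait_for_pids "$pid"
}

#######################################
# stop_cmd: stop the service, remove the jail and its interfaces (only if
# we created it and it is running), then unmount.
# Globals:  jail_stop_cmd, rc_pid, sig_stop (rc.subr), jail_start_jail,
#           _jid, jail, jail_iface, jail_ip, jail_iface_*_bridge (read)
# Outputs:  "Stopping <name>: done." on stdout
#######################################
jail_stop () {
  local iface bridge
  printf 'Stopping %s: ' "$name"
  if [ -n "$jail_stop_cmd" ]; then
    $jail_stop_cmd
  elif [ -n "$rc_pid" ]; then
    kill -"${sig_stop:-TERM}" "$rc_pid"
    wait_for_pids "$rc_pid"
  fi
  if [ "YES" = "$jail_start_jail" ] && [ -n "$_jid" ]; then
    jail -r "$jail"
    if [ -n "$jail_iface" ]; then
      [ -n "$jail_ip" ] && ifconfig "$jail_iface" delete "$jail_ip"
      # shellcheck disable=SC2086
      for iface in $jail_iface; do
        eval bridge="\$jail_iface_${iface}_bridge"
        [ -n "$bridge" ] || continue
        # The epair may still be held by the dying jail; retry once.
        ifconfig "$iface" destroy || {
          printf '%s is not available, sleeping...' "$iface"
          sleep 1
          echo " retrying"
          ifconfig "$iface" destroy
        }
      done
    fi
  fi
  jail_umount
  echo done.
}

# Default the rcvar to NO before rc.conf gets a chance to set it, then
# hand control to rc.subr.
enabled=${name}_enable
eval "$enabled=\${$enabled:-NO}"
load_rc_config "$name"
run_rc_command "$1"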