
Re: [ezjail] Limiting SysV-IPC to certain jails



Dewayne Geraghty wrote:
> 
> I think this might be a cleaner and more general purpose solution.  I have
> a jail b1 that builds the port system, and it needs sysvipc.  So append the
> following line to /usr/local/etc/ezjail/b1
> 
> export jail_b1_parameters="allow.sysvipc allow.raw_sockets"
> 
> Then place the following into
> /usr/ports/sysutils/ezjails/files/patch-Makefile-parameters
> so it is applied during a port rebuild:
> --- /usr/local/etc/rc.d/ezjail.orig     2012-01-10 06:44:01.000000000 +1100
> +++ ezjail.sh   2012-01-10 06:49:43.000000000 +1100
> @@ -112,6 +112,7 @@
> 
>        eval ezjail_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\"
>        eval ezjail_cpuset=\"\$jail_${ezjail_safename}_cpuset\"
> +      eval ezjail_parameters=\"\$jail_${ezjail_safename}_parameters\"
> 
>        # Attach ZFS-datasets to the jail
>        for zfs in ${ezjail_zfs_datasets}; do
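Review bot: the `eval ezjail_parameters=...` added beside the zfs_datasets and cpuset evals is never read in this block; the second hunk re-evaluates the same variable inside its own loop over ${ezjail_list}, so this line is dead code. Drop it here, or make the later loop use it instead of repeating the eval.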
> @@ -123,6 +124,18 @@
>      done
>    fi
> 
> +  if [ "${action%crypto}" = "start" -o "${action}" = "restart" ]; then
> +     for ezjail in ${ezjail_list}; do
> +       ezjail_safename=`echo -n "${ezjail}" | tr -c '[:alnum:]' _`
> +       [ -f "/var/run/jail_${ezjail_safename}.id" ] && ezjail_id=`cat
> /var/run/jail_${ezjail_safename}.id`
> +       # Assign parameters to the newly created jail per man 8 jail
> +       eval ezjail_parameters=\"\$jail_${ezjail_safename}_parameters\"
> +       [ -z "${ezjail_parameters}" ] || /usr/sbin/jail -m jid=${ezjail_id}
> ${ezjail_parameters}
> +       # This should be in /etc/rc.d/jail, but...
> +       /usr/sbin/jail -m jid=${ezjail_id} name=${ezjail_safename}
> +     done
> +   fi
> +
>    # Can only detach after unmounting (from fstab.JAILNAME in
> /etc/rc.d/jail)
>    attach_detach_post
>  }
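Review bot: the loop does not skip a jail whose /var/run/jail_${ezjail_safename}.id file is missing. With `[ -f "..." ] && ezjail_id=\`cat ...\``, ezjail_id is unset on the first iteration and still holds the previous jail's jid on later ones, so `jail -m jid=${ezjail_id} ${ezjail_parameters}` either fails or applies this jail's parameters (allow.raw_sockets and allow.sysvipc in the example above) to a different, already running jail. Use `[ -f "/var/run/jail_${ezjail_safename}.id" ] || continue` before reading the id, and fold the two `jail -m` calls into one: `/usr/sbin/jail -m jid=${ezjail_id} name=${ezjail_safename} ${ezjail_parameters}`.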
> 
> 
> Regards, Dewayne
> PS I'm not technical, just a tenacious bastard, so there's probably a better
> solution :)

The problem with this solution is that those parameters are applied to
the jail _after_ it has gone through the boot-up process. So if someone
thinks this will help for jails running e.g. postgres, it will not:
allow.sysvipc is set long after rc.d/postgres inside the jail has been
started, so the postgres database will not start correctly.

The same problem applies to putting ZFS datasets into jails, etc.

The problem here is rc.d/jail, which is not capable of all the new jail
features like spawning a jail, applying settings to it and then starting
it up. So the only solution to this problem I see is to create an rc.d/jail
of our own for ezjail which does support all the new features. But using
it must of course be optional, which introduces the problem of keeping
compatibility with the base system rc.d/jail.

greetings,
Philipp
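The ordering problem Philipp describes, shown as an added example that is not ezjail's, FreeBSD's or either poster's own code. The first function builds the jail(8) creation call in which every parameter (allow.sysvipc, allow.raw_sockets, ...) precedes exec.start, so it is already in effect when /etc/rc runs inside the jail; the second reproduces the patch's late `jail -m` call against an already booted jail; the third checks which of the two a parameter falls into. The jail name b1, root /usr/jails/b1 and address 192.0.2.10 are hypothetical, and the address must already be configured on a host interface (or be given with an `interface=` parameter) for the real call to succeed.

```shell
#!/bin/sh
# Added example (not ezjail's or FreeBSD's code). Demonstrates setting jail
# parameters at creation time, before the jail's /etc/rc runs, versus the
# patch's "jail -m" after the jail is already up.  Assumed values: jail b1,
# root /usr/jails/b1, address 192.0.2.10 (all hypothetical).

# Build the jail(8) creation command for $1 (jail name), $2 (root path),
# $3 (IPv4 address); remaining arguments are extra parameters such as
# allow.sysvipc.  All parameters come before exec.start, so jail(8) sets
# them on the new jail before it runs /bin/sh /etc/rc inside it.
jail_create_cmd() {
    name=$1 path=$2 addr=$3
    shift 3
    printf 'jail -c name=%s path=%s host.hostname=%s ip4.addr=%s' \
        "$name" "$path" "$name" "$addr"
    for p in "$@"; do
        printf ' %s' "$p"
    done
    printf ' persist exec.start="/bin/sh /etc/rc"\n'
}

# The late-application pattern from the quoted patch: the same parameters,
# but applied with "jail -m" to a jail (jid $1) that has already run /etc/rc,
# so services started by rc inside the jail never saw them.
jail_modify_cmd() {
    jid=$1
    shift
    printf 'jail -m jid=%s' "$jid"
    for p in "$@"; do
        printf ' %s' "$p"
    done
    printf '\n'
}

# Return 0 if parameter $2 appears in command line $1 ahead of exec.start,
# i.e. it takes effect before the jail's rc scripts start; 1 otherwise.
param_set_before_rc() {
    cmd=$1 param=$2
    case $cmd in
        *" $param "*"exec.start="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only create and boot the jail when explicitly asked (FreeBSD 9+, as root).
if [ "${RUN_JAIL:-no}" = "yes" ]; then
    eval "$(jail_create_cmd b1 /usr/jails/b1 192.0.2.10 allow.sysvipc allow.raw_sockets)"
else
    jail_create_cmd b1 /usr/jails/b1 192.0.2.10 allow.sysvipc allow.raw_sockets
    jail_modify_cmd 3 allow.sysvipc allow.raw_sockets
fi
```

Run with `RUN_JAIL=yes` on a FreeBSD host to actually create the jail; without it the script only prints the two command lines so the difference in ordering can be compared. A bare `allow.sysvipc` is jail(8)'s shorthand for `allow.sysvipc=1`, which is why the quoted patch can pass the parameter string through unchanged.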