jail revision 156441 
1#!/bin/sh
2#
3# $FreeBSD: head/etc/rc.d/jail 156441 2006-03-08 20:40:37Z fjoe $
4#
5
6# PROVIDE: jail
7# REQUIRE: LOGIN cleanvar
8# BEFORE: securelevel
9# KEYWORD: nojail shutdown
10
11. /etc/rc.subr
12
13name="jail"
14rcvar=`set_rcvar`
15start_cmd="jail_start"
16stop_cmd="jail_stop"
17
18# init_variables _j
19#	Initialize the various jail variables for jail _j.
20#
21init_variables()
22{
23	_j="$1"
24
25	if [ -z "$_j" ]; then
26		warn "init_variables: you must specify a jail"
27		return
28	fi
29
30	eval jail_rootdir=\"\$jail_${_j}_rootdir\"
31	jail_devdir="${jail_rootdir}/dev"
32	jail_fdescdir="${jail_devdir}/fd"
33	jail_procdir="${jail_rootdir}/proc"
34	eval jail_hostname=\"\$jail_${_j}_hostname\"
35	eval jail_ip=\"\$jail_${_j}_ip\"
36	eval jail_exec=\"\$jail_${_j}_exec\"
37	eval jail_exec_start=\"\$jail_${_j}_exec_start\"
38	eval jail_exec_stop=\"\$jail_${_j}_exec_stop\"
39	if [ -n "${jail_exec}" ]; then
40		#   simple/backward-compatible execution
41		jail_exec_start="${jail_exec}"
42		jail_exec_stop=""
43	else
44		#   flexible execution
45		if [ -z "${jail_exec_start}" ]; then
46			jail_exec_start="/bin/sh /etc/rc"
47			if [ -z "${jail_exec_stop}" ]; then
48				jail_exec_stop="/bin/sh /etc/rc.shutdown"
49			fi
50		fi
51	fi
52
53	# The default jail ruleset will be used by rc.subr if none is specified.
54	eval jail_ruleset=\"\$jail_${_j}_devfs_ruleset\"
55	eval jail_devfs=\"\$jail_${_j}_devfs_enable\"
56	[ -z "${jail_devfs}" ] && jail_devfs="NO"
57	eval jail_fdescfs=\"\$jail_${_j}_fdescfs_enable\"
58	[ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
59	eval jail_procfs=\"\$jail_${_j}_procfs_enable\"
60	[ -z "${jail_procfs}" ] && jail_procfs="NO"
61
62	eval jail_mount=\"\$jail_${_j}_mount_enable\"
63	[ -z "${jail_mount}" ] && jail_mount="NO"
64	# "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
65	eval jail_fstab=\"\$jail_${_j}_fstab\"
66	[ -z "${jail_fstab}" ] && jail_fstab="/etc/fstab.${_j}"
67	eval jail_flags=\"\$jail_${_j}_flags\"
68	[ -z "${jail_flags}" ] && jail_flags="-l -U root"
69
70	# Debugging aid
71	#
72	debug "$_j devfs enable: $jail_devfs"
73	debug "$_j fdescfs enable: $jail_fdescfs"
74	debug "$_j procfs enable: $jail_procfs"
75	debug "$_j mount enable: $jail_mount"
76	debug "$_j hostname: $jail_hostname"
77	debug "$_j ip: $jail_ip"
78	debug "$_j root: $jail_rootdir"
79	debug "$_j devdir: $jail_devdir"
80	debug "$_j fdescdir: $jail_fdescdir"
81	debug "$_j procdir: $jail_procdir"
82	debug "$_j ruleset: $jail_ruleset"
83	debug "$_j fstab: $jail_fstab"
84	debug "$_j exec start: $jail_exec_start"
85	debug "$_j exec stop: $jail_exec_stop"
86	debug "$_j flags: $jail_flags"
87}
88
89# set_sysctl rc_knob mib msg
90#	If the mib sysctl is set according to what rc_knob
91#	specifies, this function does nothing. However if
92#	rc_knob is set differently than mib, then the mib
93#	is set accordingly and msg is displayed followed by
94#	an '=" sign and the word 'YES' or 'NO'.
95#
96set_sysctl()
97{
98	_knob="$1"
99	_mib="$2"
100	_msg="$3"
101
102	_current=`${SYSCTL} -n $_mib 2>/dev/null`
103	if checkyesno $_knob ; then
104		if [ "$_current" -ne 1 ]; then
105			echo -n " ${_msg}=YES"
106			${SYSCTL_W} 1>/dev/null ${_mib}=1
107		fi
108	else
109		if [ "$_current" -ne 0 ]; then
110			echo -n " ${_msg}=NO"
111			${SYSCTL_W} 1>/dev/null ${_mib}=0
112		fi
113	fi
114}
115
116# jail_umount_fs
117#	This function unmounts certain special filesystems in the
118#	currently selected jail. The caller must call the init_variables()
119#	routine before calling this one.
120#
121jail_umount_fs()
122{
123	if checkyesno jail_fdescfs; then
124		if [ -d "${jail_fdescdir}" ] ; then
125			umount -f ${jail_fdescdir} >/dev/null 2>&1
126		fi
127	fi
128	if checkyesno jail_devfs; then
129		if [ -d "${jail_devdir}" ] ; then
130			umount -f ${jail_devdir} >/dev/null 2>&1
131		fi
132	fi
133	if checkyesno jail_procfs; then
134		if [ -d "${jail_procdir}" ] ; then
135			umount -f ${jail_procdir} >/dev/null 2>&1
136		fi
137	fi
138	if checkyesno jail_mount; then
139		[ -f "${jail_fstab}" ] || warn "${jail_fstab} does not exist"
140		umount -a -F "${jail_fstab}" >/dev/null 2>&1
141	fi
142}
143
144jail_start()
145{
146	echo -n 'Configuring jails:'
147	set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
148	    set_hostname_allow
149	set_sysctl jail_socket_unixiproute_only \
150	    security.jail.socket_unixiproute_only unixiproute_only
151	set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
152	    sysvipc_allow
153	echo '.'
154
155	echo -n 'Starting jails:'
156	_tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
157	    err 3 "$name: Can't create temp dir, exiting..."
158	for _jail in ${jail_list}
159	do
160		init_variables $_jail
161		if [ -f /var/run/jail_${_jail}.id ]; then
162			echo -n " [${jail_hostname} already running (/var/run/jail_${_jail}.id exists)]"
163			continue;
164		fi
165		if checkyesno jail_mount; then
166			info "Mounting fstab for jail ${_jail} (${jail_fstab})"
167			if [ ! -f "${jail_fstab}" ]; then
168				err 3 "$name: ${jail_fstab} does not exist"
169			fi
170			mount -a -F "${jail_fstab}"
171		fi
172		if checkyesno jail_devfs; then
173			# If devfs is already mounted here, skip it.
174			df -t devfs "${jail_devdir}" >/dev/null
175			if [ $? -ne 0 ]; then
176				info "Mounting devfs on ${jail_devdir}"
177				devfs_mount_jail "${jail_devdir}" ${jail_ruleset}
178				# Transitional symlink for old binaries
179				if [ ! -L "${jail_devdir}/log" ]; then
180					__pwd="`pwd`"
181					cd "${jail_devdir}"
182					ln -sf ../var/run/log log
183					cd "$__pwd"
184				fi
185			fi
186
187			# XXX - It seems symlinks don't work when there
188			#	is a devfs(5) device of the same name.
189			# Jail console output
190			#	__pwd="`pwd`"
191			#	cd "${jail_devdir}"
192			#	ln -sf ../var/log/console console
193			#	cd "$__pwd"
194		fi
195		if checkyesno jail_fdescfs; then
196			info "Mounting fdescfs on ${jail_fdescdir}"
197			mount -t fdescfs fdesc "${jail_fdescdir}"
198		fi
199		if checkyesno jail_procfs; then
200			info "Mounting procfs onto ${jail_procdir}"
201			if [ -d "${jail_procdir}" ] ; then
202				mount -t procfs proc "${jail_procdir}"
203			fi
204		fi
205		_tmp_jail=${_tmp_dir}/jail.$$
206		eval jail ${jail_flags} -i ${jail_rootdir} ${jail_hostname} \
207			${jail_ip} ${jail_exec_start} > ${_tmp_jail} 2>&1
208		[ "$?" -eq 0 ] && echo -n " $jail_hostname"
209		_jail_id=$(head -1 ${_tmp_jail})
210		tail +2 ${_tmp_jail} >${jail_rootdir}/var/log/console.log
211		rm -f ${_tmp_jail}
212		echo ${_jail_id} > /var/run/jail_${_jail}.id
213	done
214	rmdir ${_tmp_dir}
215	echo '.'
216}
217
218jail_stop()
219{
220	echo -n 'Stopping jails:'
221	for _jail in ${jail_list}
222	do
223		if [ -f "/var/run/jail_${_jail}.id" ]; then
224			_jail_id=$(cat /var/run/jail_${_jail}.id)
225			if [ ! -z "${_jail_id}" ]; then
226				init_variables $_jail
227				if [ -n "${jail_exec_stop}" ]; then
228					eval env -i /usr/sbin/jexec ${_jail_id} ${jail_exec_stop} \
229						>> ${jail_rootdir}/var/log/console.log 2>&1
230				fi
231				killall -j ${_jail_id} -TERM > /dev/null 2>&1
232				sleep 1
233				killall -j ${_jail_id} -KILL > /dev/null 2>&1
234				jail_umount_fs
235				echo -n " $jail_hostname"
236			fi
237			rm /var/run/jail_${_jail}.id
238		else
239			echo "cannot stop jail ${_jail}. No jail id in /var/run"
240		fi
241	done
242	echo '.'
243}
244
245load_rc_config $name
246cmd="$1"
247if [ $# -gt 0 ]; then
248	shift
249fi
250if [ -n "$*" ]; then
251	jail_list="$*"
252fi
253run_rc_command "${cmd}"
254