From owner-freebsd-arch@FreeBSD.ORG Sun Oct 6 01:24:03 2013
From: Hiroki Sato <hrs@FreeBSD.org>
To: des@des.no
Cc: arch@FreeBSD.org, dteske@FreeBSD.org, jamie@FreeBSD.org, slw@zxy.spb.ru
Subject: Re: jail configuration
Date: Sun, 06 Oct 2013 10:23:10 +0900 (JST)
Message-Id: <20131006.102310.20550923549608963.hrs@allbsd.org>
In-Reply-To: <86d2o8k6zf.fsf@nine.des.no>

Dag-Erling Smørgrav wrote in <86d2o8k6zf.fsf@nine.des.no>:

de> "Teske, Devin" writes:
de> > I've been thinking about maybe writing a tool (or 2). Options on the table:
de> >
de> > 1. Tool like sysrc that allows you to modify/maintain jail.conf from CLI?
de> > 2. Tool to migrate from rc.conf to jail.conf?
de> > 3. Both?
de>
de> A shell script that does 2. should be sufficient, IMHO.

I tried to rewrite rc.d/jail with backward compatibility. It still looks complex, but the LOC falls to one-half. I think we can remove the compat part later, before 11.0. After the removal, this will be very similar to your patch. The patch for jail(8) is a small bug fix.

a) config file support

  jail_enable="YES"
  jail_conf="/etc/jail.conf"   # /etc/jail.conf if not specified.
  jail_list="hosta hostb"      # all instances if not specified.

b) old rc.conf variables support (will be removed eventually)

  jail_enable="YES"
  jail_list="hosta hostb"
  jail_hosta_hostname="hosta.example.com"
  jail_hosta_ip="192.168.2.1,192.168.2.2"
  jail_hosta_rootdir="/jail/hosta"
  ....

These configuration variables will be converted into /var/run/jail_{name}.conf. While this is basically backward compatible, procfs_enable and fdescfs_enable are not supported.

c) mixed environment

Even if /etc/jail.conf exists, rc.d/jail attempts to create and use /var/run/jail_{name}.conf when both jail_{name}_hostname and jail_{name}_rootdir are defined. If they are not defined, it attempts to use /etc/jail.conf (or $jail_conf). This decision is made on a per-jail basis.

d) conversion from rc.conf variables to config file

  # /etc/rc.d/jail config

/var/run/jail_{name}.conf is created.

I think this does not break the existing configurations (more testing needed, of course), and one can convert by "rc.d/jail convert" and copy-n-paste the results to /etc/jail.conf. If one uses /etc/jail.conf, just the $jail_enable variable will do the trick.

What do you think about this?
-- 
Hiroki

[Attachment: jail_20131006-1.diff (Text/X-Patch)]

Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail (revision 256066)
+++ etc/rc.d/jail (working copy)
@@ -8,27 +8,84 @@ # BEFORE: securelevel # KEYWORD: nojail shutdown -# WARNING: This script deals with untrusted data (the data and -# processes inside the jails) and care must be taken when changing the -# code related to this! If you have any doubt whether a change is -# correct and have security impact, please get the patch reviewed by -# the FreeBSD Security Team prior to commit. - . /etc/rc.subr name="jail" rcvar="jail_enable" -start_precmd="jail_prestart" start_cmd="jail_start" stop_cmd="jail_stop" +config_cmd="jail_config" +console_cmd="jail_console" +status_cmd="jail_status" +extra_commands="config console status" +need_dad_wait= +: ${jail_conf:=/etc/jail.conf} +: ${jail_program:=/usr/sbin/jail} +: ${jail_consolecmd:=/bin/sh} +: ${jail_jexec:=/usr/sbin/jexec} +: ${jail_jls:=/usr/sbin/jls} -# init_variables _j -# Initialize the various jail variables for jail _j. +# extact_var jail name param num defval +# Extract value from ${jail_$jail_$name} or ${jail_$name} and +# set it to $param. If not defined, $defval is used. +# When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and +# $param is set by using +=. +# When $num is YN or NY, the value is interpret as boolean. 
+extract_var() +{ + local i _j _name _param _num _def + _j=$1 + _name=$2 + _param=$3 + _num=$4 + _def=$5 + + case $_num in + YN) + eval : \${jail_${_j}_${_name}:=\${jail_${_name}:-${_def}}} + if checkyesno jail_${_j}_$_name; then + echo " $_param = 1;" + else + echo " $_param = 0;" + fi + ;; + NY) + eval : \${jail_${_j}_${_name}:=\${jail_${_name}:-${_def}}} + if checkyesno jail_${_j}_$_name; then + echo " $_param = 0;" + else + echo " $_param = 1;" + fi + ;; + [0-9]*) + i=$_num + while : ; do + eval _tmpargs=\"\${jail_${_j}_${_name}${i}:-\${jail_${_name}${i}:-${_def}}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param += \"$_tmpargs\";" + else + break; + fi + i=$(($i + 1)) + done + ;; + *) + eval _tmpargs=\"\${jail_${_j}_${_name}:-\${jail_${_name}:-${_def}}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param = \"$_tmpargs\";" + fi + ;; + esac +} + +# parse_options _j +# Parse options and create a temporary configuration file if necessary. # -init_variables() +parse_options() { - _j="$1" + local _j + _j=$1 if [ -z "$_j" ]; then warn "init_variables: you must specify a jail" 
@@ -36,53 +93,43 @@ fi eval _rootdir=\"\$jail_${_j}_rootdir\" + eval _hostname=\"\$jail_${_j}_hostname\" + if [ -z "$_rootdir" -o \ + -z "$_hostname" ]; then + if [ -r /etc/jail.${_j}.conf ]; then + _conf=/etc/jail.${_j}.conf + return 0 + elif [ -r "$jail_conf" ]; then + _conf="$jail_conf" + return 0 + else + warn "Invalid configuration for $_j " \ + "(no hostname or no path). " \ + "Jail $_j was ignored." + fi + return 1 + fi + eval _ip=\"\$jail_${_j}_ip\" + if [ -z "$_ip" ] && ! check_kern_features vimage; then + warn "no ipaddress specified and no vimage support. " \ + "Jail $_j was ignored." + return 1 + fi _devdir="${_rootdir}/dev" _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" - eval _hostname=\"\$jail_${_j}_hostname\" - eval _ip=\"\$jail_${_j}_ip\" - eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" - eval _exec=\"\$jail_${_j}_exec\" + _conf=/var/run/jail.${_j}.conf - i=0 - while : ; do - eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\" - [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break - i=$((i + 1)) - done + # To relieve confusion, show a warning message. + if [ -r "$jail_conf" ]; then + warn "$_conf is created and used for jail $_j." 
+ fi + /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1 - eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" - - i=1 - while : ; do - eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\" - [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break - i=$((i + 1)) - done - - i=0 - while : ; do - eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\" - [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break - i=$((i + 1)) - done - - i=0 - while : ; do - eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\" - [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break - i=$((i + 1)) - done - - eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" - - i=0 - while : ; do - eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\" - [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break - i=$((i + 1)) - done - + eval : \${jail_${_j}_flags:=${jail_flags}} + eval _exec=\"\$jail_${_j}_exec\" + eval _exec_start=\"\$jail_${_j}_exec_start\" + eval _exec_stop=\"\$jail_${_j}_exec_stop\" if [ -n "${_exec}" ]; then # simple/backward-compatible execution _exec_start="${_exec}" 
@@ -96,285 +143,86 @@ fi fi fi - - # The default jail ruleset will be used by rc.subr if none is specified. - eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" - eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" - [ -z "${_devfs}" ] && _devfs="NO" - eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" - [ -z "${_fdescfs}" ] && _fdescfs="NO" - eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" - [ -z "${_procfs}" ] && _procfs="NO" - - eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" - [ -z "${_mount}" ] && _mount="NO" - # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified. - eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" - [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" - eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags="-l -U root" - eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" - [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" + eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _parameters=\"\${jail_${_j}_parameters:-${jail_parameters}}\" - [ -z "${_parameters}" ] && _parameters="" - eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" + eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" + ( + date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" + echo "$_j {" + extract_var $_j hostname host.hostname - "" + extract_var $_j rootdir path - "" + if [ -n "$_ip" ]; then + extract_var $_j interface interface - "" + jail_handle_ips_option $_ip $_interface + alias=0 + while : ; do + eval _x=\"\$jail_${_jail}_ip_multi${alias}\" + [ -z "$_x" ] && break - # Debugging aid - # - debug "$_j devfs enable: $_devfs" - debug "$_j fdescfs enable: $_fdescfs" - debug "$_j procfs enable: $_procfs" - debug "$_j mount enable: $_mount" - debug "$_j hostname: $_hostname" - debug "$_j ip: $_ip" - jail_show_addresses ${_j} - debug "$_j interface: $_interface" - debug "$_j 
fib: $_fib" - debug "$_j root: $_rootdir" - debug "$_j devdir: $_devdir" - debug "$_j fdescdir: $_fdescdir" - debug "$_j procdir: $_procdir" - debug "$_j ruleset: $_ruleset" - debug "$_j fstab: $_fstab" - - i=0 - while : ; do - eval out=\"\${_exec_prestart${i}:-''}\" - if [ -z "$out" ]; then - break + jail_handle_ips_option $_x $_interface + alias=$(($alias + 1)) + done + case $need_dad_wait in + 1) + # Sleep to let DAD complete before + # starting services. + echo " exec.start += \"sleep " \ + $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \ + "\";" + ;; + esac + # These are applicable only to non-vimage jails. + extract_var $_j fib exec.fib - "" + extract_var $_j socket_unixiproute_only \ + allow.raw_sockets NY YES + _vnet=0 + else + echo " vnet;" + _vnet=1 fi - debug "$_j exec pre-start #${i}: ${out}" - i=$((i + 1)) - done - debug "$_j exec start: $_exec_start" + echo " exec.clean;" + echo " exec.system_user = \"root\";" + echo " exec.jail_user = \"root\";" + extract_var $_j exec_prestart exec.prestart 0 "" + extract_var $_j exec_poststart exec.poststart 0 "" + extract_var $_j exec_prestop exec.prestop 0 "" + extract_var $_j exec_poststop exec.poststop 0 "" - i=1 - while : ; do - eval out=\"\${_exec_afterstart${i}:-''}\" + echo " exec.start += \"$_exec_start\";" + extract_var $_j exec_afterstart exec.start 1 "" + echo " exec.stop = \"$_exec_stop\";" - if [ -z "$out" ]; then - break; - fi + extract_var $_j consolelog exec.consolelog - \ + /var/log/jail_${_j}_console.log - debug "$_j exec after start #${i}: ${out}" - i=$((i + 1)) - done - - i=0 - while : ; do - eval out=\"\${_exec_poststart${i}:-''}\" - if [ -z "$out" ]; then - break + eval : \${jail_${_j}_devfs_enable:=${jail_devfs_enable:-NO}} + if checkyesno jail_${_j}_devfs_enable; then + echo " mount.devfs;" + extract_var $_j devfs_ruleset devfs_ruleset - 4 + if [ -r $_fstab ]; then + echo " mount.fstab = \"$_fstab\";" + fi fi - debug "$_j exec post-start #${i}: ${out}" - i=$((i + 1)) - done - i=0 - while : 
; do - eval out=\"\${_exec_prestop${i}:-''}\" - if [ -z "$out" ]; then - break - fi - debug "$_j exec pre-stop #${i}: ${out}" - i=$((i + 1)) - done + # fdescfs and procfs should be added for backward compatibility. - debug "$_j exec stop: $_exec_stop" + echo " ${_parameters};" - i=0 - while : ; do - eval out=\"\${_exec_poststop${i}:-''}\" - if [ -z "$out" ]; then - break + eval : \${jail_${_j}_mount_enable:=${jail_mount_enable:-NO}} + if checkyesno jail_${_j}_mount_enable; then + echo " allow.mount;" >> $_conf fi - debug "$_j exec post-stop #${i}: ${out}" - i=$((i + 1)) - done - debug "$_j flags: $_flags" - debug "$_j consolelog: $_consolelog" - debug "$_j parameters: $_parameters" + extract_var $_j set_hostname_allow allow.set_hostname YN NO + extract_var $_j sysvipc_allow allow.sysvipc YN NO + echo "}" + ) >> $_conf - if [ -z "${_hostname}" ]; then - err 3 "$name: No hostname has been defined for ${_j}" - fi - if [ -z "${_rootdir}" ]; then - err 3 "$name: No root directory has been defined for ${_j}" - fi + return 0 } -# set_sysctl rc_knob mib msg -# If the mib sysctl is set according to what rc_knob -# specifies, this function does nothing. However if -# rc_knob is set differently than mib, then the mib -# is set accordingly and msg is displayed followed by -# an '=" sign and the word 'YES' or 'NO'. -# -set_sysctl() -{ - _knob="$1" - _mib="$2" - _msg="$3" - - _current=`${SYSCTL} -n $_mib 2>/dev/null` - if checkyesno $_knob ; then - if [ "$_current" -ne 1 ]; then - echo -n " ${_msg}=YES" - ${SYSCTL} 1>/dev/null ${_mib}=1 - fi - else - if [ "$_current" -ne 0 ]; then - echo -n " ${_msg}=NO" - ${SYSCTL} 1>/dev/null ${_mib}=0 - fi - fi -} - -# is_current_mountpoint() -# Is the directory mount point for a currently mounted file -# system? -# -is_current_mountpoint() -{ - local _dir _dir2 - - _dir=$1 - - _dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'` - [ ! 
-d "${_dir}" ] && return 1 - _dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'` - [ "${_dir}" = "${_dir2}" ] - return $? -} - -# is_symlinked_mountpoint() -# Is a mount point, or any of its parent directories, a symlink? -# -is_symlinked_mountpoint() -{ - local _dir - - _dir=$1 - - [ -L "$_dir" ] && return 0 - [ "$_dir" = "/" ] && return 1 - is_symlinked_mountpoint `dirname $_dir` - return $? -} - -# secure_umount -# Try to unmount a mount point without being vulnerable to -# symlink attacks. -# -secure_umount() -{ - local _dir - - _dir=$1 - - if is_current_mountpoint ${_dir}; then - umount -f ${_dir} >/dev/null 2>&1 - else - debug "Nothing mounted on ${_dir} - not unmounting" - fi -} - - -# jail_umount_fs -# This function unmounts certain special filesystems in the -# currently selected jail. The caller must call the init_variables() -# routine before calling this one. -# -jail_umount_fs() -{ - local _device _mountpt _rest - - if checkyesno _fdescfs; then - if [ -d "${_fdescdir}" ] ; then - secure_umount ${_fdescdir} - fi - fi - if checkyesno _devfs; then - if [ -d "${_devdir}" ] ; then - secure_umount ${_devdir} - fi - fi - if checkyesno _procfs; then - if [ -d "${_procdir}" ] ; then - secure_umount ${_procdir} - fi - fi - if checkyesno _mount; then - [ -f "${_fstab}" ] || warn "${_fstab} does not exist" - tail -r ${_fstab} | while read _device _mountpt _rest; do - case ":${_device}" in - :#* | :) - continue - ;; - esac - secure_umount ${_mountpt} - done - fi -} - -# jail_mount_fstab() -# Mount file systems from a per jail fstab while trying to -# secure against symlink attacks at the mount points. -# -# If we are certain we cannot secure against symlink attacks we -# do not mount all of the file systems (since we cannot just not -# mount the file system with the problematic mount point). -# -# The caller must call the init_variables() routine before -# calling this one. 
-# -jail_mount_fstab() -{ - local _device _mountpt _rest - - while read _device _mountpt _rest; do - case ":${_device}" in - :#* | :) - continue - ;; - esac - if is_symlinked_mountpoint ${_mountpt}; then - warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}" - return - fi - done <${_fstab} - mount -a -F "${_fstab}" -} - -# jail_show_addresses jail -# Debug print the input for the given _multi aliases -# for a jail for init_variables(). -# -jail_show_addresses() -{ - local _j _type alias - _j="$1" - alias=0 - - if [ -z "${_j}" ]; then - warn "jail_show_addresses: you must specify a jail" - return - fi - - while : ; do - eval _addr=\"\$jail_${_j}_ip_multi${alias}\" - if [ -n "${_addr}" ]; then - debug "${_j} ip_multi${alias}: $_addr" - alias=$((${alias} + 1)) - else - break - fi - done -} - -# jail_extract_address argument +# jail_extract_address argument iface # The second argument is the string from one of the _ip # or the _multi variables. In case of a comma separated list # only one argument must be passed in at a time. @@ -382,8 +230,9 @@ # jail_extract_address() { - local _i + local _i _interface _i=$1 + _interface=$2 if [ -z "${_i}" ]; then warn "jail_extract_address: called without input" @@ -439,12 +288,12 @@ _mask=${_mask:-/32} elif [ "${_type}" = "inet6" ]; then - # In case _maske is not set for IPv6, use /128. - _mask=${_mask:-/128} + # In case _maske is not set for IPv6, use /64. + _mask=${_mask:-/64} fi } -# jail_handle_ips_option {add,del} input +# jail_handle_ips_option input iface # Handle a single argument imput which can be a comma separated # list of addresses (theoretically with an option interface and # prefix/netmask/prefixlen). @@ -451,9 +300,9 @@ # jail_handle_ips_option() { - local _x _action _type _i - _action=$1 - _x=$2 + local _x _type _i _iface + _x=$1 + _iface=$2 if [ -z "${_x}" ]; then # No IP given. This can happen for the primary address 
@@ -468,282 +317,134 @@ *,*) # Extract the first argument and strip it off the list. _i=`expr "${_x}" : '^\([^,]*\)'` _x=`expr "${_x}" : "^[^,]*,\(.*\)"` - ;; + ;; *) _i=${_x} _x="" - ;; + ;; esac _type="" - _iface="" _addr="" _mask="" - jail_extract_address "${_i}" + jail_extract_address $_i $_iface # make sure we got an address. - case "${_addr}" in + case $_addr in "") continue ;; *) ;; esac # Append address to list of addresses for the jail command. - case "${_type}" in + case $_type in inet) - case "${_addrl}" in - "") _addrl="${_addr}" ;; - *) _addrl="${_addrl},${_addr}" ;; - esac - ;; + echo " ip4.addr += \"${_addr}${_mask}\";" + ;; inet6) - case "${_addr6l}" in - "") _addr6l="${_addr}" ;; - *) _addr6l="${_addr6l},${_addr}" ;; - esac - ;; + echo " ip6.addr += \"${_addr}${_mask}\";" + need_dad_wait=1 + ;; esac - - # Configure interface alias if requested by a given interface - # and if we could correctly parse everything. - case "${_iface}" in - "") continue ;; - esac - case "${_type}" in - inet) ;; - inet6) ipv6_address_count=$((ipv6_address_count + 1)) ;; - *) warn "Could not determine address family. Not going" \ - "to ${_action} address '${_addr}' for ${_jail}." - continue - ;; - esac - case "${_action}" in - add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias - ;; - del) # When removing the IP, ignore the _mask. - ifconfig ${_iface} ${_type} ${_addr} -alias - ;; - esac done } -# jail_ips {add,del} -# Extract the comma separated list of addresses and return them -# for the jail command. -# Handle more than one address via the _multi option as well. -# If an interface is given also add/remove an alias for the -# address with an optional netmask. -# -jail_ips() + +jail_config() { - local _action - _action=$1 - - case "${_action}" in - add) ;; - del) ;; - *) warn "jail_ips: invalid action '${_action}'" - return - ;; + case $1 in + _ALL) return ;; esac - - # Handle addresses. 
- ipv6_address_count=0 - jail_handle_ips_option ${_action} "${_ip}" - # Handle jail_xxx_ip_multi - alias=0 - while : ; do - eval _x=\"\$jail_${_jail}_ip_multi${alias}\" - case "${_x}" in - "") break ;; - *) jail_handle_ips_option ${_action} "${_x}" - alias=$((${alias} + 1)) - ;; - esac + for _jail in $@; do + if parse_options $_jail; then + echo "$_jail: parameters are in $_conf." + fi done - case ${ipv6_address_count} in - 0) ;; - *) # Sleep 1 second to let DAD complete before starting services. - sleep 1 - ;; - esac } -jail_prestart() +jail_console() { - if checkyesno jail_parallel_start; then - command_args='&' + if [ $# != 1 ]; then + err 3 "Specify a jail name." fi + case $1 in + _ALL) err 3 "Specify a jail name." ;; + esac + eval _cmd=\${jail_$1_consolecmd:-${jail_consolecmd}} + $jail_jexec $1 $_cmd } +jail_status() +{ + + $jail_jls -N +} + jail_start() { - echo -n 'Configuring jails:' - set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \ - set_hostname_allow - set_sysctl jail_socket_unixiproute_only \ - security.jail.socket_unixiproute_only unixiproute_only - set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \ - sysvipc_allow - echo '.' + if [ $# = 0 ]; then + return + fi + echo -n 'Starting jails:' + case $1 in + _ALL) + echo -n ' ' + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -c" + $command $rc_flags $command_args "*" + echo '.' + return + ;; + esac + _tmp=`mktemp -t jail` || exit 3 + for _jail in $@; do + parse_options $_jail || continue - echo -n 'Starting jails:' - _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \ - err 3 "$name: Can't create temp dir, exiting..." 
- for _jail in ${jail_list} - do - init_variables $_jail - if [ -f /var/run/jail_${_jail}.id ]; then - echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]" - continue; - fi - _addrl="" - _addr6l="" - jail_ips "add" - if [ -n "${_fib}" ]; then - _setfib="setfib -F '${_fib}'" + eval rc_flags=\${jail_${_j}_flags:-$jail_flags} + eval command=\${jail_${_j}_program:-$jail_program} + if checkyesno jail_parallel_start; then + command_args="-i -f $_conf -c $_jail &" else - _setfib="" + command_args="-i -f $_conf -c $_jail" fi - if checkyesno _mount; then - info "Mounting fstab for jail ${_jail} (${_fstab})" - if [ ! -f "${_fstab}" ]; then - err 3 "$name: ${_fstab} does not exist" - fi - jail_mount_fstab - fi - if checkyesno _devfs; then - # If devfs is already mounted here, skip it. - df -t devfs "${_devdir}" >/dev/null - if [ $? -ne 0 ]; then - if is_symlinked_mountpoint ${_devdir}; then - warn "${_devdir} has symlink as parent - not starting jail ${_jail}" - continue - fi - info "Mounting devfs on ${_devdir}" - devfs_mount_jail "${_devdir}" ${_ruleset} - # Transitional symlink for old binaries - if [ ! -L "${_devdir}/log" ]; then - ln -sf ../var/run/log "${_devdir}/log" - fi - fi - - # XXX - It seems symlinks don't work when there - # is a devfs(5) device of the same name. 
- # Jail console output - # __pwd="`pwd`" - # cd "${_devdir}" - # ln -sf ../var/log/console console - # cd "$__pwd" - fi - if checkyesno _fdescfs; then - if is_symlinked_mountpoint ${_fdescdir}; then - warn "${_fdescdir} has symlink as parent, not mounting" - else - info "Mounting fdescfs on ${_fdescdir}" - mount -t fdescfs fdesc "${_fdescdir}" - fi - fi - if checkyesno _procfs; then - if is_symlinked_mountpoint ${_procdir}; then - warn "${_procdir} has symlink as parent, not mounting" - else - info "Mounting procfs onto ${_procdir}" - if [ -d "${_procdir}" ] ; then - mount -t procfs proc "${_procdir}" - fi - fi - fi - _tmp_jail=${_tmp_dir}/jail.$$ - - i=0 - while : ; do - eval out=\"\${_exec_prestart${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done - - eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ - ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ - ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ - ${_consolelog} - echo ${_jail_id} > /var/run/jail_${_jail}.id - - i=0 - while : ; do - eval out=\"\${_exec_poststart${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done + case $_vnet in + 0) eval _fib=\${jail_${_j}_fib:-${jail_fib}} ;; + *) _fib= ;; + esac + if ${_fib:+${SETFIB_CMD} -F $_fib} \ + $command $rc_flags $command_args \ + >> $_tmp 2>&1 > ${_consolelog} 2>&1 - fi - killall -j ${_jail_id} -TERM > /dev/null 2>&1 - sleep 1 - killall -j ${_jail_id} -KILL > /dev/null 2>&1 - jail_umount_fs - echo -n " $_hostname" - - i=0 - while : ; do - eval out=\"\${_exec_poststop${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done - fi - jail_ips "del" - rm /var/run/jail_${_jail}.id - else - echo " cannot stop jail ${_jail}. No jail id in /var/run" + case $1 in + _ALL) + echo -n ' ' + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -r" + $command $rc_flags $command_args "*" + echo '.' 
+ return + ;; + esac + for _jail in $@; do + parse_options $_jail || continue + eval command=\${jail_${_j}_program:-$jail_program} + if $command -q -f $_conf -r $_jail; then + echo -n " ${_hostname:-${_jail}}" fi done echo '.' @@ -750,12 +451,7 @@ } load_rc_config $name -cmd="$1" -if [ $# -gt 0 ]; then - shift -fi -if [ -n "$*" ]; then - jail_list="$*" -fi - -run_rc_command "${cmd}" +case $# in +1) run_rc_command $@ ${jail_list:-_ALL} ;; +*) run_rc_command $@ ;; +esac Index: usr.sbin/jail/jail.c =================================================================== --- usr.sbin/jail/jail.c (revision 255979) +++ usr.sbin/jail/jail.c (working copy) 
@@ -470,10 +470,12 @@ if (dep_check(j)) continue; if (j->jid < 0) { - if (!(j->flags & (JF_DEPEND | JF_WILD)) - && verbose >= 0) - jail_quoted_warnx(j, - "not found", NULL); + if (!(j->flags & (JF_DEPEND|JF_WILD))) { + if (verbose >= 0) + jail_quoted_warnx(j, + "not found", NULL); + failed(j); + } goto jail_remove_done; } j->comparam = stopcommands;

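Review bot: the WARNING comment removed at the top of the first rc.d/jail hunk ("This script deals with untrusted data ... get the patch reviewed by the FreeBSD Security Team prior to commit") should be kept: the rewritten script still generates configuration from per-jail variables, emits mount.fstab and mount.devfs for directories under the jail root and hands paths to jail(8), and nothing in the hunk says why that guidance no longer applies. In the same hunk, extract_var writes values verbatim with `echo " $_param = \"$_tmpargs\";"`, so a value containing a double quote or a backslash yields a stanza that jail(8) either rejects or reads as additional parameters; escape `\` and `"` before emitting, add _tmpargs to the `local` list, and fix the header comment ("extact_var", "interpret as boolean").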
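Review bot: the `warn "$_conf is created and used for jail $_j."` at the end of the second rc.d/jail hunk only fires when $jail_conf is readable, so a system that still has only rc.conf variables never sees a deprecation notice; print it for every generated file, as the reply below also asks. The same hunk creates /var/run/jail.${_j}.conf and looks for /etc/jail.${_j}.conf, while the mail describes /var/run/jail_{name}.conf and does not mention a per-jail /etc file; pick one spelling and document both behaviours. The unchanged `warn "init_variables: you must specify a jail"` still names the old function.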
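Review bot: in the third rc.d/jail hunk, `echo " allow.mount;" >> $_conf` sits inside the `( ... ) >> $_conf` subshell that already appends to the same file; drop the inner redirection so every line goes through one output stream. Also `eval _x=\"\$jail_${_jail}_ip_multi${alias}\"` reads $_jail, the caller's loop variable, while the rest of parse_options uses its `local _j`; use $_j there, otherwise the ip_multi aliases are silently skipped whenever the function is called from a loop that uses another variable name.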
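Review bot: in the jail_extract_address hunk the IPv6 default changes from /128 to /64 (and the comment still reads "_maske"); since the prefix is now carried into ip6.addr in the generated config, this silently changes how every existing jail_*_ip value without an explicit prefix is applied, so either keep /128 or state the change in the mail and in the rc.conf(5) text.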
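Review bot: in jail_start, `eval rc_flags=\${jail_${_j}_flags:-$jail_flags}`, `eval command=\${jail_${_j}_program:-$jail_program}` and `0) eval _fib=\${jail_${_j}_fib:-${jail_fib}}` expand $_j, which is `local` to parse_options and therefore empty here; the loop variable is $_jail, so per-jail flags, program and fib always fall through to the global defaults (jail_stop's `eval command=\${jail_${_j}_program:-$jail_program}` has the same bug). The redirection `>> $_tmp 2>&1 > ${_consolelog} 2>&1` also refers to _consolelog, which the new parse_options never sets in the visible lines (extract_var only writes exec.consolelog into the config), so the target expands to an empty word and the start command fails; since exec.consolelog in the generated file already covers the console, `>> $_tmp 2>&1` alone is enough.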
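Review bot: `1) run_rc_command $@ ${jail_list:-_ALL} ;;` in the last rc.d/jail hunk passes the literal string _ALL as a jail name and relies on jail_start, jail_stop and jail_config special-casing it, but jail_status ignores its arguments and nothing prevents a real jail from being named _ALL; handling the empty jail_list case before dispatch, or passing the "all jails" choice in a variable rather than as a magic argument, avoids the collision.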
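Review bot: adding `failed(j)` for a jail that is not found makes `jail -r` exit non-zero in that case, and the new jail_stop depends on exactly that (`if $command -q -f $_conf -r $_jail; then`), so the two files need to land in one commit or the rc script has to tolerate the old exit status; the commit message should also call out the user-visible change, since scripts that run `jail -r name` for an already-stopped jail will now see a failure.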
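The rc.conf-to-jail.conf conversion described under (b) and (d) in Hiroki's mail, as an added example that is not part of the posted patch: a portable sh script that turns jail_<name>_* variables into a jail.conf(5) stanza. The sample variables are constructed (the mail's hosta values plus an IPv6 alias and exec hooks), the /32 and /128 default prefixes and the escaping of `\` and `"` in generated strings are this example's choices, and the jail name is validated before it reaches eval.

```shell
#!/bin/sh
# Added example, not from the posted patch: build a jail.conf(5) stanza from
# jail_<name>_* rc.conf variables, as rc.d/jail does for /var/run/jail_<name>.conf.

# Constructed sample: the mail's hosta values plus an IPv6 alias and two exec hooks.
jail_hosta_hostname="hosta.example.com"
jail_hosta_ip="192.168.2.1,192.168.2.2"
jail_hosta_rootdir="/jail/hosta"
jail_hosta_ip_multi0="em0|2001:db8::1/64"
jail_hosta_exec_prestart0="echo pre \"quoted\""
jail_hosta_exec_prestart1="sysctl -q net.inet.ip.forwarding"
jail_exec_start="/bin/sh /etc/rc"   # global fallback, as in rc.conf(5)

# The name is spliced into variable names fed to eval: identifier characters only.
valid_name() {
    case $1 in '' | *[!A-Za-z0-9_]*) return 1 ;; esac
}

# jail_var name var [default]: jail_<name>_<var>, else jail_<var>, else default.
jail_var() {
    local _v
    eval _v=\"\${jail_${1}_${2}:-\${jail_${2}}}\"
    printf '%s' "${_v:-$3}"
}

# Escape a value for a double-quoted jail.conf string; an unescaped '"' would
# end the string and leave the remainder parsed as further parameters.
jc_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# emit param value: `param = "value";`, skipped when the value is empty.
emit() {
    if [ -n "$2" ]; then
        printf '    %s = "%s";\n' "$1" "$(jc_quote "$2")"
    fi
}

# emit_numbered name var param first: <var><first>, <var><first+1>, ... -> `param += "...";`
emit_numbered() {
    local _i _v
    _i=$4
    while :; do
        _v=$(jail_var "$1" "$2$_i")
        [ -n "$_v" ] || break
        printf '    %s += "%s";\n' "$3" "$(jc_quote "$_v")"
        _i=$((_i + 1))
    done
}

# emit_addr "[iface|]addr[/prefix]": one ip4.addr or ip6.addr line; /32 and
# /128 are this example's defaults when no prefix is given.
emit_addr() {
    local _iface _addr _mask
    _iface= ; _addr=$1 ; _mask=
    case $_addr in *\|*) _iface="${_addr%%|*}|" ; _addr=${_addr#*|} ;; esac
    case $_addr in */*) _mask=/${_addr#*/} ; _addr=${_addr%%/*} ;; esac
    case $_addr in
    *:*) printf '    ip6.addr += "%s%s%s";\n' "$_iface" "$_addr" "${_mask:-/128}" ;;
    *)   printf '    ip4.addr += "%s%s%s";\n' "$_iface" "$_addr" "${_mask:-/32}" ;;
    esac
}

# emit_addrs list: split a comma-separated jail_<name>_ip style value.
emit_addrs() {
    local _rest _item
    _rest=$1
    while [ -n "$_rest" ]; do
        _item=${_rest%%,*}
        case $_rest in *,*) _rest=${_rest#*,} ;; *) _rest= ;; esac
        emit_addr "$_item"
    done
}

# gen_jail_conf name: print the stanza, or fail when the name is unsafe or
# hostname/rootdir are missing (rc.d/jail then falls back to jail.conf).
gen_jail_conf() {
    local _j _host _root _i _v
    _j=$1 ; _i=0
    valid_name "$_j" || { echo "invalid jail name: $_j" >&2; return 1; }
    _host=$(jail_var "$_j" hostname)
    _root=$(jail_var "$_j" rootdir)
    if [ -z "$_host" ] || [ -z "$_root" ]; then
        echo "$_j: no hostname or no rootdir, use jail.conf instead" >&2
        return 1
    fi
    echo "$_j {"
    emit host.hostname "$_host"
    emit path "$_root"
    emit_addrs "$(jail_var "$_j" ip)"
    while :; do                         # jail_<name>_ip_multi0, _multi1, ...
        _v=$(jail_var "$_j" "ip_multi$_i")
        [ -n "$_v" ] || break
        emit_addrs "$_v"
        _i=$((_i + 1))
    done
    emit_numbered "$_j" exec_prestart exec.prestart 0
    emit exec.start "$(jail_var "$_j" exec_start)"
    emit exec.stop "$(jail_var "$_j" exec_stop)"
    echo "}"
}

for _name in "$@"; do gen_jail_conf "$_name"; done   # sh thisfile hosta
```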
From: Dag-Erling Smørgrav <des@des.no>
To: Hiroki Sato
Cc: arch@FreeBSD.org, dteske@FreeBSD.org, jamie@FreeBSD.org, slw@zxy.spb.ru
Subject: Re: jail configuration
Date: Sun, 06 Oct 2013 09:31:06 +0200
Message-ID: <8638oerh39.fsf@nine.des.no>
In-Reply-To: <20131006.102310.20550923549608963.hrs@allbsd.org>

Hiroki Sato writes:
> I tried to rewrite a rc.d/jail with backward compatibility.
[...]
> What do you think about this?

I think it sounds fantastic (and like a lot of work!)

I didn't look at the patch very closely, but I see that you print a warning when you generate a configuration for an old-style jail while jail.conf exists. I think you should *always* print that warning for every old-style jail so people will be reminded to convert.

We should also remove the examples from /etc/defaults/rc.conf and replace the documentation for jail_${_j}_* in rc.conf(5) with a short paragraph that says they are for compatibility only.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Dag-Erling Smørgrav <des@des.no>
To: Peter Wemm
Cc: freebsd-arch@freebsd.org
Subject: Re: Userland patch level
Date: Sun, 06 Oct 2013 13:18:54 +0200
Message-ID: <86hacuprz5.fsf@nine.des.no>
In-Reply-To: <52507F4A.1050707@wemm.org> (Peter Wemm's message of "Sat, 05 Oct 2013 14:06:18 -0700")

Peter Wemm writes:
> IMHO, promoting parsing strings like this is fraught with danger. The
> canonical one-true-version is __FreeBSD_version; I'd much rather encourage
> people to refer to that, and it is available in newvers.sh in the same way
> that you're building it now.

The kernel and userland versions do not necessarily match, even in supported configurations. newvers.sh is not necessarily available at run time.

> freebsd-version.sh.in seems fragile as presented. It's missing
> loader.conf.local parsing, hardcodes the assumption that you use /boot
> (vs /efi), etc.

I wasn't aware of loader.conf.local. I'll add support for it. I don't know anything about efi. As for hardcoding assumptions: like the man page says, this is a *best effort* which is intended to work in the common case, i.e. either "make buildworld buildkernel installworld installkernel" from a clean, consistent tree or "freebsd-update fetch install".

> The usage string has a -i option that doesn't seem to exist.

Thanks, I'll fix that.

> Secteam does bump the osreldate for patch releases, right?

We bump newvers.sh.

> Wouldn't that be sufficient for userland audit tools to reliably
> identify vulnerable userlands?
No.

I don't particularly enjoy answering the same questions over and over again. If you have any more questions, please read one of the previous threads on this subject and / or the minutes from the security session at the Malta summit.

DES

--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-arch@FreeBSD.ORG Sun Oct 6 19:05:34 2013
Date: Mon, 07 Oct 2013 04:04:11 +0900 (JST)
Message-Id: <20131007.040411.272534607754482379.hrs@allbsd.org>
To: current@FreeBSD.org
Subject: CFT: rc.d/jail rewrite (was: jail configuration)
From: Hiroki Sato
In-Reply-To: <8638oerh39.fsf@nine.des.no>
Cc: arch@FreeBSD.org, dteske@FreeBSD.org, jamie@FreeBSD.org, slw@zxy.spb.ru
Reply-To: current@FreeBSD.org

[Please reply to freebsd-current@]

Hi,

Can anyone who is using jail_* variables in rc.conf test the attached patch? On freebsd-arch@ there is a discussion about deprecating jail__* variables in favor of jail.conf. This rewrite is one that supports both in a backward-compatible way. I want to make sure that this does not break existing configurations.
The following is the entry in UPDATING:

+20131007:
+	The rc.d/jail script has been updated to support jail(8)
+	configuration file.  The "jail__*" rc.conf(5) variables
+	for per-jail configuration are automatically converted to
+	/var/run/jail..conf before the jail(8) utility is invoked.
+	This is transparently backward compatible.  See the below about some
+	incompatibilities.
+
+	These variables are now deprecated in favor of jail(8) configuration
+	file.  One can use "rc.d/jail config " command to generate
+	a jail(8) configuration file in /var/run/jail..conf without
+	running the jail(8) utility.  The default pathname of the
+	configuration file is /etc/jail.conf and can be specified by
+	using $jail_conf or $jail__conf variables.
+
+	Please note that jail_fdesc_enable and jail_procfs_enable are
+	not supported, and jail_devfs_ruleset accepts an integer at
+	this moment.  Please consider to use exec.fstab for the
+	additional mount and rewrite the ruleset name with an integer.

Dag-Erling Smørgrav wrote in <8638oerh39.fsf@nine.des.no>:

de> I didn't look at the patch very closely, but I see that you print a
de> warning when you generate a configuration for an old-style jail while
de> jail.conf exists.  I think you should *always* print that warning for
de> every old-style jail so people will be reminded to convert.  We should
de> also remove the examples from /etc/defaults/rc.conf and replace the
de> documentation for jail_${_j}_* in rc.conf(5) with a short paragraph that
de> says they are for compatibility only.

Thank you for your feedback. The warning message is always displayed in "rc.d/jail start", and rc.conf(5) and defaults/rc.conf are updated in this patch.
-- Hiroki ----Next_Part(Mon_Oct__7_04_04_11_2013_092)-- Content-Type: Text/X-Patch; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="jail_20131007-1.diff" Index: UPDATING =================================================================== --- UPDATING (revision 256090) +++ UPDATING (working copy) @@ -31,6 +31,26 @@ disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20131007: + The rc.d/jail script has been updated to support jail(8) + configuration file. The "jail__*" rc.conf(5) variables + for per-jail configuration are automatically converted to + /var/run/jail..conf before the jail(8) utility is invoked. + This is transparently backward compatible. See the below about some + incompatibilities. + + These variables are now deprecated in favor of jail(8) configuration + file. One can use "rc.d/jail config " command to generate + a jail(8) configuration file in /var/run/jail..conf without + running the jail(8) utility. The default pathname of the + configuration file is /etc/jail.conf and can be specified by + using $jail_conf or $jail__conf variables. + + Please note that jail_fdesc_enable and jail_procfs_enable are + not supported, and jail_devfs_ruleset accepts an integer at + this moment. Please consider to use exec.fstab for the + additional mount and rewrite the ruleset name with an integer. + 20130930: BIND has been removed from the base system. If all you need is a local resolver, simply enable and start the local_unbound Index: etc/rc.d/jail =================================================================== --- etc/rc.d/jail (revision 256090) +++ etc/rc.d/jail (working copy) 
@@ -8,81 +8,138 @@ # BEFORE: securelevel # KEYWORD: nojail shutdown -# WARNING: This script deals with untrusted data (the data and -# processes inside the jails) and care must be taken when changing the -# code related to this! If you have any doubt whether a change is -# correct and have security impact, please get the patch reviewed by -# the FreeBSD Security Team prior to commit. - . /etc/rc.subr name="jail" rcvar="jail_enable" -start_precmd="jail_prestart" start_cmd="jail_start" +start_postcmd="jail_warn" stop_cmd="jail_stop" +config_cmd="jail_config" +console_cmd="jail_console" +status_cmd="jail_status" +extra_commands="config console status" +: ${jail_conf:=/etc/jail.conf} +: ${jail_program:=/usr/sbin/jail} +: ${jail_consolecmd:=/bin/sh} +: ${jail_jexec:=/usr/sbin/jexec} +: ${jail_jls:=/usr/sbin/jls} -# init_variables _j -# Initialize the various jail variables for jail _j. +need_dad_wait= + +# extact_var jail name param num defval +# Extract value from ${jail_$jail_$name} or ${jail_$name} and +# set it to $param. If not defined, $defval is used. +# When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and +# $param is set by using +=. +# When $num is YN or NY, the value is interpret as boolean. 
+extract_var() +{ + local i _j _name _param _num _def _name1 _name2 + _j=$1 + _name=$2 + _param=$3 + _num=$4 + _def=$5 + + case $_num in + YN) + _name1=jail_${_j}_${_name} + _name2=jail_${_name} + eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" + if checkyesno $_name1; then + echo " $_param = 1;" + else + echo " $_param = 0;" + fi + ;; + NY) + _name1=jail_${_j}_${_name} + _name2=jail_${_name} + eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" + if checkyesno $_name1; then + echo " $_param = 0;" + else + echo " $_param = 1;" + fi + ;; + [0-9]*) + i=$_num + while : ; do + _name1=jail_${_j}_${_name}${i} + _name2=jail_${_name}${i} + eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param += \"$_tmpargs\";" + else + break; + fi + i=$(($i + 1)) + done + ;; + *) + _name1=jail_${_j}_${_name} + _name2=jail_${_name} + eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param = \"$_tmpargs\";" + fi + ;; + esac +} + +# parse_options _j +# Parse options and create a temporary configuration file if necessary. # -init_variables() +parse_options() { - _j="$1" + local _j + _j=$1 + _confwarn=0 if [ -z "$_j" ]; then - warn "init_variables: you must specify a jail" + warn "parse_options: you must specify a jail" return fi - + eval _jconf=\"\${jail_${_j}_conf:-/etc/jail.${_j}.conf}\" eval _rootdir=\"\$jail_${_j}_rootdir\" - _devdir="${_rootdir}/dev" - _fdescdir="${_devdir}/fd" - _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" + if [ -z "$_rootdir" -o \ + -z "$_hostname" ]; then + if [ -r "$_jconf" ]; then + _conf="$_jconf" + return 0 + elif [ -r "$jail_conf" ]; then + _conf="$jail_conf" + return 0 + else + warn "Invalid configuration for $_j " \ + "(no jail.conf, no hostname, or no path). " \ + "Jail $_j was ignored." + fi + return 1 + fi eval _ip=\"\$jail_${_j}_ip\" - eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" + if [ -z "$_ip" ] && ! 
check_kern_features vimage; then + warn "no ipaddress specified and no vimage support. " \ + "Jail $_j was ignored." + return 1 + fi + _conf=/var/run/jail.${_j}.conf + # + # To relieve confusion, show a warning message. + # + _confwarn=1 + if [ -r "$jail_conf" -o -r "$_jconf" ]; then + warn "$_conf is created and used for jail $_j." + fi + /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1 + + eval : \${jail_${_j}_flags:=${jail_flags}} eval _exec=\"\$jail_${_j}_exec\" - - i=0 - while : ; do - eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\" - [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break - i=$((i + 1)) - done - - eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" - - i=1 - while : ; do - eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\" - [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break - i=$((i + 1)) - done - - i=0 - while : ; do - eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\" - [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break - i=$((i + 1)) - done - - i=0 - while : ; do - eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\" - [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break - i=$((i + 1)) - done - - eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" - - i=0 - while : ; do - eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\" - [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break - i=$((i + 1)) - done - + eval _exec_start=\"\$jail_${_j}_exec_start\" + eval _exec_stop=\"\$jail_${_j}_exec_stop\" if [ -n "${_exec}" ]; then # simple/backward-compatible execution _exec_start="${_exec}" 
@@ -96,285 +153,96 @@ fi fi fi - - # The default jail ruleset will be used by rc.subr if none is specified. - eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" - eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" - [ -z "${_devfs}" ] && _devfs="NO" - eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" - [ -z "${_fdescfs}" ] && _fdescfs="NO" - eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" - [ -z "${_procfs}" ] && _procfs="NO" - - eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" - [ -z "${_mount}" ] && _mount="NO" - # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified. - eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" - [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" - eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${_flags}" ] && _flags="-l -U root" - eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\" - [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log" + eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _parameters=\"\${jail_${_j}_parameters:-${jail_parameters}}\" - [ -z "${_parameters}" ] && _parameters="" - eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\" + eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" + ( + date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" + echo "$_j {" + extract_var $_j hostname host.hostname - "" + extract_var $_j rootdir path - "" + if [ -n "$_ip" ]; then + extract_var $_j interface interface - "" + jail_handle_ips_option $_ip $_interface + alias=0 + while : ; do + eval _x=\"\$jail_${_jail}_ip_multi${alias}\" + [ -z "$_x" ] && break - # Debugging aid - # - debug "$_j devfs enable: $_devfs" - debug "$_j fdescfs enable: $_fdescfs" - debug "$_j procfs enable: $_procfs" - debug "$_j mount enable: $_mount" - debug "$_j hostname: $_hostname" - debug "$_j ip: $_ip" - jail_show_addresses ${_j} - debug "$_j interface: $_interface" - debug "$_j 
fib: $_fib" - debug "$_j root: $_rootdir" - debug "$_j devdir: $_devdir" - debug "$_j fdescdir: $_fdescdir" - debug "$_j procdir: $_procdir" - debug "$_j ruleset: $_ruleset" - debug "$_j fstab: $_fstab" - - i=0 - while : ; do - eval out=\"\${_exec_prestart${i}:-''}\" - if [ -z "$out" ]; then - break + jail_handle_ips_option $_x $_interface + alias=$(($alias + 1)) + done + case $need_dad_wait in + 1) + # Sleep to let DAD complete before + # starting services. + echo " exec.start += \"sleep " \ + $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \ + "\";" + ;; + esac + # These are applicable only to non-vimage jails. + extract_var $_j fib exec.fib - "" + extract_var $_j socket_unixiproute_only \ + allow.raw_sockets NY YES + else + echo " vnet;" + extract_var $_j vnet_interface vnet.interface - "" fi - debug "$_j exec pre-start #${i}: ${out}" - i=$((i + 1)) - done - debug "$_j exec start: $_exec_start" + echo " exec.clean;" + echo " exec.system_user = \"root\";" + echo " exec.jail_user = \"root\";" + extract_var $_j exec_prestart exec.prestart 0 "" + extract_var $_j exec_poststart exec.poststart 0 "" + extract_var $_j exec_prestop exec.prestop 0 "" + extract_var $_j exec_poststop exec.poststop 0 "" - i=1 - while : ; do - eval out=\"\${_exec_afterstart${i}:-''}\" + echo " exec.start += \"$_exec_start\";" + extract_var $_j exec_afterstart exec.start 1 "" + echo " exec.stop = \"$_exec_stop\";" - if [ -z "$out" ]; then - break; - fi + extract_var $_j consolelog exec.consolelog - \ + /var/log/jail_${_j}_console.log - debug "$_j exec after start #${i}: ${out}" - i=$((i + 1)) - done - - i=0 - while : ; do - eval out=\"\${_exec_poststart${i}:-''}\" - if [ -z "$out" ]; then - break + eval : \${jail_${_j}_devfs_enable:=${jail_devfs_enable:-NO}} + if checkyesno jail_${_j}_devfs_enable; then + echo " mount.devfs;" + case $_ruleset in + "") ;; + [0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;; + devfsrules_jail) + # XXX: This is the default value, + # Let jail(8) to use the default 
because + # mount(8) only accepts an integer. + # This should accept a ruleset name. + ;; + *) warn "devfs_ruleset must be integer." ;; + esac + if [ -r $_fstab ]; then + echo " mount.fstab = \"$_fstab\";" + fi fi - debug "$_j exec post-start #${i}: ${out}" - i=$((i + 1)) - done - i=0 - while : ; do - eval out=\"\${_exec_prestop${i}:-''}\" - if [ -z "$out" ]; then - break - fi - debug "$_j exec pre-stop #${i}: ${out}" - i=$((i + 1)) - done + # XXX: fdescfs and procfs should be added for + # backward compatibility. - debug "$_j exec stop: $_exec_stop" + echo " ${_parameters};" - i=0 - while : ; do - eval out=\"\${_exec_poststop${i}:-''}\" - if [ -z "$out" ]; then - break + eval : \${jail_${_j}_mount_enable:=${jail_mount_enable:-NO}} + if checkyesno jail_${_j}_mount_enable; then + echo " allow.mount;" >> $_conf fi - debug "$_j exec post-stop #${i}: ${out}" - i=$((i + 1)) - done - debug "$_j flags: $_flags" - debug "$_j consolelog: $_consolelog" - debug "$_j parameters: $_parameters" + extract_var $_j set_hostname_allow allow.set_hostname YN NO + extract_var $_j sysvipc_allow allow.sysvipc YN NO + echo "}" + ) >> $_conf - if [ -z "${_hostname}" ]; then - err 3 "$name: No hostname has been defined for ${_j}" - fi - if [ -z "${_rootdir}" ]; then - err 3 "$name: No root directory has been defined for ${_j}" - fi + return 0 } -# set_sysctl rc_knob mib msg -# If the mib sysctl is set according to what rc_knob -# specifies, this function does nothing. However if -# rc_knob is set differently than mib, then the mib -# is set accordingly and msg is displayed followed by -# an '=" sign and the word 'YES' or 'NO'. 
-# -set_sysctl() -{ - _knob="$1" - _mib="$2" - _msg="$3" - - _current=`${SYSCTL} -n $_mib 2>/dev/null` - if checkyesno $_knob ; then - if [ "$_current" -ne 1 ]; then - echo -n " ${_msg}=YES" - ${SYSCTL} 1>/dev/null ${_mib}=1 - fi - else - if [ "$_current" -ne 0 ]; then - echo -n " ${_msg}=NO" - ${SYSCTL} 1>/dev/null ${_mib}=0 - fi - fi -} - -# is_current_mountpoint() -# Is the directory mount point for a currently mounted file -# system? -# -is_current_mountpoint() -{ - local _dir _dir2 - - _dir=$1 - - _dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'` - [ ! -d "${_dir}" ] && return 1 - _dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'` - [ "${_dir}" = "${_dir2}" ] - return $? -} - -# is_symlinked_mountpoint() -# Is a mount point, or any of its parent directories, a symlink? -# -is_symlinked_mountpoint() -{ - local _dir - - _dir=$1 - - [ -L "$_dir" ] && return 0 - [ "$_dir" = "/" ] && return 1 - is_symlinked_mountpoint `dirname $_dir` - return $? -} - -# secure_umount -# Try to unmount a mount point without being vulnerable to -# symlink attacks. -# -secure_umount() -{ - local _dir - - _dir=$1 - - if is_current_mountpoint ${_dir}; then - umount -f ${_dir} >/dev/null 2>&1 - else - debug "Nothing mounted on ${_dir} - not unmounting" - fi -} - - -# jail_umount_fs -# This function unmounts certain special filesystems in the -# currently selected jail. The caller must call the init_variables() -# routine before calling this one. 
-# -jail_umount_fs() -{ - local _device _mountpt _rest - - if checkyesno _fdescfs; then - if [ -d "${_fdescdir}" ] ; then - secure_umount ${_fdescdir} - fi - fi - if checkyesno _devfs; then - if [ -d "${_devdir}" ] ; then - secure_umount ${_devdir} - fi - fi - if checkyesno _procfs; then - if [ -d "${_procdir}" ] ; then - secure_umount ${_procdir} - fi - fi - if checkyesno _mount; then - [ -f "${_fstab}" ] || warn "${_fstab} does not exist" - tail -r ${_fstab} | while read _device _mountpt _rest; do - case ":${_device}" in - :#* | :) - continue - ;; - esac - secure_umount ${_mountpt} - done - fi -} - -# jail_mount_fstab() -# Mount file systems from a per jail fstab while trying to -# secure against symlink attacks at the mount points. -# -# If we are certain we cannot secure against symlink attacks we -# do not mount all of the file systems (since we cannot just not -# mount the file system with the problematic mount point). -# -# The caller must call the init_variables() routine before -# calling this one. -# -jail_mount_fstab() -{ - local _device _mountpt _rest - - while read _device _mountpt _rest; do - case ":${_device}" in - :#* | :) - continue - ;; - esac - if is_symlinked_mountpoint ${_mountpt}; then - warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}" - return - fi - done <${_fstab} - mount -a -F "${_fstab}" -} - -# jail_show_addresses jail -# Debug print the input for the given _multi aliases -# for a jail for init_variables(). -# -jail_show_addresses() -{ - local _j _type alias - _j="$1" - alias=0 - - if [ -z "${_j}" ]; then - warn "jail_show_addresses: you must specify a jail" - return - fi - - while : ; do - eval _addr=\"\$jail_${_j}_ip_multi${alias}\" - if [ -n "${_addr}" ]; then - debug "${_j} ip_multi${alias}: $_addr" - alias=$((${alias} + 1)) - else - break - fi - done -} - -# jail_extract_address argument +# jail_extract_address argument iface # The second argument is the string from one of the _ip # or the _multi variables. 
In case of a comma separated list # only one argument must be passed in at a time. @@ -382,8 +250,9 @@ # jail_extract_address() { - local _i + local _i _interface _i=$1 + _interface=$2 if [ -z "${_i}" ]; then warn "jail_extract_address: called without input" @@ -439,12 +308,12 @@ _mask=${_mask:-/32} elif [ "${_type}" = "inet6" ]; then - # In case _maske is not set for IPv6, use /128. - _mask=${_mask:-/128} + # In case _maske is not set for IPv6, use /64. + _mask=${_mask:-/64} fi } -# jail_handle_ips_option {add,del} input +# jail_handle_ips_option input iface # Handle a single argument imput which can be a comma separated # list of addresses (theoretically with an option interface and # prefix/netmask/prefixlen). @@ -451,9 +320,9 @@ # jail_handle_ips_option() { - local _x _action _type _i - _action=$1 - _x=$2 + local _x _type _i _iface + _x=$1 + _iface=$2 if [ -z "${_x}" ]; then # No IP given. This can happen for the primary address 
@@ -468,294 +337,146 @@ *,*) # Extract the first argument and strip it off the list. _i=`expr "${_x}" : '^\([^,]*\)'` _x=`expr "${_x}" : "^[^,]*,\(.*\)"` - ;; + ;; *) _i=${_x} _x="" - ;; + ;; esac _type="" - _iface="" _addr="" _mask="" - jail_extract_address "${_i}" + jail_extract_address $_i $_iface # make sure we got an address. - case "${_addr}" in + case $_addr in "") continue ;; *) ;; esac # Append address to list of addresses for the jail command. - case "${_type}" in + case $_type in inet) - case "${_addrl}" in - "") _addrl="${_addr}" ;; - *) _addrl="${_addrl},${_addr}" ;; - esac - ;; + echo " ip4.addr += \"${_addr}${_mask}\";" + ;; inet6) - case "${_addr6l}" in - "") _addr6l="${_addr}" ;; - *) _addr6l="${_addr6l},${_addr}" ;; - esac - ;; + echo " ip6.addr += \"${_addr}${_mask}\";" + need_dad_wait=1 + ;; esac - - # Configure interface alias if requested by a given interface - # and if we could correctly parse everything. - case "${_iface}" in - "") continue ;; - esac - case "${_type}" in - inet) ;; - inet6) ipv6_address_count=$((ipv6_address_count + 1)) ;; - *) warn "Could not determine address family. Not going" \ - "to ${_action} address '${_addr}' for ${_jail}." - continue - ;; - esac - case "${_action}" in - add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias - ;; - del) # When removing the IP, ignore the _mask. - ifconfig ${_iface} ${_type} ${_addr} -alias - ;; - esac done } -# jail_ips {add,del} -# Extract the comma separated list of addresses and return them -# for the jail command. -# Handle more than one address via the _multi option as well. -# If an interface is given also add/remove an alias for the -# address with an optional netmask. -# -jail_ips() +jail_config() { - local _action - _action=$1 - - case "${_action}" in - add) ;; - del) ;; - *) warn "jail_ips: invalid action '${_action}'" - return - ;; + case $1 in + _ALL) return ;; esac + for _jail in $@; do + if parse_options $_jail; then + echo "$_jail: parameters are in $_conf." 
+ fi + done +} - # Handle addresses. - ipv6_address_count=0 - jail_handle_ips_option ${_action} "${_ip}" - # Handle jail_xxx_ip_multi - alias=0 - while : ; do - eval _x=\"\$jail_${_jail}_ip_multi${alias}\" - case "${_x}" in - "") break ;; - *) jail_handle_ips_option ${_action} "${_x}" - alias=$((${alias} + 1)) - ;; - esac - done - case ${ipv6_address_count} in - 0) ;; - *) # Sleep 1 second to let DAD complete before starting services. - sleep 1 - ;; +jail_console() +{ + # One argument that is not _ALL. + case $#:$1 in + 1:_ALL) err 3 "Specify a jail name." ;; + 1:*) ;; + *) err 3 "Specify a jail name." ;; esac + eval _cmd=\${jail_$1_consolecmd:-$jail_consolecmd} + $jail_jexec $1 $_cmd } -jail_prestart() +jail_status() { - if checkyesno jail_parallel_start; then - command_args='&' - fi + + $jail_jls -N } jail_start() { - echo -n 'Configuring jails:' - set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \ - set_hostname_allow - set_sysctl jail_socket_unixiproute_only \ - security.jail.socket_unixiproute_only unixiproute_only - set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \ - sysvipc_allow - echo '.' + if [ $# = 0 ]; then + return + fi + echo -n 'Starting jails:' + case $1 in + _ALL) + echo -n ' ' + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -c" + $command $rc_flags $command_args "*" + echo '.' + return + ;; + esac + _tmp=`mktemp -t jail` || exit 3 + for _jail in $@; do + parse_options $_jail || continue - echo -n 'Starting jails:' - _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \ - err 3 "$name: Can't create temp dir, exiting..." 
- for _jail in ${jail_list} - do - init_variables $_jail - if [ -f /var/run/jail_${_jail}.id ]; then - echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]" - continue; - fi - _addrl="" - _addr6l="" - jail_ips "add" - if [ -n "${_fib}" ]; then - _setfib="setfib -F '${_fib}'" + eval rc_flags=\${jail_${_j}_flags:-$jail_flags} + eval command=\${jail_${_j}_program:-$jail_program} + if checkyesno jail_parallel_start; then + command_args="-i -f $_conf -c $_jail &" else - _setfib="" + command_args="-i -f $_conf -c $_jail" fi - if checkyesno _mount; then - info "Mounting fstab for jail ${_jail} (${_fstab})" - if [ ! -f "${_fstab}" ]; then - err 3 "$name: ${_fstab} does not exist" - fi - jail_mount_fstab - fi - if checkyesno _devfs; then - # If devfs is already mounted here, skip it. - df -t devfs "${_devdir}" >/dev/null - if [ $? -ne 0 ]; then - if is_symlinked_mountpoint ${_devdir}; then - warn "${_devdir} has symlink as parent - not starting jail ${_jail}" - continue - fi - info "Mounting devfs on ${_devdir}" - devfs_mount_jail "${_devdir}" ${_ruleset} - # Transitional symlink for old binaries - if [ ! -L "${_devdir}/log" ]; then - ln -sf ../var/run/log "${_devdir}/log" - fi - fi - - # XXX - It seems symlinks don't work when there - # is a devfs(5) device of the same name. 
- # Jail console output - # __pwd="`pwd`" - # cd "${_devdir}" - # ln -sf ../var/log/console console - # cd "$__pwd" - fi - if checkyesno _fdescfs; then - if is_symlinked_mountpoint ${_fdescdir}; then - warn "${_fdescdir} has symlink as parent, not mounting" - else - info "Mounting fdescfs on ${_fdescdir}" - mount -t fdescfs fdesc "${_fdescdir}" - fi - fi - if checkyesno _procfs; then - if is_symlinked_mountpoint ${_procdir}; then - warn "${_procdir} has symlink as parent, not mounting" - else - info "Mounting procfs onto ${_procdir}" - if [ -d "${_procdir}" ] ; then - mount -t procfs proc "${_procdir}" - fi - fi - fi - _tmp_jail=${_tmp_dir}/jail.$$ - - i=0 - while : ; do - eval out=\"\${_exec_prestart${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done - - eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ - ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ - ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ - ${_consolelog} - echo ${_jail_id} > /var/run/jail_${_jail}.id - - i=0 - while : ; do - eval out=\"\${_exec_poststart${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done + if $command $rc_flags $command_args \ + >> $_tmp 2>&1 > ${_consolelog} 2>&1 - fi - killall -j ${_jail_id} -TERM > /dev/null 2>&1 - sleep 1 - killall -j ${_jail_id} -KILL > /dev/null 2>&1 - jail_umount_fs - echo -n " $_hostname" - - i=0 - while : ; do - eval out=\"\${_exec_poststop${i}:-''}\" - [ -z "$out" ] && break - ${out} - i=$((i + 1)) - done - fi - jail_ips "del" - rm /var/run/jail_${_jail}.id - else - echo " cannot stop jail ${_jail}. No jail id in /var/run" + case $1 in + _ALL) + echo -n ' ' + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -r" + $command $rc_flags $command_args "*" + echo '.' 
+ return + ;; + esac + for _jail in $@; do + parse_options $_jail || continue + eval command=\${jail_${_j}_program:-$jail_program} + if $command -q -f $_conf -r $_jail; then + echo -n " ${_hostname:-${_jail}}" fi done echo '.' } +jail_warn() +{ + + # To relieve confusion, show a warning message. + case $_confwarn in + 1) warn "Per-jail configuration via jail_* variables " \ + "is obsolete. Please consider to migrate to $jail_conf." + ;; + esac +} + load_rc_config $name -cmd="$1" -if [ $# -gt 0 ]; then - shift -fi -if [ -n "$*" ]; then - jail_list="$*" -fi - -run_rc_command "${cmd}" +case $# in +1) run_rc_command $@ ${jail_list:-_ALL} ;; +*) run_rc_command $@ ;; +esac Index: etc/rc.subr =================================================================== --- etc/rc.subr (revision 256090) +++ etc/rc.subr (working copy) @@ -1463,28 +1463,6 @@ return 0 } -# devfs_mount_jail dir [ruleset] -# Mounts a devfs file system appropriate for jails -# on the directory dir. If ruleset is specified, the ruleset -# it names will be used instead. If present, ruleset must -# be the name of a ruleset as defined in a devfs.rules(5) file. -# This function returns non-zero if an error occurs. -# -devfs_mount_jail() -{ - local jdev rs _me - jdev="$1" - [ -n "$2" ] && rs=$2 || rs="devfsrules_jail" - _me="devfs_mount_jail" - - devfs_init_rulesets - if ! devfs_domount "$jdev" $rs; then - warn "$_me: devfs was not mounted on $jdev" - return 1 - fi - return 0 -} - # Provide a function for normalizing the mounting of memory # filesystems. This should allow the rest of the code here to remain # as close as possible between 5-current and 4-stable. Index: etc/defaults/rc.conf =================================================================== --- etc/defaults/rc.conf (revision 256090) +++ etc/defaults/rc.conf (working copy) 
@@ -674,45 +674,12 @@ opensm_enable="NO" # Opensm(8) for infiniband devices defaults to off ############################################################## -### Jail Configuration ####################################### +### Jail Configuration (see rc.conf(5) manual page) ########## ############################################################## jail_enable="NO" # Set to NO to disable starting of any jails jail_parallel_start="NO" # Start jails in the background jail_list="" # Space separated list of names of jails -jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail -jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail -# -# To use rc's built-in jail infrastructure create entries for -# each jail, specified in jail_list, with the following variables. -# NOTES: -# - replace 'example' with the jail's name. -# - except rootdir, hostname, ip and the _multi addresses, -# all of the following variables may be made global jail variables -# if you don't specify a jail name (ie. jail_interface, jail_devfs_ruleset). -# -#jail_example_rootdir="/usr/jail/default" # Jail's root directory -#jail_example_hostname="default.domain.com" # Jail's hostname -#jail_example_interface="" # Jail's interface variable to create IP aliases on -#jail_example_fib="0" # Routing table for setfib(1) -#jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6 address -#jail_example_ip_multi0="2001:db8::10" # and another IPv6 address -#jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting -#jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for - # starting the jail. 
More than one can be - # specified using a trailing number -#jail_example_exec_stop="/bin/sh /etc/rc.shutdown" # command to execute in jail for stopping -#jail_example_devfs_enable="NO" # mount devfs in the jail -#jail_example_devfs_ruleset="ruleset_name" # devfs ruleset to apply to jail - - # usually you want "devfsrules_jail". -#jail_example_fdescfs_enable="NO" # mount fdescfs in the jail -#jail_example_procfs_enable="NO" # mount procfs in jail -#jail_example_mount_enable="NO" # mount/umount jail's fs -#jail_example_fstab="" # fstab(5) for mount/umount -#jail_example_flags="-l -U root" # flags for jail(8) -#jail_example_parameters="allow.raw_sockets=1" # extra parameters for this jail - ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## ### scripts to source rc_conf_files overrides safely. ## Index: share/man/man5/rc.conf.5 =================================================================== --- share/man/man5/rc.conf.5 (revision 256090) +++ share/man/man5/rc.conf.5 (working copy) @@ -3891,14 +3891,32 @@ If set to .Dq Li NO , any configured jails will not be started. +.It Va jail_conf +.Pq Vt str +The configuration filename used by +.Xr jail 8 +utility. +The default value is +.Pa /etc/jail.conf . .It Va jail_parallel_start .Pq Vt bool If set to .Dq Li YES , all configured jails will be started in the background (in parallel). +.It Va jail_flags +.Pq Vt str +Unset by default. +When set, use as default value for +.Va jail_ Ns Ao Ar jname Ac Ns Va _flags +for every jail in +.Va jail_list . .It Va jail_list .Pq Vt str A space separated list of names for jails. +If this variable is empty, +all of +.Xr jail 8 +instances in the configuration file will be configured. This is purely a configuration aid to help identify and configure multiple jails. The names specified in this list will be used to 
@@ -3908,171 +3926,41 @@ .Dq Li 0 .Pq zero is not allowed. +.It Va jail_* variables +Note that older releases supported per-jail configuration via +.Xr rc.conf 5 +variables. +For example, +hostname of a jail named +.Li vjail +was able to be set by +.Li jail_vjail_hostname . +These per-jail configuration variables are now obsolete in favor of +.Xr jail 8 +configuration file. +For backward compatibility, +when per-jail configuration variables are defined, +.Xr jail 8 +configuration files are created as +.Pa /var/run/jail. Ns Ao Ar jname Ac Ns Pa .conf +and used. .Pp -Assuming that the jail in question was named -.Li vjail , -you would have the following dependent variables: -.Bd -literal -jail_vjail_hostname="jail.example.com" -jail_vjail_ip="192.0.2.100" -jail_vjail_rootdir="/var/jails/vjail/root" -.Ed -.Pp -.It Va jail_flags -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _flags -for every jail in -.Va jail_list . -.It Va jail_interface -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _interface -for every jail in -.Va jail_list . -.It Va jail_fstab -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab -for every jail in -.Va jail_list . -.It Va jail_mount_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -sets -.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable -to -.Dq Li YES -by default for every jail in -.Va jail_list . -.It Va jail_devfs_ruleset -.Pq Vt str -Unset by default. -When set, sets -.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset -to given value for every jail in -.Va jail_list . -.It Va jail_devfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -sets -.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable -to -.Dq Li YES -by default for every jail in -.Va jail_list . -.It Va jail_fdescfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. 
-When set to -.Dq Li YES , -sets -.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -to -.Dq Li YES -by default for every jail in -.Va jail_list . -.It Va jail_procfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -sets -.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -to -.Dq Li YES -by default for every jail in -.Va jail_list . -.It Va jail_exec_prestart Ns Aq Ar N -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart Ns Aq Ar N -for every jail in -.Va jail_list . -.It Va jail_exec_start -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start -for every jail in -.Va jail_list . -.It Va jail_exec_afterstart Ns Aq Ar N -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_afterstart Ns Aq Ar N -for every jail in -.Va jail_list . -.It Va jail_exec_poststart Ns Aq Ar N -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart Ns Aq Ar N -for every jail in -.Va jail_list . -.It Va jail_exec_prestop Ns Aq Ar N -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop Ns Aq Ar N -for every jail in -.Va jail_list . -.It Va jail_exec_stop -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop -for every jail in -.Va jail_list . -.It Va jail_exec_poststop Ns Aq Ar N -.Pq Vt str -Unset by default. -When set, use as default value for -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop Ns Aq Ar N -for every jail in -.Va jail_list . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir -.Pq Vt str -Unset by default. -Set to the root directory used by jail -.Va jname . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _hostname -.Pq Vt str -Unset by default. 
-Set to the fully qualified domain name (FQDN) assigned to jail -.Va jname . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _parameters -.Pq Vt str -Unset by default. -Set extra parameters for jail -.Va jname , -such as -.Dq Li allow.chflags -or -.Dq Li children.max . -See -.Xr jail 8 -for a list of available parameters. -Note that the following parameters are already defined by +The following per-jail parameters are handled by .Pa rc.d/jail script out of their corresponding .Nm -variables: +variables. +In addition to them, parameters in +.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters +will be added to the configuration file. +They must be a semi-colon +.Pq Ql \&; +delimited list of +.Dq key=value . +For more details, +see +.Xr jail 8 +manual page. .Bl -tag -width "host.hostname" -offset indent .It Li path set from 
@@ -4080,202 +3968,85 @@ .It Li host.hostname set from .Va jail_ Ns Ao Ar jname Ac Ns Va _hostname -.It Li command +.It Li exec.consolelog set from -.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start +.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog . +The default value is +.Pa /var/log/jail_ Ao Ar jname Ac Pa _console.log . +.It Li interface +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _interface . +.It Li vnet.interface +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface . +This implies +.Li vnet +parameter will be enabled and cannot be specified with +.Va jail_ Ns Ao Ar jname Ac Ns Va _interface , +.Va jail_ Ns Ao Ar jname Ac Ns Va _ip +and/or +.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n +at the same time. +.It Li fstab +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab +.It Li exec.fib +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _fib +.It Li exec.start +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start . +The parameter name was +.Li command +in some older releases. 
+.It Li exec.prestart +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart +.It Li exec.poststart +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart +.It Li exec.stop +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop +.It Li exec.prestop +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop +.It Li exec.poststop +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop .It Li ip4.addr set if .Va jail_ Ns Ao Ar jname Ac Ns Va _ip -contains IPv4 addresses +or +.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n +contain IPv4 addresses .It Li ip6.addr set if -.Va jail_ Ns Ao Ar jname Ac Ns Va _ip6 -contains IPv6 addresses +.Va jail_ Ns Ao Ar jname Ac Ns Va _ip +or +.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n +contain IPv6 addresses +.It Li allow.mount +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable +.It Li mount.devfs +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable +.It Li devfs_ruleset +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset . +This must be an integer, +not a string. +.It Li allow.set_hostname +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow +.It Li allow.rawsocket +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only +.It Li allow.sysvipc +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow .El -.It Va jail_ Ns Ao Ar jname Ac Ns Va _ip -.Pq Vt str -Unset by default. -Set to the (primary) IPv4 and/or IPv6 address(es) assigned to the jail. -The argument can be a sole address or a comma separated list of addresses. -Additionally each address can be prefixed by the name of an interface -followed by a pipe to overwrite -.Va jail_ Ns Ao Ar jname Ac Ns Va _interface -or -.Va jail_interface -and/or suffixed by a netmask, prefixlen or prefix. -In case no netmask, prefixlen or prefix is given, -.Sq /32 -will be used for IPv4 and -.Sq /128 -will be used for an IPv6 address. 
-If no address is given for the jail then the jail will be started with -no networking support. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n -.Pq Vt str -Unset by default. -Set additional IPv4 and/or IPv6 address(es) assigned to the jail. -The sequence starts with -.Dq Li _multi0 -and the numbers have to be strictly ascending. -These entries follow the same syntax as their primary -.Va jail_ Ns Ao Ar jname Ac Ns Va _ip -entry. -The order of the entries can be important as the first address for -each address family found will be the primary address of the jail. -See -.Va ip-addresses -option in -.Xr jail 8 -for more details. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _flags -.Pq Vt str -Set to -.Dq Li -l -U root -by default. -These are flags to pass to -.Xr jail 8 . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _interface -.Pq Vt str -Unset by default. -When set, sets the interface to use when setting IP address alias. -Note that the alias is created at jail startup and removed at jail shutdown. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _fib -.Pq Vt str -Unset by default. -When set, the jail is started with the specified forwarding table (sometimes -referred to as a routing table) via -.Xr setfib 1 . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _fstab -.Pq Vt str -Set to -.Pa /etc/fstab. Ns Aq Ar jname -by default. -This is the file system information file to use for jail -.Va jname . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -mount all file systems from -.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab -at jail startup. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset -.Pq Vt str -Unset by default. -When set, defines the device file system ruleset file to use for jail -.Va jname . -.It Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -mount the device file system inside jail -.Ar jname -at jail startup. 
-.It Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -mount the file-descriptor file system inside jail -.Ar jname -at jail startup. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable -.Pq Vt bool -Set to -.Dq Li NO -by default. -When set to -.Dq Li YES , -mount the process file system inside jail -.Ar jname -at jail startup. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart Ns Aq Ar N -.Pq Vt str -Unset by default. -This is the command run as -.Ar N Ns -th command -before jail startup, where -.Ar N -is 0, 1, and so on. -It is run outside the jail. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start -.Pq Vt str -Set to -.Dq Li /bin/sh /etc/rc -by default. -This is the command executed in a jail at jail startup. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_afterstart Ns Aq Ar N -.Pq Vt str -Unset by default. -This is the command run as -.Ar N Ns -th command -in a jail -after jail startup, where -.Ar N -is 1, 2, and so on. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart Ns Aq Ar N -.Pq Vt str -Unset by default. -This is the command run as -.Ar N Ns -th command -after jail startup, where -.Ar N -is 0, 1, and so on. -It is run outside the jail. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop Ns Aq Ar N -.Pq Vt str -Unset by default. -This is the command run as -.Ar N Ns -th command -before jail shutdown, where -.Ar N -is 0, 1, and so on. -It is run outside the jail. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop -.Pq Vt str -Set to -.Dq Li /bin/sh /etc/rc.shutdown -by default. -This is the command executed in a jail at jail shutdown. -.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop Ns Aq Ar N -.Pq Vt str -Unset by default. -This is the command run as -.Ar N Ns -th command -after jail shutdown, where -.Ar N -is 0, 1, and so on. -It is run outside the jail. 
-.It Va jail_set_hostname_allow -.Pq Vt bool -If set to -.Dq Li NO , -do not allow the root user in a jail to set its hostname. -.It Va jail_socket_unixiproute_only -.Pq Vt bool -If set to -.Dq Li YES , -do not allow any sockets, -besides UNIX/IP/route sockets, -to be used within a jail. -.It Va jail_sysvipc_allow -.Pq Vt bool -If set to -.Dq Li YES , -allow applications within a jail to use System V IPC. .\" ----------------------------------------------------- .It Va harvest_interrupt .Pq Vt bool Index: usr.sbin/jail/jail.c =================================================================== --- usr.sbin/jail/jail.c (revision 256090) +++ usr.sbin/jail/jail.c (working copy) 
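Review bot: the new stop loop and the dispatch at the bottom of rc.d/jail use unquoted expansions: `for _jail in $@`, `$command -q -f $_conf -r $_jail` and `run_rc_command $@ ${jail_list:-_ALL}` all word-split and glob, so use `"$@"` and quote `"$_conf"` and `"$_jail"`. The loop variable is `_jail`, yet the eval reads `jail_${_j}_program`; if `parse_options` derives `_j` from `_jail`, a comment saying so would spare the next reader (an `eval` on a name assembled from a jail name is exactly where they will look for trouble), otherwise the wrong variable is being expanded. Two smaller points: `_ALL` is handed to the rc machinery in the position of a jail name, so the sentinel deserves a comment and a check that no real jail can be called that, and the warning text should read "Please consider migrating to $jail_conf."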
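Review bot: deleting `devfs_mount_jail` from rc.subr removes a documented helper that rc.d scripts outside the base tree can call, and nothing in the patch replaces it, so any third-party script using it breaks at the next rc.subr update. Either keep it as a thin deprecated wrapper around `devfs_init_rulesets` and `devfs_domount`, or remove it and add an UPDATING entry saying so.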
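Review bot: the defaults/rc.conf hunk drops the global defaults `jail_set_hostname_allow="YES"`, `jail_socket_unixiproute_only="YES"` and `jail_sysvipc_allow="NO"`, while the rc.conf.5 table further down still derives `allow.set_hostname`, `allow.rawsocket` and `allow.sysvipc` from the per-jail forms of these variables. For an existing rc.conf that never set them explicitly, the generated /var/run/jail.<jname>.conf will now omit those parameters and jail(8)'s own defaults will decide what the jail may do; please say so in rc.conf.5 (or keep the three defaults) so the permission set of an unmodified configuration is documented rather than changed without notice.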
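Review bot: the new sentence under `jail_list`, "If this variable is empty, all of jail(8) instances in the configuration file will be configured", together with the `${jail_list:-_ALL}` dispatch in rc.d/jail, means `jail_enable="YES"` with the default empty `jail_list` now starts every jail defined in /etc/jail.conf. Unless the old script already behaved that way, that is a behaviour change worth an explicit warning here and in UPDATING, because anyone keeping inactive jails defined in jail.conf will find them running after the next boot. Wording: "all jail(8) instances in the configuration file will be configured".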
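Review bot: the compatibility text in the `.It Va jail_*` hunk says `jail_<jname>_parameters` is a `;`-delimited list of `key=value` that "will be added to the configuration file", but jail.conf has its own syntax in which `;` ends a statement and quotes group values, so a value containing `;`, quotes or `#` must either be quoted by the generator or documented as inserted verbatim; state which. The `<jname>` also lands in a path under /var/run (`/var/run/jail.<jname>.conf`), and names arrive both from rc.conf and from the `service jail start <name>` command line, so the generator should reject names containing `/` or `..`. Minor wording: "was able to be set by" reads better as "could be set with".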
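Review bot: two of the new mappings in the parameter table change what the jail is permitted to do rather than how it is set up. `allow.mount` is set from `jail_<jname>_mount_enable`, but that variable (per the text removed below) meant "mount all file systems from `jail_<jname>_fstab` at jail startup", a host-side action; `allow.mount` instead grants root inside the jail the right to mount file systems, a privilege the old setting never conferred. Map `mount_enable` to the host-side mount of the fstab, and note that jail(8) spells the fstab parameter `mount.fstab`, not `fstab`. Likewise `allow.rawsocket` (the parameter is `allow.raw_sockets`, as the removed rc.conf example `allow.raw_sockets=1` shows) is set from `jail_<jname>_socket_unixiproute_only`, whose documented meaning was "do not allow any sockets, besides UNIX/IP/route sockets" with YES meaning restrict: that knob concerns socket address families, not raw sockets, and its sense is the inverse of an allow flag, so the mapping misnames the parameter and inverts the intent; the nearest jail(8) parameter is `allow.socket_af` with the value negated. Smaller: `devfs_ruleset` "must be an integer, not a string" while the removed example used the name `devfsrules_jail`, so the generator should translate names or warn rather than emit an invalid file; and `jail_<jname>_fdescfs_enable` and `jail_<jname>_procfs_enable` are removed below with no entry in this table, so either map them or state that they are dropped.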
@@ -470,10 +470,12 @@ if (dep_check(j)) continue; if (j->jid < 0) { - if (!(j->flags & (JF_DEPEND | JF_WILD)) - && verbose >= 0) - jail_quoted_warnx(j, - "not found", NULL); + if (!(j->flags & (JF_DEPEND|JF_WILD))) { + if (verbose >= 0) + jail_quoted_warnx(j, + "not found", NULL); + failed(j); + } goto jail_remove_done; } j->comparam = stopcommands; ----Next_Part(Mon_Oct__7_04_04_11_2013_092)---- ----Security_Multipart0(Mon_Oct__7_04_04_11_2013_176)-- Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (FreeBSD) iEYEABECAAYFAlJRtCsACgkQTyzT2CeTzy1z3QCeJ6/3B1fnadI52oGwyepBf6KX 4iUAoNdGI+MKRXsAn4QLzej5+rvkMYxZ =sH1M -----END PGP SIGNATURE----- ----Security_Multipart0(Mon_Oct__7_04_04_11_2013_176)---- From owner-freebsd-arch@FreeBSD.ORG Wed Oct 9 09:34:49 2013 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 1319D186 for ; Wed, 9 Oct 2013 09:34:49 +0000 (UTC) (envelope-from kamel.alipoor@gmail.com) Received: from mail-qe0-x232.google.com (mail-qe0-x232.google.com [IPv6:2607:f8b0:400d:c02::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C9CEA281A for ; Wed, 9 Oct 2013 09:34:48 +0000 (UTC) Received: by mail-qe0-f50.google.com with SMTP id a11so436292qen.37 for ; Wed, 09 Oct 2013 02:34:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:reply-to:from:to:subject:date:mime-version:content-type :content-transfer-encoding; bh=I2oot/BTSFAxNuzXqLTRB1T2nJfrMwJ4Q9LPvffpVd0=; b=PN/8syn9HrjNuV28nICE/VGOm4PWCNqWMy61IPzt90BCbsFGglk0QhAsLP+WACr9ec H+N56FUO4DfAECOWj/usgO1c5WxwnieoFrSym1FCQ1sIMgDVbeVs70d2Xp3zhWLBYJmy 
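Review bot: calling `failed(j)` when a jail is not found on removal is the right fix for the exit status, but it is a visible change for callers: `jail -r <name>` on an already-stopped jail now exits non-zero, and rc.d/jail's new stop loop (`if $command -q -f $_conf -r $_jail; then`) prints the hostname only on success, so a jail stopped by hand before `service jail stop` will no longer appear in the "Stopping jails" output. That is probably acceptable, but it belongs in the commit message.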
U5DqQPm2bZkwoi21djocvsJ5FfGE1r99M0KhRmmN8iWCLmMbKMXhhS4TM0LJBakFZuXP QMEB56YMe1gxHFOviL23isyvxZp1i9NJ1ZHew06RkjOfskZmWgdX3Zrlgk2yZoVlhtSF pqsSGgYUUMJtYqrWT9vtzgA/trFD2uP76b1oZemAql4sK1xh+1ojCxqVD4JSXM3BSLVZ jLSw== X-Received: by 10.49.53.10 with SMTP id x10mr8026451qeo.46.1381311288063; Wed, 09 Oct 2013 02:34:48 -0700 (PDT) Received: from Almani-VAIO ([130.255.231.40]) by mx.google.com with ESMTPSA id y9sm84259705qaj.9.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 09 Oct 2013 02:34:47 -0700 (PDT) Message-ID: <02dcfa36-41556-01a65449291088@almani-vaio> 
From: Global Researchers Journals To: freebsd-arch@freebsd.org Subject: Call for Paper October 2013 |Volume 3 : Issue 10| Date: Wed, 9 Oct 2013 13:04:47 +0330 X-Priority: 3 MIME-Version: 1.0 Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Global Researchers Journals List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Oct 2013 09:34:49 -0000 Call for Paper Dear Colleagues You are cordially invited to submit or recommend papers to: [1]http://www.grjournals.com October 2013 (Volume 3 | Issue 10) · Journal of Physiology and Pharmacology Advances (JPPA) [2]http://grjournals.com/Default.aspx?tabid=6605&articleType=CategoryView&categoryId=2302 · Journal of Animal Production Advances (JAPA) [3]http://grjournals.com/Default.aspx?tabid=6606&articleType=CategoryView&categoryId=2301 · Journal of Veterinary Advances (JVA) http://grjournals.com/Default.aspx?tabid=6604&articleType=CategoryView&categoryId=2303 · Journal of Animal Science Advances (JASA) [4]http://grjournals.com/Default.aspx?tabid=6529&articleType=CategoryView&categoryId=2272 Top 20 Hottest Articles (Last 7 Days) [5]http://www.scopemed.org/ Global Researchers Journals, a fast track peer-reviewed and open access academic journal published by Grjournals Publishing, which is one of the largest open access journal publishers around the world. Grjournals is using online article submission, review and tracking system for quality and quick review processing. Journal provides rapid publication of research article. After 30 days Rapid Review Process by the editorial/review board members or outside experts, an accepted paper will be placed under In Press within 24 hours and will be published in the next issue.
Instructions for authors are available on our website: [6]http://www.grjournals.com Submitted papers must follow the Instructions to authors to be considered for review and publication. Refereeing of manuscripts is conducted anonymously and the identity of the referees is not disclosed. The manuscripts which get an acceptance will publish with DOI number. Your Manuscript(s) can be one of these kinds: Review, Original Article, Case Report, Short Communications, Technical Notes, Mini Review Article and Hypothesis. Some of Abstracted/Index in: CAB reviews, Chemical Abstract Service (CAS), Genamics JournalSeek, Index Directory of Open Access Journals (DOAJ), Index Electronic Journals Library and SCIRUS, ISC and the World most Popular University Electronic Library. [7]http://grjournals.com/Default.aspx?tabid=7329 Now you can clear the clutter by accessing your favorite journals online: · Full text, full archive that's always there when you need it · Easy access anywhere, anytime and anyhow · Impact your practice, not the environment NOTICE: Authors that cite [8]www.grjournals.com manuscripts as reference in their ISI articles, they can send their manuscripts to one of above journals as FREE of charge. After evaluation and get an acceptance it will publish without any Article Processing Fee with DOI. We apologize if you have received this email twice, or our journal is not your field. With Warm Regards Sincerely, Grjournals team Site: [9]www.grjournals.com E_Mail: [10]grjournals@gmail.com References 1. http://www.grjournals.com/ 2. http://grjournals.com/Default.aspx?tabid=6605&articleType=CategoryView&categoryId=2302 3. http://grjournals.com/Default.aspx?tabid=6606&articleType=CategoryView&categoryId=2301 4. http://grjournals.com/Default.aspx?tabid=6529&articleType=CategoryView&categoryId=2272 5. http://www.scopemed.org/ 6. http://www.grjournals.com/ 7. http://grjournals.com/Default.aspx?tabid=7329 8. http://www.grjournals.com/ 9. http://www.grjournals.com/ 10.
mailto:grjournals@gmail.com From owner-freebsd-arch@FreeBSD.ORG Wed Oct 9 11:19:23 2013 Return-Path: Delivered-To: arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id A0146C80 for ; Wed, 9 Oct 2013 11:19:23 +0000 (UTC) (envelope-from amy.cole@researchandmarkets.org) Received: from mailsender14.researchandmarkets.org (unknown [IPv6:2a01:258:f000:4:e4a1:315c:77f9:5f52]) by mx1.freebsd.org (Postfix) with SMTP id A5B732E5B for ; Wed, 9 Oct 2013 11:19:20 +0000 (UTC) 
From: "Amy Cole" To: Subject: Hadoop Market - Global Industry Analysis, Size, Share, Growth, Trends, And Forecast, 2012 - 2018 Date: Wed, 09 Oct 2013 11:19:00 GMT X-Mailer: RMSmtp MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <20131009111923.A0146C80@hub.freebsd.org> X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Amy Cole List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Oct 2013 11:19:23 -0000 An exponential increase in the amount of data generated is a major contributing factor to the growth of Hadoop (High-availability distributed object-oriented platform) solution. Banking, Financial Services and Insurance (BFSI), retail, healthcare and life sciences, media and entertainment, government, and telecommunication sectors among others are generating a massive amount of data creating the need for a tool to handle and analyze big data. Hadoop is a cost effective solution and can manage structured as well as unstructured data unlike traditional solutions such as RDBMS (relational database management system). The need to track and analyze consumer behavior, maintain inventory and space, target marketing offers on the basis of consumer preferences and attract and retain consumers, are some of the factors pushing the demand for Hadoop architecture solutions. This study provides competitive analysis of the Hadoop market by type, by application and by geography. The report also contains further segmentation by type and by applications across major geographies along with country-wise breakdown of the market across key geographies. In addition, it provides current and forecast market size by revenue for its wide range of industrial applications for the period 2011 to 2018.
The report also analyzes macro economic factors influencing and inhibiting the growth of the Hadoop market. Porter's five forces analysis offers insights on market competition throughout its value chain. The market attractiveness analysis highlights key investing areas in this industry. This study includes profiles of key players in the market and the strategies adopted by them to capture the market. The report also provides recent developments and barriers of the market which will help emerging players to design their strategies in an effective manner. This study is expected to help designers, manufacturers, suppliers and distributors of the Hadoop industry in formulating and developing their strategies. The in-depth research and high level analysis will allow Hadoop market vendors and research and development agencies to make informed decisions about the Hadoop market, formulate growth strategies and gain competitive advantage. For more information please click on: http://www.researchandmarkets.com/publication/p2hpzj/hadoop_market_global_industry_analysis_siz Title Index: Chapter 1 Preface 1.1 Research description 1.2 Research scope 1.3 Research methodology Chapter 2 Executive Summary Chapter 3 Market Overview 3.1 Key findings 3.2 Market definition 3.3 Market evolution 3.4 Market dynamics 3.5 Porter's five forces analysis 3.6 Market attractiveness analysis 3.7 Market trends and future outlook Chapter 4 Hadoop Market Analysis and Forecast, by Type 4.1 Overview 4.2 Hadoop software market 4.3 Hadoop hardware market 4.4 Hadoop services market Chapter 5 Hadoop Market Analysis and Forecast, by Application 5.1 Overview 5.2 Banking, Financial Services and Insurance (BFSI) 5.3 Manufacturing 5.4 Retail 5.5 Telecommunications 5.6 Healthcare and life sciences 5.7 Media and entertainment 5.8 Natural resources 5.9
Trade and transportation 5.10 Government sector 5.11 IT and ITES 5.12 Others Chapter 6 Hadoop Market Analysis and Forecast, by Geography 6.1 Overview 6.2 North America Hadoop market 6.3 Europe Hadoop market 6.4 Asia Pacific Hadoop market 6.5 RoW Hadoop market Chapter 7 Competitive Landscape 7.1 Market share by key players Chapter 8 Company Profiles 8.1 Cloudera Inc. 8.2 Horton Works 8.3 IBM Corp. 8.4 Pentaho 8.5 MapR Technologies Inc. 8.6 Karmasphere Inc. 8.7 EMC - Greenplum 8.8 HStreaming LLC 8.9 Cisco Systems, Inc. 8.10 Teradata Corp. Pricing: Electronic (Single User): EUR 3431 Electronic (1 - 5 Users): EUR 5671 Electronic (Enterprisewide): EUR 7911 Ordering - Three easy ways to place your order: 1] Order online at http://www.researchandmarkets.com/publication/p2hpzj/hadoop_market_global_industry_analysis_siz 2] Order by fax: Print an Order form from http://www.researchandmarkets.com/publication/p2hpzj/hadoop_market_global_industry_analysis_siz and Fax to +353 1 4100 980 3] Order by mail: Print an Order form from http://www.researchandmarkets.com/publication/p2hpzj/hadoop_market_global_industry_analysis_siz and post to Research and Markets, Guinness Center, Taylors Lane, Dublin 8. Ireland. Thank you for your consideration. Best Regards, Amy Cole Senior Manager Research and Markets Ltd amy.cole@researchandmarkets.com Subscribe: Click on http://www.researchandmarkets.com/register.asp You can subscribe free for regular details on new research in your sector.
Please note you are currently subscribed as arch@freebsd.org If you no longer wish to receive our market research updates, please reply to this message with Suppression Request as the subject line, or use the link below http://www.researchandmarkets.com/u.asp?f=u&ec=p2hpzj&e=arch@freebsd.org From owner-freebsd-arch@FreeBSD.ORG Wed Oct 9 19:09:46 2013 Return-Path: Delivered-To: arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id B3166F42 for ; Wed, 9 Oct 2013 19:09:46 +0000 (UTC) (envelope-from jilles@stack.nl) Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 795862E23 for ; Wed, 9 Oct 2013 19:09:46 +0000 (UTC) Received: from turtle.stack.nl (turtle.stack.nl [IPv6:2001:610:1108:5010::132]) by mx1.stack.nl (Postfix) with ESMTP id B6003358C67; Wed, 9 Oct 2013 21:09:43 +0200 (CEST) Received: by turtle.stack.nl (Postfix, from userid 1677) id 8E1E4CB4E; Wed, 9 Oct 2013 21:09:43 +0200 (CEST) Date: Wed, 9 Oct 2013 21:09:43 +0200
From: Jilles Tjoelker To: Dag-Erling Smørgrav Subject: Re: Userland patch level Message-ID: <20131009190943.GA1800@stack.nl> References: <8661tbsi40.fsf@nine.des.no> <52506076.2090803@mu.org> <86siwfqyqk.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <86siwfqyqk.fsf@nine.des.no> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: arch@freebsd.org, Alfred Perlstein X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Oct 2013 19:09:46 -0000 On Sat, Oct 05, 2013 at 09:55:15PM +0200, Dag-Erling Smørgrav wrote: > This was initially meant to be little more than "echo X.Y-RELEASE-pZ" > and to be used only by portaudit / pkg audit / what have you, which is > why it's hidden away in /libexec, but considering how much it's grown > from inception to implementation, it might make more sense to put it > in a more accessible location. The fact that it has a man page seems to suggest /bin or /sbin is a more appropriate location.
-- Jilles Tjoelker From owner-freebsd-arch@FreeBSD.ORG Wed Oct 9 19:41:43 2013 Return-Path: Delivered-To: arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 83BCE830 for ; Wed, 9 Oct 2013 19:41:43 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 4503E2093 for ; Wed, 9 Oct 2013 19:41:43 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 70D7B66D6; Wed, 9 Oct 2013 19:41:42 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 9CBDB236; Wed, 9 Oct 2013 21:41:36 +0200 (CEST) 
From: Dag-Erling Smørgrav To: Jilles Tjoelker Subject: Re: Userland patch level References: <8661tbsi40.fsf@nine.des.no> <52506076.2090803@mu.org> <86siwfqyqk.fsf@nine.des.no> <20131009190943.GA1800@stack.nl> Date: Wed, 09 Oct 2013 21:41:36 +0200 In-Reply-To: <20131009190943.GA1800@stack.nl> (Jilles Tjoelker's message of "Wed, 9 Oct 2013 21:09:43 +0200") Message-ID: <864n8qjkpb.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: arch@freebsd.org, Alfred Perlstein X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Oct 2013 19:41:43 -0000 Jilles Tjoelker writes: > The fact that it has a man page seems to suggest /bin or /sbin is a more > appropriate location. I'm sorry, are you implying that we should only document those parts of the system that are exposed to the user?
DES -- Dag-Erling Smørgrav - des@des.no From owner-freebsd-arch@FreeBSD.ORG Fri Oct 11 12:37:06 2013 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 146A4441; Fri, 11 Oct 2013 12:37:06 +0000 (UTC) (envelope-from outbackdingo@gmail.com) Received: from mail-oa0-x22d.google.com (mail-oa0-x22d.google.com [IPv6:2607:f8b0:4003:c02::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 94581221E; Fri, 11 Oct 2013 12:37:05 +0000 (UTC) Received: by mail-oa0-f45.google.com with SMTP id o17so2367014oag.32 for ; Fri, 11 Oct 2013 05:37:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qRAJ5+Fweq5riYSRWT0qVTvhYUPEfYkCMziahkj9NlM=; b=YR40qGcOOht/xw6ImDaWTWq+6ytzcmhRIfdAca+CNUnsZSay8h4Y6evpADYOLtloYx 6hPF+PhFOj5RRVF5hwOozEEUKfaWhPRyA+wcIG+0Qs43LOI7wXgMh5X4jZ6Be6bfL5HZ EHclXyDvUuMLb2DaCmsyg+UOdHud4+RpntYppoPYmfsrbU9UpO/78Mt3GtTiLP+PsJoF +xZ6z1k9e4ShYmr5axM/8Sw7BBVrAKCMQiP3niJU6/BW/awixNNmUPbinn6ZCaRkOkRN gjW/mzxgEwQeNY/8mCjoxcu8P3MQepiCt7GTmdXgSgECFU0MV7baLUg1TrREO6UK5dhv RB7w== MIME-Version: 1.0 X-Received: by 10.60.63.9 with SMTP id c9mr14133184oes.35.1381495024552; Fri, 11 Oct 2013 05:37:04 -0700 (PDT) Received: by 10.76.13.228 with HTTP; Fri, 11 Oct 2013 05:37:04 -0700 (PDT) In-Reply-To: References: <522A1C73.9030402@mu.org> Date: Fri, 11 Oct 2013 08:37:04 -0400 Message-ID: Subject: Re: New iSCSI stack.
From: Outback Dingo To: Edward Tomasz Napierała Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-scsi@freebsd.org, "freebsd-arch@freebsd.org" , Alfred Perlstein , "freebsd-current@FreeBSD.org" X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Oct 2013 12:37:06 -0000 On Wed, Sep 11, 2013 at 5:14 PM, Edward Tomasz Napierała wrote: > I'm working on last few minor nits to get this into the tree. Give me few > days, > I'll prepare a patch against 9-STABLE. > > Quick question, is there a specific reason why ctld doesn't create the file / device for iscsi, or fc ? the previous iscsi would read the config file and create the file / device ... it now appears to be a manual process.