Date: Wed, 13 Aug 2014 21:21:33 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: How early can jails be started?
Message-ID: <53EC0F1D.70802@freebsd.org>
In-Reply-To: <alpine.BSF.2.11.1408131820440.96581@wonkity.com>
References: <alpine.BSF.2.11.1408091848040.38134@wonkity.com> <53E6F664.10702@freebsd.org> <alpine.BSF.2.11.1408131820440.96581@wonkity.com>
On 2014-08-13 21:08, Warren Block wrote:
> On Sat, 9 Aug 2014, James Gritton wrote:
>
>> On 8/9/2014 6:53 PM, Warren Block wrote:
>>> Is it technically possible to start a jail much earlier in the boot
>>> order?
>>>
>>> The reason is that a jailed DNS server could be used by the host if
>>> it was started before any of the host's network services needed DNS.
>>> After /etc/rc.d/netwait, say.
>>>
>>> There may be other jailed services that would also benefit from an
>>> early start, but DNS is something of a special case and the only one
>>> that comes to mind.
>>
>> Sure - jails can go quite early. Technically, very near the beginning.
>>
>> You'll want local filesystems, assuming you want your jail chrooted
>> somewhere (you do for normal-use jails, but it's not as obviously true
>> for single-purpose jails). In the same situation, you'd want to
>> depend on devfs so you can mount a devfs with the proper ruleset.
>>
>> If you want to add IP address aliases, you'll need networking set up,
>> but if you just want to restrict to already existing addresses or run
>> in an unrestricted IP setup, you don't even need that. Except ...
>>
>> Other than that, the only restriction is what you want to do with the
>> jail. So for the DNS server example, it's whatever an unjailed DNS
>> server would require. So yeah, something like netwait.
>
> (Sorry for multiposting--I put this on the ezjail list also. But it's
> generally applicable to ordinary jails too.)
>
> It works... mostly. This file is /etc/rc.d/earlyjail:
>
> #!/bin/sh
> # PROVIDE: earlyjail
> # REQUIRE: netwait
> # KEYWORD:
> # BEFORE: mountcritremote
> /usr/local/etc/rc.d/ezjail start dns1
>
> That was a quick hack, not expected to work, but it did. However...
>
> /usr/local/etc/rc.d/ezjail
>
> When /etc/rc.d/jail runs much later in the startup, it tries to start
> that jail again, and gets an error because of it. Seeing the error, it
> deletes /var/run/jail_dns1.id. ezjail uses those jail_*.id files to
> detect which jails are running, and is sure that dns1 is not running.
> jls does show things correctly. I'm not sure if there is a workaround
> short of modifying /etc/rc.d/jail.
>
> The second problem might be simpler to solve. With sendmail_enable="NO"
> in the dns1 jail (so it can send status email), sendmail on the host is
> blocked:
>
> sm-mta[679]: daemon Daemon0: problem creating SMTP socket
> sm-mta[679]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0:
> cannot bind: Can't assign requested address
>
> If the host sendmail is killed and restarted, it works. And of course
> it also works when sendmail is started on the host first and the jails
> use sendmail_enable="NO". I'm not really sure what's going on there.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

Sendmail still starts with sendmail_enable="NO"

try sendmail_enable="NONE"

-- 
Allan Jude
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53EC0F1D.70802>