Date:      Sat, 18 Feb 2017 09:52:17 -0700
From:      James Gritton <jamie@freebsd.org>
To:        Jeff Kletsky <freebsd@wagsky.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: Using jail.conf array parameters in exec.* commands
Message-ID:  <804a21e85046d5c9f536c7faefc0fb05@freebsd.org>
In-Reply-To: <5c11e326-cd4b-73e1-a681-9d116a0c1cd3@wagsky.com>
References:  <b54f6576-7627-f3c3-70b0-b2c9c54a4fd6@wagsky.com> <58A42DC7.5040702@gmail.com> <5c11e326-cd4b-73e1-a681-9d116a0c1cd3@wagsky.com>

On 2017-02-17 10:58, Jeff Kletsky wrote:
> ...
> I've been thinking about that for a while, especially as there isn't a
> way to "catch" an execution error in jail(8) itself, such as the vnet
> transition failing. (Yes, I'll open an issue on that once I'm convinced
> I can't do it with the current jail functionality.)
> 
> To be able to call 'ifconfig interface vnet jail' the jail needs to
> exist already:
> 
>     # ifconfig ngeth3 vnet t2
>     ifconfig: jail "t2" not found
> 
> Further, the network needs to be up and running when services are
> started. ntpd, anything that binds to a specific interface (rather
> than *), anything that needs DNS (such as nginx providing proxy
> services), ...
> 
> 
> jail(8) tells me I have the following hooks available
> 
>     exec.prestart  -- jail isn't created yet
>     exec.start     -- runs *in* the jail; typically starts execution
>     exec.poststart -- runs in the host, after exec.start completes
> 
> There isn't a "jail up, but not executing yet" hook in the host
> environment that I am aware of.
> 
> There is a somewhat ugly approach along the lines of:
> 
>     exec.prestart  -- do the setup on the host side
>     exec.start     -- '/bin/true' or 'return 0'-- don't do anything
>     exec.poststart -- 'ifconfig interface vnet jail'-like things
>                       'jexec jail sh /etc/rc > ${exec.consolelog}'
> 
> 
> Is there a better approach that someone out there knows of?

There's nothing better at this point - the ugly solution you mention is 
the current best way.  The exec.* options come from analogs of the 
rc-script days, which precede vnet.  The specific "ifconfig interface 
vnet jail" thing was handled by the vnet.interface parameter, but it 
would be good to have a more general set of exec scripts to run in the 
create side post-create but pre-start.

But I'm not sure such a thing will appear.  Aside from the cumbersome 
naming of something between prestart and start, I can see this blowing 
up: there could well be a situation where you want something run in the 
host, something in the jail, something else in the host, something else 
in the jail.  I considered vnet.interface to be the common case, but 
there will always be more specific work where the best solution is to 
just run a script on the host side.

- Jamie
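
Added example, not part of the original message and not the FreeBSD project's own configuration: a jail.conf fragment showing the two approaches discussed in this thread side by side, vnet.interface for the common case and the no-op exec.start workaround for host-side work that must happen after the jail exists. The jail name t1, the interface ngeth2, the paths, the host name and the host-setup script are assumed placeholders; t2 and ngeth3 are taken from the quoted message.

```conf
# Constructed example. Paths, host names and the setup script are placeholders.

# Settings shared by every jail defined below.
path = "/jails/$name";
host.hostname = "$name.example.org";
vnet;
exec.consolelog = "/var/log/jail_${name}_console.log";
exec.stop = "/bin/sh /etc/rc.shutdown";

# Common case: jail(8) hands the interface to the jail itself once the
# jail has been created, so exec.start can run the normal rc sequence.
t1 {
    vnet.interface = "ngeth2";
    exec.start = "/bin/sh /etc/rc";
}

# Workaround from the thread: host-side commands have to run after the
# jail exists but before its services start, so exec.start is a no-op
# and the real startup is driven from the host in exec.poststart.
t2 {
    # Assumption: persist is set so the jail stays around even though
    # exec.start leaves no process running inside it.
    persist;

    # Runs on the host before the jail exists (hypothetical script).
    exec.prestart = "/usr/local/sbin/t2-host-setup.sh";

    # Runs inside the jail; deliberately does nothing.
    exec.start = "/bin/true";

    # Run on the host, in order, after exec.start has completed.
    exec.poststart  = "ifconfig ngeth3 vnet $name";
    exec.poststart += "jexec $name /bin/sh /etc/rc > ${exec.consolelog}";
}
```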


