Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-14 Thread Jens Rehsack
On 04.08.2003 01:04, Mike Makonnen wrote:

> On Sun, Aug 03, 2003 at 04:11:12PM +0200, Jens Rehsack wrote:
>> the patch works for me very well. I've checked what's been done
>> and had only small recommendations:
>> - Wouldn't it be better to configure the devfs rules by
>>   /etc/devfs.conf or is it impossible?
>> - Even it would be a good thing, if I could specify a
>>   ruleset for each jail, and fallback to devfs_ruleset_jail
>>   if no jail_example_devfs_ruleset is specified?
>
> Ok. Here's a retooled patch. It now includes a devfs rule
> specification format that we can even use in the general
> case (i.e. - for /dev). The default rules for a jail are
> included in it. It's in etc/defaults/devfs.rules and should
> be self-explanatory.
>
> I also put back Scott's code in rc.d/jail for handling rulesets
> for individual jails. But I kept the default jail ruleset hard-coded.
> I don't see the point of creating yet another knob for it. If a user
> doesn't want the default that's what the individual knobs for
> the jails are there for :)
>
> Let me know how it goes.

On 04.08.2003 01:09, Mike Makonnen wrote:

> the patch is attached this time.

Hi Mike,

sorry that testing took a while, but it failed completely the first
time on my machine and I didn't find the time to debug.
1st: you have a typo in etc/rc.d/jail
  sed 's/\[-z/\[ -z/'
2nd: you include the 'devfs_ruleset_hide' several times,
  and each time the devfs call for it hides everything previously
  unhidden.
  So you have to remove the 'add include $devfs_ruleset_hide'
  from the unhiding rulesets.
3rd: I don't know why, but I had your etc/defaults/devfs.rules
  content 5 times in my etc/defaults/devfs.rules
  The parsing subr fails with this content and so the jails
  didn't come up. So it was my fault (even I cannot explain,
  'cause I removed /usr/src/etc before I cvsup'ed and applied
  the patch).
By the way, now it works. Great step for flexible jails!!!

Jens



___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]
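
Jens's second point in the message above, shown as an added example that is not part of the thread or of Mike's patch: a simplified shell model of ordered devfs rule evaluation in which every unhiding ruleset includes the hide ruleset, next to the layout with a single include. The ruleset names and device nodes are constructed for the example.

```shell
# Simplified model of ordered devfs rule evaluation (constructed example;
# never calls devfs(8), ruleset names and device nodes are made up).
DEVICES="null zero random urandom ptyp0 ttyp0 mem kmem da0"

# ruleset_rules NAME: print the rules of one ruleset, one per line.
ruleset_rules() {
    case $1 in
    hide)      printf '%s\n' 'hide' ;;
    # Broken layout: each unhiding ruleset includes the hide ruleset again.
    basic_bad) printf '%s\n' 'include hide' 'path null unhide' \
                   'path zero unhide' 'path random unhide' 'path urandom unhide' ;;
    login_bad) printf '%s\n' 'include hide' 'path ptyp* unhide' 'path ttyp* unhide' ;;
    jail_bad)  printf '%s\n' 'include hide' 'include basic_bad' 'include login_bad' ;;
    # Fixed layout: only the jail ruleset includes hide, once and first.
    basic)     printf '%s\n' 'path null unhide' 'path zero unhide' \
                   'path random unhide' 'path urandom unhide' ;;
    login)     printf '%s\n' 'path ptyp* unhide' 'path ttyp* unhide' ;;
    jail)      printf '%s\n' 'include hide' 'include basic' 'include login' ;;
    esac
}

# expand NAME: flatten includes into the ordered list of primitive rules.
expand() {
    ruleset_rules "$1" | while read -r verb arg rest; do
        if [ "$verb" = include ]; then
            expand "$arg"
        else
            echo "$verb $arg $rest"
        fi
    done
}

# visible_after NAME: nodes left visible on a fresh devfs (all nodes shown).
visible_after() {
    visible=$DEVICES
    while read -r verb pat action; do
        case $verb in
        hide) visible="" ;;                 # "hide" with no path matches all
        path)                               # "path PATTERN unhide"
            for dev in $DEVICES; do
                case $dev in
                $pat) case " $visible " in *" $dev "*) ;; *) visible="$visible $dev" ;; esac ;;
                esac
            done ;;
        esac
    done <<EOF
$(expand "$1")
EOF
    echo $visible
}

echo "broken: $(visible_after jail_bad)"
echo "fixed:  $(visible_after jail)"
```

In the broken layout the basic nodes unhidden first are hidden again by the include inside the login ruleset, so only the pty/tty nodes remain.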


Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-03 Thread Jens Rehsack
On 02.08.2003 01:29, Mike Makonnen wrote:

> On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
>> On 29.07.2003 19:21, Mike Makonnen wrote:
>>
>>> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
>>> Yeah, I'll take care of this. I had asked scott to mail me his final
>>> patch so I could commit it, but I never heard back from him. I'll
>>> dig out the revisions from my mail archives and combine the
>>> two.
>>
>> You can mail me the patch first, so that I can test it before you
>> commit it, if you want.
>
> Hi Jens,
>
> Can you apply the attached patches and let me know how it goes?
>
> Cheers.

Hi Mike, hi Scot,

the patch works for me very well. I've checked what's been done
and had only small recommendations:
- Wouldn't it be better to configure the devfs rules by
  /etc/devfs.conf or is it impossible?
- Even it would be a good thing, if I could specify a
  ruleset for each jail, and fallback to devfs_ruleset_jail
  if no jail_example_devfs_ruleset is specified?
Jens



Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-03 Thread Jens Rehsack
On 03.08.2003 16:11, Jens Rehsack wrote:

> On 02.08.2003 01:29, Mike Makonnen wrote:
>
>> On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
>>
>>> On 29.07.2003 19:21, Mike Makonnen wrote:
>>>
>>>> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
>>>> Yeah, I'll take care of this. I had asked scott to mail me his final
>>>> patch so I could commit it, but I never heard back from him. I'll
>>>> dig out the revisions from my mail archives and combine the
>>>> two.
>>>
>>> You can mail me the patch first, so that I can test it before you
>>> commit it, if you want.
>>
>> Hi Jens,
>>
>> Can you apply the attached patches and let me know how it goes?
>>
>> Cheers.
>
> Hi Mike, hi Scot,
>
> the patch works for me very well.

Ahh - being able to read benefits clearly :-)
Without having rc_debug=YES turned on the boot process shows
an error: devfs_link: not found. It's called from within
etc/rc.d/jails to link /var/log/log etc.
Jens



Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-03 Thread Mike Makonnen
On Sun, Aug 03, 2003 at 04:11:12PM +0200, Jens Rehsack wrote:
>
> the patch works for me very well. I've checked what's been done
> and had only small recommendations:
>
> - Wouldn't it be better to configure the devfs rules by
>   /etc/devfs.conf or is it impossible?
>
> - Even it would be a good thing, if I could specify a
>   ruleset for each jail, and fallback to devfs_ruleset_jail
>   if no jail_example_devfs_ruleset is specified?

Ok. Here's a retooled patch. It now includes a devfs rule
specification format that we can even use in the general
case (i.e. - for /dev). The default rules for a jail are
included in it. It's in etc/defaults/devfs.rules and should
be self-explanatory.

I also put back Scott's code in rc.d/jail for handling rulesets
for individual jails. But I kept the default jail ruleset hard-coded.
I don't see the point of creating yet another knob for it. If a user
doesn't want the default that's what the individual knobs for
the jails are there for :)

Let me know how it goes.

Cheers.
-- 
Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
[EMAIL PROTECTED] | D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
[EMAIL PROTECTED]| FreeBSD - Unleash the Daemon!


Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-02 Thread Jens Rehsack
On 02.08.2003 01:29, Mike Makonnen wrote:

> On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
>> On 29.07.2003 19:21, Mike Makonnen wrote:
>>
>>> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
>>> Yeah, I'll take care of this. I had asked scott to mail me his final
>>> patch so I could commit it, but I never heard back from him. I'll
>>> dig out the revisions from my mail archives and combine the
>>> two.
>>
>> You can mail me the patch first, so that I can test it before you
>> commit it, if you want.
>
> Hi Jens,
>
> Can you apply the attached patches and let me know how it goes?
>
> Cheers.

Is there a difference to those Scot sent me yesterday evening?
If not, I'm working on it, but after a hard week I took a free
day today and tomorrow starts with a meeting. So don't expect
results of test before Monday morning (7:00 GMT)
Best regards,
Jens


Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-08-01 Thread Mike Makonnen
On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
> On 29.07.2003 19:21, Mike Makonnen wrote:
>
>> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
>> Yeah, I'll take care of this. I had asked scott to mail me his final
>> patch so I could commit it, but I never heard back from him. I'll
>> dig out the revisions from my mail archives and combine the
>> two.
>
> You can mail me the patch first, so that I can test it before you
> commit it, if you want.

Hi Jens,

Can you apply the attached patches and let me know how it goes?

Cheers.
-- 
Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
[EMAIL PROTECTED] | D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
[EMAIL PROTECTED]| FreeBSD - Unleash the Daemon!
Index: etc/rc.subr
===
RCS file: /home/ncvs/src/etc/rc.subr,v
retrieving revision 1.13
diff -u -r1.13 rc.subr
--- etc/rc.subr 9 Jun 2003 17:31:06 -   1.13
+++ etc/rc.subr 1 Aug 2003 23:05:21 -
@@ -1033,3 +1033,160 @@
esac
fi
 }
+
+# devfs_init_rulesets
+#  Initialize default system supplied rulesets.
+#
+devfs_init_rulesets()
+{
+   local rsHide rsBasic rsLogin rsJail _me
+   rsHide=$devfs_ruleset_hide
+   rsBasic=$devfs_ruleset_basic
+   rsLogin=$devfs_ruleset_login
+   rsJail=$devfs_ruleset_jail
+   _me=devfs_init_rulesets
+
+   # Go through this only once
+   if [ -n $devfs_rulesets_init ]; then
+   debug $_me: devfs rulesets already initialized
+   return
+   fi
+
+   # Hide: Hide all devices
+   #
+   /sbin/devfs rule -s $rsHide delset
+   /sbin/devfs rule -s $rsHide add hide
+
+   # Basic: Basic devices typically necessary
+   #
+   /sbin/devfs rule -s $rsBasic delset
+   /sbin/devfs rule -s $rsBasic add path null unhide
+   /sbin/devfs rule -s $rsBasic add path zero unhide
+   /sbin/devfs rule -s $rsBasic add path random unhide
+   /sbin/devfs rule -s $rsBasic add path urandom unhide
+
+   # Login: Devices typically needed to support loged-in users
+   #
+   /sbin/devfs rule -s $rsLogin delset
+   /sbin/devfs rule -s $rsLogin add path 'ptyp*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyq*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyr*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptys*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyP*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyQ*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyR*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ptyS*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyp*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyq*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyr*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttys*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyP*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyQ*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyR*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'ttyS*' unhide
+   /sbin/devfs rule -s $rsLogin add path 'fd/*' unhide
+   /sbin/devfs rule -s $rsLogin add path stdin unhide
+   /sbin/devfs rule -s $rsLogin add path stdout unhide
+   /sbin/devfs rule -s $rsLogin add path stderr unhide
+
+   # Jail: Devices typically usefull in a jail
+   #
+   /sbin/devfs rule -s $rsJail add path '*' include $rsHide
+   /sbin/devfs rule -s $rsJail add path '*' include $rsBasic
+   /sbin/devfs rule -s $rsJail add path '*' include $rsLogin
+
+   devfs_rulesets_init=1
+   debug $_me: devfs rulesets initialized
+}
+
+# devfs_set_ruleset ruleset [dir]
+#  Sets the default ruleset of dir to ruleset.
+#  Returns non-zero if it could not set it successfully.
+#
+devfs_set_ruleset()
+{
+   local devdir rs _me
+   rs=$1
+   [ -n $2 ]  devdir=-m $2 || devdir=
+   _me=devfs_set_ruleset
+
+   if [ -z $rs ]; then
+   warn $_me: you must specify a ruleset number
+   return 1
+   fi
+   debug $_me: setting ruleset ($rs) on mount-point (${devdir#-m })
+   if ! /sbin/devfs $devdir ruleset $rs ; then
+   warn $_me: unable to set ruleset $rs to ${devdir#-m }
+   return 1
+   fi
+   return 0
+}
+
+# devfs_apply_ruleset ruleset [dir]
+#  Apply ruleset number $ruleset to the devfs mountpoint $dir.
+#  Returns 0 on success or non-zero if it could not apply
+#  the ruleset.
+#
+devfs_apply_ruleset()
+{
+   local devdir rs _me
+   rs=$1
+   [ -n $2 ]  devdir=-m $2 || devdir=
+   _me=devfs_apply_ruleset
+
+   if [ -z $rs ]; then
+   warn $_me: you must specify a ruleset
+   return 1
+   fi
+   debug $_me: applying ruleset ($rs) to mount-point (${devdir#-m })
+   if ! /sbin/devfs $devdir rule -s $rs applyset ; then
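
Review bot: in devfs_init_rulesets, the Jail block adds its three include rules to $rsJail without the "delset" that the Hide, Basic and Login blocks each run first, so any rules already stored under that ruleset number survive and stack with the new ones; add "/sbin/devfs rule -s $rsJail delset" ahead of the includes. As the lines read here, the tests "[ -n $devfs_rulesets_init ]", "[ -n $2 ]" and "[ -z $rs ]" expand their variables unquoted, and with an empty value "[ -n ]" evaluates true, so the run-once guard would return before any ruleset is built; quote the expansions. None of the "/sbin/devfs rule" calls in devfs_init_rulesets has its exit status checked, yet devfs_rulesets_init=1 is set unconditionally, so a failure while building the hide ruleset would go unnoticed and a jail could later be given a ruleset that hides nothing. The hunk is cut off inside devfs_apply_ruleset, so the remaining added lines cannot be reviewed from what is shown.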

[PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-07-29 Thread Jens Rehsack
Hi all, hi Clement,

I updated the rcng jail start script to mount devfs and procfs
into the jail if wanted. Adding entries to /etc/fstab didn't
work properly, because the jail filesystem wasn't mounted when
the startup process wants to mount it.
Going this way allows us to control which jail could be used
via ssh (or another remote shell), too.
Any comments gladly welcome.

If it's useful for FreeBSD, I will write the rc.conf(5) update,
too. Please inform me to do this.
Regards,
Jens
--- etc/rc.d/jail.orig  Mon May  5 15:38:41 2003
+++ etc/rc.d/jail   Tue Jul 29 14:49:34 2003
@@ -53,6 +53,16 @@
eval jail_hostname=\\$jail_${_jail}_hostname\
eval jail_ip=\\$jail_${_jail}_ip\
eval jail_exec=\\$jail_${_jail}_exec\
+   eval jail_devfs=\\$jail_${_jail}_mount_devfs\
+   eval jail_procfs=\\$jail_${_jail}_mount_procfs\
+   if [ -n ${jail_devfs} ]  checkyesno jail_devfs ; then
+   echo Mounting devfs to ${jail_rootdir}/dev
+   mount -t devfs devfs ${jail_rootdir}/dev
+   fi;
+   if [ -n ${jail_procfs} ]  checkyesno jail_procfs ; then
+   echo Mounting procfs to ${jail_rootdir}/proc
+   mount -t procfs procfs ${jail_rootdir}/proc
+   fi;
[ -z ${jail_exec} ]  jail_exec=/bin/sh /etc/rc

jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
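
Review bot: the devfs mount in the jail_devfs branch is not followed by any ruleset, so ${jail_rootdir}/dev presents every device node the host devfs has to the jail; set and apply a restrictive ruleset on that mount point right after "mount -t devfs" and before the jail command on the last line runs. The exit status of both mount calls is ignored as well, so the jail is started even when a mount failed; check it and skip that jail on failure. The two new knobs, jail_<name>_mount_devfs and jail_<name>_mount_procfs, also need an rc.conf(5) entry and a default, since the hunk only acts when they are non-empty.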


Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-07-29 Thread Robert Watson

On Tue, 29 Jul 2003, Jens Rehsack wrote:

> I updated the rcng jail start script to mount devfs and procfs into the
> jail if wanted. Adding entries to /etc/fstab didn't work properly,
> because the jail filesystem wasn't mounted when the startup process
> wants to mount it.
>
> Going this way allows us to control which jail could be used via ssh (or
> another remote shell), too.
>
> Any comments gladly welcome.
>
> If it's useful for FreeBSD, I will write the rc.conf(5) update, too.
> Please inform me to do this.

Neat.

Someone, and unfortunately I appear to have lost track of who, had some
tweaks to the rcNG scripts to set up some reasonable devfs rules for a
jail, and apply them to the devfs mounted in a jail.  Otherwise, you risk
exposing undesired device nodes to the virtual environment.  I suspect a
search of the -current archives will turn up who, but I think a necessary
part of a solution here will be to make sure jails are set up with the
right devfs contents. 

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]  Network Associates Laboratories




Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-07-29 Thread Jens Rehsack
On 29.07.2003 18:47, Robert Watson wrote:

> On Tue, 29 Jul 2003, Jens Rehsack wrote:
>
>> I updated the rcng jail start script to mount devfs and procfs into the
>> jail if wanted. Adding entries to /etc/fstab didn't work properly,
>> because the jail filesystem wasn't mounted when the startup process
>> wants to mount it.
>>
>> Going this way allows us to control which jail could be used via ssh (or
>> another remote shell), too.
>>
>> Any comments gladly welcome.
>>
>> If it's useful for FreeBSD, I will write the rc.conf(5) update, too.
>> Please inform me to do this.
>
> Neat.

:-)

> Someone, and unfortunately I appear to have lost track of who, had some
> tweaks to the rcNG scripts to set up some reasonable devfs rules for a
> jail, and apply them to the devfs mounted in a jail.  Otherwise, you risk
> exposing undesired device nodes to the virtual environment.  I suspect a
> search of the -current archives will turn up who, but I think a necessary
> part of a solution here will be to make sure jails are set up with the
> right devfs contents.

Sorry, overseen. Scott W. Hetzel was the submitter, but it never got
committed. If you could be so kind, please :-) (of course, not without
proving it first)
Jens



Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-07-29 Thread Mike Makonnen
On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
> On 29.07.2003 18:47, Robert Watson wrote:
>
>> Someone, and unfortunately I appear to have lost track of who, had some
>> tweaks to the rcNG scripts to set up some reasonable devfs rules for a
>> jail, and apply them to the devfs mounted in a jail.  Otherwise, you risk
>> exposing undesired device nodes to the virtual environment.  I suspect a
>> search of the -current archives will turn up who, but I think a necessary
>> part of a solution here will be to make sure jails are set up with the
>> right devfs contents.
>
> Sorry, overseen. Scott W. Hetzel was the submitter, but it never got
> committed. If you could be so kind, please :-) (of course, not without
> proving it first)

Yeah, I'll take care of this. I had asked scott to mail me his final
patch so I could commit it, but I never heard back from him. I'll
dig out the revisions from my mail archives and combine the
two.

Cheers.
-- 
Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
[EMAIL PROTECTED] | D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
[EMAIL PROTECTED]| FreeBSD - Unleash the Daemon!


Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

2003-07-29 Thread Jens Rehsack
On 29.07.2003 19:21, Mike Makonnen wrote:

> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
> Yeah, I'll take care of this. I had asked scott to mail me his final
> patch so I could commit it, but I never heard back from him. I'll
> dig out the revisions from my mail archives and combine the
> two.

You can mail me the patch first, so that I can test it before you
commit it, if you want.
Jens
