#
e0dfe185 |
|
17-Jan-2024 |
Alexander Leidinger <netchild@FreeBSD.org> |
jail(8): add support for ZFS datasets Add zfs.dataset to jail(8) to add a list of ZFS datasets. Bump FreeBSD version for jail managers to switch to native dataset support. Datasets are attached to the jail after the jail creation and before the execution of any start command. Unlike current implementations in jail managers which attach datasets after the start command, this allows the zfs rc.d script to mount the datasets on start. Discussed with: jamie
|
#
4d65a7c6 |
|
24-Nov-2023 |
Warner Losh <imp@FreeBSD.org> |
usr.sbin: Automated cleanup of cdefs and other formatting
Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
|
#
1d386b48 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
4d846d26 |
|
10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause. Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
#
e8d7ae91 |
|
14-Dec-2022 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: fix a NULL pointer dereference in parsing ip6.addr settings. This is the counterpart to bd24e861b4ef, which did the same for ip4. PR: 268377 Reported by: ahkithaama at proton.me
|
#
466df976 |
|
04-Mar-2021 |
Kyle Evans <kevans@FreeBSD.org> |
jail(8): reset to root cpuset before attaching to run commands Recent changes have made it such that attaching to a jail will augment the attaching process' cpu mask with the jail's cpuset. While this is convenient for allowing the administrator to cpuset arbitrary programs that will attach to a jail, this is decidedly not convenient for executing long-running daemons during jail creation. This change inserts a reset of the process cpuset to the root cpuset between the fork and attach to execute a command. This allows commands executed to have the widest mask possible, and the administrator can cpuset(1) it back down inside the jail as needed. With this applied, one should be able to change a jail's cpuset at exec.poststart in addition to exec.created. The former was made difficult if jail(8) itself was running with a constrained set, as then some processes may have been spawned inside the jail with a non-root set. The latter is the preferred option so that processes starting in the jail are constrained appropriately up front. Note that all system commands are still run with the process' initial cpuset applied. PR: 253724 MFC after: 3 days Reviewed by: jamie Differential Revision: https://reviews.freebsd.org/D29008
|
#
66005c45 |
|
14-May-2020 |
Ryan Moeller <freqlabs@FreeBSD.org> |
jail: Add exec.prepare and exec.release command hooks This change introduces new jail command hooks that run before and after any other actions. The exec.prepare hook can be used for example to invoke a script that checks if the jail's root exists, creating it if it does not. Since arbitrary variables in jail.conf can be passed to the command, it can be pretty useful for templating jails. An example use case for exec.release would be to remove the filesystem of an ephemeral jail. The names "prepare" and "release" are borrowed from the names of similar hooks in libvirt. Reviewed by: jamie, manpages, mmacy Approved by: mmacy (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24829
|
#
be659d72 |
|
18-Jan-2019 |
Dmitry Morozovsky <marck@FreeBSD.org> |
Clarify error messages a bit. X-Found-With: r343112 MFC after: 1 month
|
#
bd24e861 |
|
17-Jan-2019 |
Eugene Grosbein <eugen@FreeBSD.org> |
jail(8): stop crashing with SIGSEGV inside run_command() function while processing not entirely correct jail.conf(5) file having something like "ip4.addr = 127.0.0.1;" and no "ip4 = ...;" so extrap variable stays NULL. Reported by: marck MFC after: 1 month
|
#
f6c0e63b |
|
15-Aug-2018 |
Alexander Leidinger <netchild@FreeBSD.org> |
- Add exec hook "exec.created". This is called when the jail is created and before exec.start is called. [1]
- Bump __FreeBSD_version.
This allows to attach ZFS datasets and various other things to be done before any command/service/rc-script is started in the new jail.
PR: 228066 [1] Reviewed by: jamie [1] Submitted by: Stefan Grönke <stefan@gronke.net> [1] Differential Revision: https://reviews.freebsd.org/D15330 [1]
|
#
1de7b4b8 |
|
27-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
various: general adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts. No functional change intended.
|
#
72130735 |
|
10-Nov-2017 |
Ed Maste <emaste@FreeBSD.org> |
Strip EOL whitespace in usr.sbin/{jail,jexec}
|
#
4c86c0fa |
|
14-Jul-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix up the order in which jail creation processes are run, to preserve the config file's order in the non-parallel-start case. PR: 209112 MFC after: 3 days
|
#
a99d8210 |
|
24-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Make jail(8) interpret escape codes in fstab the same as getfsent(3). PR: 208663 MFC after: 3 days
|
#
fcc43d06 |
|
16-Jan-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Clear errno before calling getpw*.
|
#
463a577b |
|
20-Oct-2015 |
Eitan Adler <eadler@FreeBSD.org> |
Fix a ton of speelling errors arc lint is helpful Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com Differential Revision: https://reviews.freebsd.org/D3337
|
#
07a7869f |
|
06-Feb-2015 |
Jamie Gritton <jamie@FreeBSD.org> |
Add mount.procfs jail parameter, so procfs can be mounted when a prison's root is in its fstab. Also fix a typo while I'm at it. PR: 197237 197066 MFC after: 3 days
|
#
eb28afe4 |
|
18-Dec-2014 |
Jamie Gritton <jamie@FreeBSD.org> |
Setgid before running a command as a specified user. Previously only initgroups(3) was called, which isn't quite enough. This brings jail(8) in line with jexec(8), which was already doing the right thing. PR: 195984 MFC after: 1 week
|
#
d031802b |
|
25-Nov-2014 |
Jamie Gritton <jamie@FreeBSD.org> |
In preparation for using clang's -Wcast-qual: Use __DECONST (instead of my own attempted re-invention) for the iov parameters to jail_get/set(2). Similarly remove the deconst-ish hack from execvp's argv, except the __DECONST is only added at very end. While I'm at it, remove an unused variable and fix a comment typo.
|
#
b22b6abd |
|
04-Aug-2014 |
Steven Hartland <smh@FreeBSD.org> |
Added support for extra ifconfig args to jail ip4.addr & ip6.addr params This allows for CARP interfaces to be used in jails e.g. ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100" Before this change using exec.prestart to configure a CARP address would result in the wrong MAC being broadcast on startup as jail creates IP aliases to support ip[4|6].addr before exec.prestart is executed. PR: 191832 Reviewed by: jamie MFC after: 1 week X-MFC-With: r269340 Phabric: D528 Sponsored by: Multiplay
|
#
fbd868c9 |
|
12-Oct-2013 |
Hiroki Sato <hrs@FreeBSD.org> |
- Add mount.fdescfs parameter to jail(8). This is similar to mount.devfs but mounts fdescfs. The mount happens just after mount.devfs.
- rc.d/jail now displays whole error message from jail(8) when a jail fails to start.
Approved by: re (gjb)
|
#
bea2eefc |
|
28-Mar-2013 |
Jamie Gritton <jamie@FreeBSD.org> |
Reverse the order of some implicit commands (FS mounts and ifconfigs) when stopping jails. This matters particularly for nested filesystem mounts. PR: kern/177325 Submitted by: Harald Schmalzbauer MFC after: 3 days
|
#
e5935495 |
|
14-Feb-2013 |
Jamie Gritton <jamie@FreeBSD.org> |
Handle (ignore) when a process disappears before it can be tracked.
|
#
a6486f60 |
|
28-May-2012 |
Jamie Gritton <jamie@FreeBSD.org> |
When writing the jid via the -i flag, do it right when the jail is created, before any commands run. /etc/rc.d/jail depends on this.
|
#
8632fa3e |
|
24-May-2012 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't try to set a null TERM environment. Submitted by: Mateusz Guzik <mjguzik gmail.com>
|
#
6fcbac3c |
|
03-May-2012 |
Jamie Gritton <jamie@FreeBSD.org> |
Add a meta-parameter IP__NULL to enum intparam, instead of mixing enum values and zeroes. This keeps clang happy (and is just good form). Submitted by: dim
|
#
0c4d49e9 |
|
27-Feb-2012 |
Jamie Gritton <jamie@FreeBSD.org> |
Use the devfs_ruleset parameter when mounting a jail's /dev, instead of a mount.devfs.ruleset pseudo-parameter.
|
#
1ca35de4 |
|
08-Feb-2012 |
Jamie Gritton <jamie@FreeBSD.org> |
Improvements in error messages: Some errors printed the jail name for unnamed (command line) jails. Attempting to create an already-existing jail from the command line returned with no error (even for non-root) due to bad logic in start_state. Ignore kvm_proc errors, which are typically caused by permission problems. Instead, stop ignoring permission errors when removing a jail (but continue to silently ignore other errors, i.e. the jail no longer existing). This makes non-root attempts at removing a jail give a clearer error message.
|
#
eadec913 |
|
06-Jul-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't report errors for the exit status of processes that are killed as part of jail removal (IP_STOP_TIMEOUT). Note a jail as "removed" even if it wasn't jail_remove() that did the deed, e.g. if it already went away because all its processes were killed.
|
#
60080230 |
|
22-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Advance to the next command before running anything, so errors found in finish_command can be processed properly. Call failed() once in next_command() instead of multiple times in run_command(). Continue processing commands when a no-wait operation (IP__OP or background command) succeeds.
|
#
c6eff841 |
|
21-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix a couple of NULL dereferences.
|
#
5fb611c2 |
|
20-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Following r222465: Check for IPv4 or IPv6 to be available by the kernel to not provoke errors trying to query options not available. Make it possible to compile out INET or INET6 only parts.
|
#
e16fb8fb |
|
20-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Linty stuff.
|
#
2b00f7ba |
|
18-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Move the actual create/remove (IP__OP) handling into run_command, at the cost of an ugly single-use global variable.
|
#
d8352076 |
|
17-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Update copyright dates and other whitespacey stuff.
|
#
3b40332c |
|
17-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Split run_command up into an outer function (next_command) that chooses a single command string to run, and an inner function (run_command) that runs that single string. Move the list of start/stop commands to run from a switch statement into an array, with a new placeholder parameter IP__OP for actually creating or removing the jail. When jail creation fails, revert all non-exec commands in reverse order.
|
#
2a194551 |
|
17-Jun-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Change cfstrings from an STAILQ into a TAILQ to allow commands to be traversed in reverse order.
|
#
aa02af54 |
|
10-Dec-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
run_command (mostly) cleanup: Make the parallelism limit a global instead of always passing it to run_command and finish_command. In the case of an empty command string, try to run any other strings the command may have. Replace JF_BACKGROUND with its sort-of opposite JF_SLEEPQ. Change j->comstring earlier to render JF_RUNQ unnecessary. Change the if-else series to a more readable switch statement. Treat IP_STOP_TIMEOUT like a command, calling run_command which then calls term_procs. When the IP_STOP_TIMEOUT "command" finishes, it shouldn't mess with the parallelism limit. Make sufficient checks in finish_command and run_command so that the nonintuitive j->comstring null check isn't necessary to run them. Rename the "waiting" queue to "depend", because the "sleeping" and "runnable" queues are also used to wait for something.
|
#
5264032f |
|
04-Nov-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Check unmounts for a mount point of the right FS type.
|
#
8ebbf0e2 |
|
04-Nov-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Check paths for security:
- path must be absolute.
- mount paths must exist and have no symlinks beyond the jail's path itself.
- consolelog must exist (apart from the final component) and have no symlinks beyond the jail's path itself.
|
#
52a49622 |
|
04-Nov-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Read the mount.fstab file, and put its lines separately into the IP__MOUNT_FROM_FSTAB internal parameter.
|
#
2671ee73 |
|
20-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Initial work on the new jail(8). There are more features to add, and some cleaning up to do on existing features, but this is pretty much what the final product will look like.
|