authorcryx <cryx@h3q.com>2009-12-28 22:09:17 +0000
committercryx <cryx@h3q.com>2009-12-28 22:09:17 +0000
commit7fd24086946f90347adc59a61beec621b555bdd7 (patch)
treee1d0d6d2c973410fcb8dc06ba100eb4c4397aae4 /ezjail.sh
parent12cf0c4f2130411e6408433d411eae8ee21e6da2 (diff)
Support for setting and using jail-bound ZFS datasets, cpuset(1) and setfib(1).
Jail-bound ZFS datasets still need the usual zfs+jail stuff like security.jail.mount_allowed=1 and security.jail.enforce_statfs=0 as well as "add path zfs unhide" in the devfs.rules for the jail. The setfib utility requires FIBs to be enabled via kernel-config. All features need at least FreeBSD 7.1-RELEASE.
Diffstat (limited to 'ezjail.sh')
-rwxr-xr-xezjail.sh16
1 files changed, 16 insertions, 0 deletions
diff --git a/ezjail.sh b/ezjail.sh
index 6df6358..eb5e251 100755
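--- a/ezjail.sh
+++ b/ezjail.sh
@@ -65,6 +65,8 @@ do_cmd()
 eval ezjail_attachparams=\"\$jail_${ezjail}_attachparams\"
 eval ezjail_attachblocking=\"\$jail_${ezjail}_attachblocking\"
 eval ezjail_forceblocking=\"\$jail_${ezjail}_forceblocking\"
+eval ezjail_zfs_datasets=\"\$jail_${ezjail}_zfs_datasets\"
+eval ezjail_cpuset=\"\$jail_${ezjail}_cpuset\"
 
 # Do we still have a root to run in?
 [ ! -d "${ezjail_rootdir}" ] && echo " Warning: root directory ${ezjail_rootdir} of ${ezjail} does not exist." && continue
@@ -88,6 +90,20 @@ do_cmd()
 # Pass control to jail script which does the actual work
 [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass}
 
+if [ "${action}" = "start" ]; then
+ezjail_safename=`echo -n "${ezjail}" | tr -c '[:alnum:]' _`
+# Get the JID of the jail
+[ -f "/var/run/jail_${ezjail_safename}.id" ] && ezjail_id=`cat /var/run/jail_${ezjail_safename}.id` || return
+
+# Attach ZFS-datasets to the jail
+for zfs in ${ezjail_zfs_datasets}; do
+/sbin/zfs jail ${ezjail_id} ${zfs} ||Êecho -n "Error: ${zfs} could not be configured"
+done
+
+# Configure processor sets for the jail via cpuset(1)
+[ "${ezjail_cpuset}" ] && /usr/bin/cpuset -l ${ezjail_cpuset} -j ${ezjail_id} || echo -n "Error: The defined cpuset is malformed"
+fi
+
 # Can only detach after unmounting (from fstab.JAILNAME in /etc/rc.d/jail)
 attach_detach_post
 }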
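Review bot: The cpuset line in the second hunk, `[ "${ezjail_cpuset}" ] && /usr/bin/cpuset … || echo …`, prints "Error: The defined cpuset is malformed" for every jail that has no cpuset configured, because the `||` branch also runs when the leading test is false; it needs an `if`. The `|| return` on the JID lookup leaves do_cmd altogether, and since the first hunk's context uses `continue` this looks like a per-jail loop, so a missing id file would presumably skip `attach_detach_post` and every remaining jail. The `zfs jail` line as rendered has a stray non-ASCII character between `||` and `echo` (possibly a page-encoding artifact, but a non-breaking space in the file would turn the fallback into a command-not-found), and `${ezjail_id}`, `${zfs}` and `${ezjail_cpuset}` reach root-run commands unquoted. A failed dataset attach or cpuset call only prints to stdout without a newline and the jail keeps running without that confinement, so the messages should at least go to stderr and name the jail. do_cmd starts and ends outside the hunks shown; a rewrite of the start block follows.

```shell
if [ "${action}" = "start" ]; then
  # … unchanged: ezjail_safename assignment …
  # Only touch the jail when its id file exists; never leave do_cmd from here
  ezjail_idfile="/var/run/jail_${ezjail_safename}.id"
  if [ -f "${ezjail_idfile}" ]; then
    ezjail_id=$(cat "${ezjail_idfile}")

    # Attach ZFS datasets to the jail (the list is split on whitespace on purpose)
    for zfs in ${ezjail_zfs_datasets}; do
      /sbin/zfs jail "${ezjail_id}" "${zfs}" || echo "Error: ${zfs} could not be attached to ${ezjail}" >&2
    done

    # Apply a processor set only when one is defined for this jail
    if [ "${ezjail_cpuset}" ]; then
      /usr/bin/cpuset -l "${ezjail_cpuset}" -j "${ezjail_id}" || echo "Error: cpuset ${ezjail_cpuset} could not be applied to ${ezjail}" >&2
    fi
  fi
# … unchanged: closing fi, attach_detach_post …
```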