source: src-sh/warden/scripts/backend/startjail.sh

Last change on this file was e4da50e, checked in by Kris Moore <kris@…>, 5 months ago

Fix a bug in warden, use the specified default interface

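#!/bin/sh
# Script to startup a jail
# Args $1 = jail-name
#######################################################################
# The original first line read "#/bin/sh" (no "!"), so the file could not be
# run directly as an executable despite its 0755 mode; "#!/bin/sh" is the
# interpreter line the rest of the script (plain POSIX sh) expects.

# Location of the warden installation; everything else is resolved below it
PROGDIR="/usr/local/share/warden"

# Source our variables and helpers.  The functions used later in this script
# (get_bridge_interfaces, is_bridge_member, umountjailxfs, set_warden_metadir,
# ...) are not defined here, so they are presumably provided by this file.
. "${PROGDIR}/scripts/backend/functions.sh"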
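start_jail_vimage()
{
  #######################################
  # Start a VIMAGE (vnet) jail.
  #
  # Picks (or creates) a bridge that has ${IFACE} as a member, creates an
  # epair whose "a" side joins that bridge, starts the jail with "vnet",
  # moves the "b" side into the jail and configures its addresses and
  # default routes.  Finally the host is turned into a NAT router for the
  # jail via ipfw (IP forwarding sysctls, rc.conf firewall settings, nat
  # instance on ${IFACE}).
  #
  # Globals read:  IFACE MTU IP4 IPS4 IP6 IPS6 BRIDGEIP4 BRIDGEIPS4
  #                BRIDGEIP6 BRIDGEIPS6 GATEWAY4 GATEWAY6 JAILDIR HOST
  #                JAILNAME jFlags
  # Globals set:   BRIDGE EPAIRA EPAIRB JID (and JIP via get_ip_and_netmask)
  # Exits:         1 if jail(8) fails (after umountjailxfs "${JAILNAME}")
  #######################################

  BRIDGE=

  # See if we need to create a new bridge, or use an existing one that
  # already has ${IFACE} as a member.  The lists are whitespace separated,
  # so the loop variables are intentionally left unquoted.
  _bridges=$(get_bridge_interfaces)
  if [ -n "${_bridges}" ] ; then
     for _bridge in ${_bridges}
     do
        _members=$(get_bridge_members "${_bridge}")
        for _member in ${_members}
        do
           if [ "${_member}" = "${IFACE}" ] ; then
              BRIDGE=${_bridge}
              break
           fi
        done
        if [ -n "${BRIDGE}" ] ; then
           break
        fi
     done
  fi

  # No suitable bridge: create one with the same MTU as the host interface
  if [ -z "${BRIDGE}" ] ; then
     BRIDGE=$(ifconfig bridge create mtu "${MTU}")
  fi
  if [ -n "${IFACE}" ] ; then
     if ! is_bridge_member "${BRIDGE}" "${IFACE}" ; then
        ifconfig "${BRIDGE}" addm "${IFACE}"
     fi
  fi

  # create epair for vimage jail; side "a" stays on the host bridge
  EPAIRA=$(ifconfig epair create mtu "${MTU}")
  ifconfig "${EPAIRA}" up

  # The peer of epairNa is epairNb: swap the trailing "a" for "b"
  EPAIRB=$(echo "${EPAIRA}" | sed -E "s/([0-9])a$/\1b/g")
  ifconfig "${BRIDGE}" addm "${EPAIRA}" up

  # If no bridge specified, and IP4 is enabled, lets suggest one: the .254
  # host of the jail's first three octets (cut also drops any /prefix).
  if [ -z "$BRIDGEIP4" ] && [ -n "$IP4" ] ; then
     BRIDGEIP4="$(echo "$IP4" | cut -d '.' -f 1-3).254"
  fi

  # Bridge IPv4: primary address if the bridge has none yet, else an alias
  if [ -n "${BRIDGEIP4}" ] ; then
     if ! ipv4_configured "${BRIDGE}" ; then
        ifconfig "${BRIDGE}" inet "${BRIDGEIP4}"

     elif ! ipv4_address_configured "${BRIDGE}" "${BRIDGEIP4}" ; then
        ifconfig "${BRIDGE}" inet alias "${BRIDGEIP4}"
     fi
  fi
  if [ -n "${BRIDGEIPS4}" ] ; then
     for _ip in ${BRIDGEIPS4}
     do
        if ! ipv4_address_configured "${BRIDGE}" "${_ip}" ; then
           ifconfig "${BRIDGE}" inet alias "${_ip}"
        fi
     done
  fi

  # Bridge IPv6: same scheme as IPv4 above
  if [ -n "${BRIDGEIP6}" ] ; then
     if ! ipv6_configured "${BRIDGE}" ; then
        ifconfig "${BRIDGE}" inet6 "${BRIDGEIP6}"

     elif ! ipv6_address_configured "${BRIDGE}" "${BRIDGEIP6}" ; then
        ifconfig "${BRIDGE}" inet6 alias "${BRIDGEIP6}"
     fi
  fi
  if [ -n "${BRIDGEIPS6}" ] ; then
     for _ip in ${BRIDGEIPS6}
     do
        if ! ipv6_address_configured "${BRIDGE}" "${_ip}" ; then
           ifconfig "${BRIDGE}" inet6 alias "${_ip}"
        fi
     done
  fi

  # Start the jail now.  jFlags holds extra jail(8) parameters and is
  # deliberately unquoted so it splits into separate arguments.
  echo "jail -c path=${JAILDIR} host.hostname=${HOST} ${jFlags} persist vnet"
  if ! jail -c path="${JAILDIR}" host.hostname="${HOST}" ${jFlags} persist vnet ; then
     echo "ERROR: Failed starting jail with above command..."
     umountjailxfs "${JAILNAME}"
     exit 1
  fi

  # Look up the jail id by its path (jls prints "JID IP Hostname Path")
  JID="$(jls | grep "${JAILDIR}$" | tr -s " " | cut -d " " -f 2)"

  # Move epairb into jail
  ifconfig "${EPAIRB}" vnet "${JID}"

  # Configure the IPv4 addresses
  if [ -n "${IP4}" ] ; then
     echo "Setting IP4 address: ${IP4}"
     jexec "${JID}" ifconfig "${EPAIRB}" inet "${IP4}"
  fi
  for ip4 in ${IPS4}
  do
     # First address becomes the primary one, later ones are aliases
     if ipv4_configured "${EPAIRB}" "${JID}" ; then
        if ! ipv4_address_configured "${EPAIRB}" "${ip4}" "${JID}" ; then
           jexec "${JID}" ifconfig "${EPAIRB}" inet alias "${ip4}"
        fi
     else
        jexec "${JID}" ifconfig "${EPAIRB}" inet "${ip4}"
     fi
  done

  # Configure the IPv6 addresses
  if [ -n "${IP6}" ] ; then
     echo "Setting IP6 address: ${IP6}"
     # The primary IPv6 address is IP6 (this line used to pass IP4 to inet6)
     jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${IP6}"
  fi
  for ip6 in ${IPS6}
  do
     if ipv6_configured "${EPAIRB}" "${JID}" ; then
        if ! ipv6_address_configured "${EPAIRB}" "${ip6}" "${JID}" ; then
           jexec "${JID}" ifconfig "${EPAIRB}" inet6 alias "${ip6}"
        fi
     else
        jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${ip6}"
     fi
  done

  #
  # Configure default IPv4 gateway
  #
  if [ -n "${GATEWAY4}" ] ; then
     jexec "${JID}" route add -inet default "${GATEWAY4}"

  #
  # No defaultrouter configured for IPv4, so if bridge IP address was
  # configured, we set the default router to that IP (get_ip_and_netmask
  # strips the prefix into JIP).
  #
  elif [ -n "${BRIDGEIP4}" ] ; then
     get_ip_and_netmask "${BRIDGEIP4}"
     jexec "${JID}" route add -inet default "${JIP}"
  fi

  #
  # Configure default IPv6 gateway
  #
  if [ -n "${GATEWAY6}" ] ; then
     jexec "${JID}" route add -inet6 default "${GATEWAY6}"

  #
  # No defaultrouter configured for IPv6, so if bridge IP address was
  # configured, we set the default router to that IP.
  #
  elif [ -n "${BRIDGEIP6}" ] ; then
     get_ip_and_netmask "${BRIDGEIP6}"
     jexec "${JID}" route add -inet6 default "${JIP}"
  fi

  #
  # Set ourself to be a jail router with NAT. Don't
  # use PF since it will panic the box when used
  # with VIMAGE.
  #
  ip_forwarding=$(sysctl -n net.inet.ip.forwarding)
  if [ "${ip_forwarding}" = "0" ] ; then
     sysctl net.inet.ip.forwarding=1
  fi

  ip6_forwarding=$(sysctl -n net.inet6.ip6.forwarding)
  if [ "${ip6_forwarding}" = "0" ] ; then
     sysctl net.inet6.ip6.forwarding=1
  fi

  # ipfw NAT below needs ipfw enabled with the "open" ruleset; if rc.conf
  # says otherwise it is rewritten.  Note this replaces whatever host
  # firewall policy was configured with an all-open ruleset.
  firewall_enable=$(egrep '^firewall_enable' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g')
  firewall_type=$(egrep '^firewall_type' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g')

  if [ "${firewall_enable}" != "YES" ] || [ "${firewall_type}" != "open" ] ; then
     tmp_rcconf=$(mktemp /tmp/.wdn.XXXXXX)
     egrep -v '^firewall_(enable|type)' /etc/rc.conf >> "${tmp_rcconf}"

     cat<<__EOF__>>"${tmp_rcconf}"
firewall_enable="YES"
firewall_type="open"
__EOF__

     if [ -s "${tmp_rcconf}" ] ; then
        # Back up to a fresh mktemp name instead of the fixed, predictable
        # /var/tmp/rc.conf.bak: /var/tmp is world-writable, so a pre-placed
        # symlink at a known name would be followed by cp (running as root)
        # and moved back over /etc/rc.conf on the failure path below.
        rcconf_bak=$(mktemp /var/tmp/rc.conf.bak.XXXXXX)
        cp /etc/rc.conf "${rcconf_bak}"
        # NOTE(review): mktemp creates the file mode 0600, so /etc/rc.conf
        # ends up 0600 after this mv (same as before this change) -- confirm
        # nothing unprivileged needs to read it.
        if ! mv "${tmp_rcconf}" /etc/rc.conf ; then
           mv "${rcconf_bak}" /etc/rc.conf
        fi
     fi
     /etc/rc.d/ipfw forcerestart
  fi

  # Add a NAT instance on ${IFACE} unless one already exists
  instance=$(get_ipfw_nat_instance "${IFACE}")
  if [ -z "${instance}" ] ; then
     priority=$(get_ipfw_nat_priority)
     instance=$(get_ipfw_nat_instance)

     ipfw "${priority}" add nat "${instance}" all from any to any
     ipfw nat "${instance}" config if "${IFACE}" reset
  fi
# End of jail VIMAGE startup function
}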
# Function to start a jail up the normal way (no VIMAGE)
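start_jail_standard()
{
  #######################################
  # Start a non-VIMAGE jail.
  #
  # Every jail address is added as an alias on the host's ${IFACE} and
  # passed to jail(8) as ip4.addr= / ip6.addr= parameters.
  #
  # Globals read:  IP4 IPS4 IP6 IPS6 IFACE JAILDIR HOST JAILNAME jFlags
  # Globals set:   JID
  # Exits:         1 if jail(8) fails (after umountjailxfs "${JAILNAME}")
  #######################################

  # Start from an empty parameter list rather than whatever _ipflags may
  # already hold in the environment
  _ipflags=""

  # Check for primary IPV4 / IPV6
  if [ -n "$IP4" ] ; then
    _ipflags="ip4.addr=${IP4}"
    ifconfig "$IFACE" inet alias "${IP4}"
  fi
  if [ -n "$IP6" ] ; then
    _ipflags="${_ipflags} ip6.addr=${IP6}"
    ifconfig "$IFACE" inet6 alias "${IP6}"
  fi

  # Setup the extra IP4s for this jail (IPS4 is a whitespace separated list)
  for _ip in $IPS4
  do
    ifconfig "$IFACE" inet alias "${_ip}"
    _ipflags="${_ipflags} ip4.addr=${_ip}"
  done

  # Setup the extra IP6s for this jail
  for _ip in $IPS6
  do
    ifconfig "$IFACE" inet6 alias "${_ip}"
    _ipflags="${_ipflags} ip6.addr=${_ip}"
  done

  # _ipflags and jFlags are deliberately unquoted: both are lists of
  # separate jail(8) parameters
  echo "jail -c path=${JAILDIR} ${_ipflags} host.hostname=${HOST} ${jFlags} persist"
  if ! jail -c path="${JAILDIR}" ${_ipflags} host.hostname="${HOST}" ${jFlags} persist ; then
     echo "ERROR: Failed starting jail with above command..."
     umountjailxfs "${JAILNAME}"
     exit 1
  fi

  # Look up the jail id by its path (jls prints "JID IP Hostname Path")
  JID="$(jls | grep "${JAILDIR}$" | tr -s " " | cut -d " " -f 2)"

}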
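# --- Argument / environment checks -------------------------------------
# $1 is the jail name; JDIR (parent directory of all jails) and JMETADIR
# (the jail's metadata directory) are expected to be in the environment.
JAILNAME="${1}"

if [ -z "${JAILNAME}" ]
then
  echo "ERROR: No jail specified to start!"
  exit 5
fi

if [ -z "${JDIR}" ]
then
  echo "ERROR: JDIR is unset!!!!"
  exit 5
fi

JAILDIR="${JDIR}/${JAILNAME}"

if [ ! -d "${JAILDIR}" ]
then
  echo "ERROR: No jail located at ${JAILDIR}"
  exit 5
fi

# Make sure the jail is NOT already running (matched by its path in jls output)
if jls | grep "${JAILDIR}$" >/dev/null 2>/dev/null
then
  echo "ERROR: Jail appears to be running already!"
  exit 6
fi

# --- Network interface -------------------------------------------------
IFACE=

# Set to 1 when the interface was auto-detected; not read anywhere in this file
DEFAULT=0

# Make sure jail uses special interface if specified, else $NIC, else the
# system default route interface
if [ -e "${JMETADIR}/iface" ] ; then
  IFACE=$(cat "${JMETADIR}/iface")
fi
if [ -z "${IFACE}" ] ; then
  if [ -n "$NIC" ] ; then
    IFACE="$NIC"
  else
    IFACE=$(get_default_interface)
    DEFAULT=1
  fi
fi
if [ -z "${IFACE}" ] ; then
  echo "ERROR: no interface specified and a default doesn't exist!"
  exit 6
fi

# MTU of the host interface; bridge/epair devices are created with the same value
MTU=$(ifconfig "${IFACE}" | head -1 | sed -E 's/.*mtu ([0-9]+)/\1/g')

# --- Gateways and bridge addresses (VIMAGE jails) ----------------------
GATEWAY4=
if [ -e "${JMETADIR}/defaultrouter-ipv4" ] ; then
  GATEWAY4=$(cat "${JMETADIR}/defaultrouter-ipv4")
fi
GATEWAY6=
if [ -e "${JMETADIR}/defaultrouter-ipv6" ] ; then
  GATEWAY6=$(cat "${JMETADIR}/defaultrouter-ipv6")
fi

BRIDGEIP4=
if [ -e "${JMETADIR}/bridge-ipv4" ] ; then
  BRIDGEIP4=$(cat "${JMETADIR}/bridge-ipv4")
fi

# One address per line in the alias files; collected into a space separated list
BRIDGEIPS4=
if [ -e "${JMETADIR}/alias-bridge-ipv4" ] ; then
  while read -r line
  do
    BRIDGEIPS4="${BRIDGEIPS4} $line"
  done < "${JMETADIR}/alias-bridge-ipv4"
fi

BRIDGEIP6=
if [ -e "${JMETADIR}/bridge-ipv6" ] ; then
  BRIDGEIP6=$(cat "${JMETADIR}/bridge-ipv6")
fi

BRIDGEIPS6=
if [ -e "${JMETADIR}/alias-bridge-ipv6" ] ; then
  while read -r line
  do
    BRIDGEIPS6="${BRIDGEIPS6} $line"
  done < "${JMETADIR}/alias-bridge-ipv6"
fi

# Check if we need to enable vnet
VIMAGEENABLE="NO"
if [ -e "${JMETADIR}/vnet" ] ; then
  VIMAGEENABLE="YES"
fi

# NOTE(review): JMETADIR has already been used above (iface, defaultrouter-*,
# bridge-*) before set_warden_metadir is called here -- confirm the caller
# exports JMETADIR, or that this call does not change it.
set_warden_metadir

# LINUXJAIL is only ever set to YES here; any other value means a FreeBSD jail
if [ -e "${JMETADIR}/jail-linux" ] ; then
   LINUXJAIL="YES"
fi

HOST="$(cat "${JMETADIR}/host")"

# --- Jail filesystems --------------------------------------------------
# Each mount is skipped when the mountpoint lives under a symlink
if is_symlinked_mountpoint "${JAILDIR}/dev"; then
   echo "${JAILDIR}/dev has symlink as parent, not mounting"
else
   mount -t devfs devfs "${JAILDIR}/dev"
fi

if [ "$LINUXJAIL" = "YES" ] ; then
  # Linux Jail
  if is_symlinked_mountpoint "${JAILDIR}/proc"; then
     echo "${JAILDIR}/proc has symlink as parent, not mounting"
  else
     mount -t linprocfs linproc "${JAILDIR}/proc"
  fi
  if is_symlinked_mountpoint "${JAILDIR}/dev/fd"; then
     echo "${JAILDIR}/dev/fd has symlink as parent, not mounting"
  else
     mount -t fdescfs null "${JAILDIR}/dev/fd"
  fi
  if is_symlinked_mountpoint "${JAILDIR}/sys"; then
     echo "${JAILDIR}/sys has symlink as parent, not mounting"
  else
     mount -t linsysfs linsys "${JAILDIR}/sys"
  fi
  if [ -e "${JAILDIR}/lib/init/rw" ] ; then
    if is_symlinked_mountpoint "${JAILDIR}/lib/init/rw"; then
       echo "${JAILDIR}/lib/init/rw has symlink as parent, not mounting"
    else
       mount -t tmpfs tmpfs "${JAILDIR}/lib/init/rw"
    fi
  fi
else
  # FreeBSD Jail
  if is_symlinked_mountpoint "${JAILDIR}/proc"; then
     echo "${JAILDIR}/proc has symlink as parent, not mounting"
  else
     mount -t procfs proc "${JAILDIR}/proc"
  fi

  if [ -e "${JMETADIR}/jail-portjail" ] ; then mountjailxfs "${JAILNAME}" ; fi
fi

# Check for user-supplied mounts
if [ -e "${JMETADIR}/fstab" ] ; then
   echo "Mounting user-supplied file-systems"
   # Use mktemp (as the rc.conf rewrite elsewhere in this script does) rather
   # than the old /tmp/.wardenfstab.$$: a PID-based name in /tmp is
   # predictable, and this file is handed to mount(8) running as root.
   _fstab=$(mktemp /tmp/.wardenfstab.XXXXXX)
   cp "${JMETADIR}/fstab" "${_fstab}"
   sed -i '' "s|%%JAILDIR%%|${JAILDIR}|g" "${_fstab}"
   mount -a -F "${_fstab}"
   rm "${_fstab}"
fi

# --- Jail addresses ----------------------------------------------------
IP4=
if [ -e "${JMETADIR}/ipv4" ] ; then
  IP4=$(cat "${JMETADIR}/ipv4")

  # Check if somebody snuck in a IP without / on it
  case "${IP4}" in
    */*) ;;
    *) IP4="${IP4}/24" ;;
  esac
fi

IPS4=
if [ -e "${JMETADIR}/alias-ipv4" ] ; then
  while read -r line
  do
    IPS4="${IPS4} $line"
  done < "${JMETADIR}/alias-ipv4"
fi

IP6=
if [ -e "${JMETADIR}/ipv6" ] ; then
  IP6=$(cat "${JMETADIR}/ipv6")
  # Check if somebody snuck in a IP without / on it
  case "${IP6}" in
    */*) ;;
    *) IP6="${IP6}/64" ;;
  esac
fi

IPS6=
if [ -e "${JMETADIR}/alias-ipv6" ] ; then
  while read -r line
  do
    IPS6="${IPS6} $line"
  done < "${JMETADIR}/alias-ipv6"
fi

jFlags=""
# Grab any additional jail flags (extra jail(8) parameters, one line)
if [ -e "${JMETADIR}/jail-flags" ] ; then
  jFlags=$(cat "${JMETADIR}/jail-flags")
fi

# --- Start the jail ----------------------------------------------------
# Are we using VIMAGE, if so start it up!  Both functions set JID.
if [ "$VIMAGEENABLE" = "YES" ] ; then
  start_jail_vimage
else
  # Using a standard jail configuration
  start_jail_standard
fi

# Run the jail's init.  A custom start script (jail-start) takes precedence
# for both jail types; sCmd is deliberately unquoted so that jexec receives
# the command and its arguments as separate words.
if [ -e "${JMETADIR}/jail-start" ] ; then
  sCmd=$(cat "${JMETADIR}/jail-start")
  echo "Starting jail with: ${sCmd}"
  jexec "${JID}" ${sCmd} 2>&1
elif [ "$LINUXJAIL" = "YES" ] ; then
  # Check for different init styles
  if [ -e "${JAILDIR}/etc/init.d/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/init.d/rc 3 2>&1
  elif [ -e "${JAILDIR}/etc/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/rc 3 2>&1
  fi
else
  echo "Starting jail with: /etc/rc"
  jexec "${JID}" /bin/sh /etc/rc 2>&1
fi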
484