source: src-sh/warden/scripts/backend/startjail.sh

Last change on this file was 3e1557a, checked in by William Katsak <wkatsak@…>, 5 months ago

Don't let warden guess ipv4 bridge addr if none configured

If user does not specify a bridge address, don't configure one.

Signed-off-by: William Katsak <wkatsak@…>

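#!/bin/sh
# Script to startup a jail
# Args $1 = jail-name
#######################################################################
# The interpreter line above was "#/bin/sh" (no '!'): that is only a comment,
# so the script ran under whatever shell happened to invoke it.

# Where the warden scripts live
PROGDIR="/usr/local/share/warden"

# Source our shared functions and variables (quoted so a PROGDIR with
# spaces is still one word)
. "${PROGDIR}/scripts/backend/functions.sh"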
11
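#######################################
# Start the jail with VIMAGE (vnet) networking.
# Finds (or creates) a bridge holding IFACE, creates an epair whose "a" end
# joins that bridge and whose "b" end is moved into the jail, then applies
# the jail's addresses and default routes. With NAT_ENABLE=true the host is
# also turned into an ipfw NAT router for the jail.
# Globals (read):    IFACE MTU BRIDGEIP4 BRIDGEIPS4 BRIDGEIP6 BRIDGEIPS6
#                    JAILDIR HOST jFlags JAILNAME IP4 IPS4 IP6 IPS6
#                    GATEWAY4 GATEWAY6 NAT_ENABLE
# Globals (written): BRIDGE EPAIRA EPAIRB JID (JIP via get_ip_and_netmask)
# Exits 1 after umountjailxfs if jail(8) fails to start the jail.
#######################################
start_jail_vimage()
{
  BRIDGE=

  # Reuse an existing bridge that already has IFACE as a member
  _bridges=$(get_bridge_interfaces)
  for _bridge in ${_bridges}
  do
    _members=$(get_bridge_members "${_bridge}")
    for _member in ${_members}
    do
      if [ "${_member}" = "${IFACE}" ] ; then
        BRIDGE="${_bridge}"
        break
      fi
    done
    if [ -n "${BRIDGE}" ] ; then
      break
    fi
  done

  # No bridge holds IFACE yet: create one with the same MTU as IFACE
  if [ -z "${BRIDGE}" ] ; then
    BRIDGE=$(ifconfig bridge create mtu "${MTU}")
  fi
  if [ -n "${IFACE}" ] ; then
    if ! is_bridge_member "${BRIDGE}" "${IFACE}" ; then
      ifconfig "${BRIDGE}" addm "${IFACE}"
    fi
  fi

  # Create the epair for the vimage jail; the "a" end stays on the host
  # bridge, the "b" end (same name with a trailing 'b') goes into the jail
  EPAIRA=$(ifconfig epair create mtu "${MTU}")
  ifconfig "${EPAIRA}" up
  EPAIRB=$(echo "${EPAIRA}" | sed -E "s/([0-9])a$/\1b/g")
  ifconfig "${BRIDGE}" addm "${EPAIRA}" up

  # Bridge IPv4: primary address first, then any alias not already present
  if [ -n "${BRIDGEIP4}" ] ; then
    if ! ipv4_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet "${BRIDGEIP4}"
    elif ! ipv4_address_configured "${BRIDGE}" "${BRIDGEIP4}" ; then
      ifconfig "${BRIDGE}" inet alias "${BRIDGEIP4}"
    fi
  fi
  for _ip in ${BRIDGEIPS4}
  do
    if ! ipv4_address_configured "${BRIDGE}" "${_ip}" ; then
      ifconfig "${BRIDGE}" inet alias "${_ip}"
    fi
  done

  # Bridge IPv6, same scheme
  if [ -n "${BRIDGEIP6}" ] ; then
    if ! ipv6_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet6 "${BRIDGEIP6}"
    elif ! ipv6_address_configured "${BRIDGE}" "${BRIDGEIP6}" ; then
      ifconfig "${BRIDGE}" inet6 alias "${BRIDGEIP6}"
    fi
  fi
  for _ip in ${BRIDGEIPS6}
  do
    if ! ipv6_address_configured "${BRIDGE}" "${_ip}" ; then
      ifconfig "${BRIDGE}" inet6 alias "${_ip}"
    fi
  done

  # Start the jail now. jFlags is intentionally unquoted: it holds
  # whitespace-separated jail(8) parameters read from the jail's metadata.
  echo "jail -c path=${JAILDIR} host.hostname=${HOST} ${jFlags} persist vnet"
  if ! jail -c path="${JAILDIR}" host.hostname="${HOST}" ${jFlags} persist vnet ; then
    echo "ERROR: Failed starting jail with above command..."
    umountjailxfs "${JAILNAME}"
    exit 1
  fi

  # Jail id: the jls line whose path column ends in JAILDIR. JAILDIR is
  # quoted but still a regex, so '.' in the path matches any character.
  JID=$(jls | grep "${JAILDIR}\$" | tr -s " " | cut -d " " -f 2)

  # Move epairb into jail
  ifconfig "${EPAIRB}" vnet "${JID}"

  # Configure the IPv4 addresses inside the jail
  if [ -n "${IP4}" ] ; then
    echo "Setting IP4 address: ${IP4}"
    jexec "${JID}" ifconfig "${EPAIRB}" inet "${IP4}"
  fi
  for ip4 in ${IPS4}
  do
    # presumably the second argument tells the helper to look inside jail JID
    if ipv4_configured "${EPAIRB}" "${JID}" ; then
      if ! ipv4_address_configured "${EPAIRB}" "${ip4}" "${JID}" ; then
        jexec "${JID}" ifconfig "${EPAIRB}" inet alias "${ip4}"
      fi
    else
      jexec "${JID}" ifconfig "${EPAIRB}" inet "${ip4}"
    fi
  done

  # Configure the IPv6 addresses inside the jail
  if [ -n "${IP6}" ] ; then
    echo "Setting IP6 address: ${IP6}"
    # Fixed: this passed ${IP4} to "inet6", so the primary IPv6 address
    # was never applied and the IPv4 one was handed to the wrong family
    jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${IP6}"
  fi
  for ip6 in ${IPS6}
  do
    if ipv6_configured "${EPAIRB}" "${JID}" ; then
      if ! ipv6_address_configured "${EPAIRB}" "${ip6}" "${JID}" ; then
        jexec "${JID}" ifconfig "${EPAIRB}" inet6 alias "${ip6}"
      fi
    else
      jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${ip6}"
    fi
  done

  #
  # Configure default IPv4 gateway. Without an explicit defaultrouter,
  # fall back to the bridge's own IPv4 address (JIP set by get_ip_and_netmask).
  #
  if [ -n "${GATEWAY4}" ] ; then
    jexec "${JID}" route add -inet default "${GATEWAY4}"
  elif [ -n "${BRIDGEIP4}" ] ; then
    get_ip_and_netmask "${BRIDGEIP4}"
    jexec "${JID}" route add -inet default "${JIP}"
  fi

  #
  # Configure default IPv6 gateway, same fallback to the bridge address
  #
  if [ -n "${GATEWAY6}" ] ; then
    jexec "${JID}" route add -inet6 default "${GATEWAY6}"
  elif [ -n "${BRIDGEIP6}" ] ; then
    get_ip_and_netmask "${BRIDGEIP6}"
    jexec "${JID}" route add -inet6 default "${JIP}"
  fi

  #
  # If enabled in warden.conf, set ourself to be a jail
  # router with NAT. Don't use PF since it will panic the
  # box when used with VIMAGE.
  # ('=' not '==': this script runs under /bin/sh.)
  #
  if [ "${NAT_ENABLE}" = "true" ] ; then
    ip_forwarding=$(sysctl -n net.inet.ip.forwarding)
    if [ "${ip_forwarding}" = "0" ] ; then
      sysctl net.inet.ip.forwarding=1
    fi

    ip6_forwarding=$(sysctl -n net.inet6.ip6.forwarding)
    if [ "${ip6_forwarding}" = "0" ] ; then
      sysctl net.inet6.ip6.forwarding=1
    fi

    # Current ipfw settings from rc.conf, surrounding quotes stripped
    firewall_enable=$(egrep '^firewall_enable' /etc/rc.conf | cut -f2 -d'=' | sed 's|"||g')
    firewall_type=$(egrep '^firewall_type' /etc/rc.conf | cut -f2 -d'=' | sed 's|"||g')

    if [ "${firewall_enable}" != "YES" ] || [ "${firewall_type}" != "open" ] ; then
      # Rewrite rc.conf with ipfw enabled and the "open" ruleset
      tmp_rcconf=$(mktemp /tmp/.wdn.XXXXXX)
      egrep -v '^firewall_(enable|type)' /etc/rc.conf >> "${tmp_rcconf}"
      cat <<__EOF__ >> "${tmp_rcconf}"
firewall_enable="YES"
firewall_type="open"
__EOF__
      if [ -s "${tmp_rcconf}" ] ; then
        # Back up under an unpredictable name: /var/tmp is world-writable,
        # so a fixed name could be pre-created (e.g. as a symlink) by a
        # local user before root writes through it
        rcconf_bak=$(mktemp /var/tmp/rc.conf.bak.XXXXXX)
        cp /etc/rc.conf "${rcconf_bak}"
        # mktemp created the file 0600; restore the conventional mode so
        # rc.conf stays readable by non-root consumers after the mv
        chmod 644 "${tmp_rcconf}"
        if ! mv "${tmp_rcconf}" /etc/rc.conf ; then
          mv "${rcconf_bak}" /etc/rc.conf
        fi
      else
        rm -f "${tmp_rcconf}"
      fi
      /etc/rc.d/ipfw forcerestart
    fi

    # Add an ipfw NAT instance for IFACE unless one exists already
    instance=$(get_ipfw_nat_instance "${IFACE}")
    if [ -z "${instance}" ] ; then
      priority=$(get_ipfw_nat_priority)
      instance=$(get_ipfw_nat_instance)

      # NOTE(review): ipfw(8) documents the rule number after "add"
      # ("ipfw add <number> nat ..."); confirm the argument order used here
      ipfw "${priority}" add nat "${instance}" all from any to any
      ipfw nat "${instance}" config if "${IFACE}" reset
    fi
  fi
# End of jail VIMAGE startup function
}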
212
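#######################################
# Start the jail the normal (non-VIMAGE) way: alias every configured
# address onto IFACE on the host and pass them to jail(8) as
# ip4.addr / ip6.addr parameters.
# Globals (read):    IP4 IP6 IPS4 IPS6 IFACE JAILDIR HOST jFlags JAILNAME
# Globals (written): JID
# Exits 1 after umountjailxfs if jail(8) fails to start the jail.
#######################################
start_jail_standard()
{
  # Always start from an empty flag list so a stale value cannot leak in
  _ipflags=""

  # Primary IPv4 / IPv6 addresses
  if [ -n "${IP4}" ] ; then
    _ipflags="ip4.addr=${IP4}"
    ifconfig "${IFACE}" inet alias "${IP4}"
  fi
  if [ -n "${IP6}" ] ; then
    _ipflags="${_ipflags} ip6.addr=${IP6}"
    ifconfig "${IFACE}" inet6 alias "${IP6}"
  fi

  # Setup the extra IP4s for this jail
  for _ip in ${IPS4}
  do
    ifconfig "${IFACE}" inet alias "${_ip}"
    _ipflags="${_ipflags} ip4.addr=${_ip}"
  done

  # Setup the extra IP6s for this jail
  for _ip in ${IPS6}
  do
    ifconfig "${IFACE}" inet6 alias "${_ip}"
    _ipflags="${_ipflags} ip6.addr=${_ip}"
  done

  # _ipflags and jFlags are intentionally unquoted: both are
  # whitespace-separated lists of jail(8) parameters
  echo "jail -c path=${JAILDIR} ${_ipflags} host.hostname=${HOST} ${jFlags} persist"
  if ! jail -c path="${JAILDIR}" ${_ipflags} host.hostname="${HOST}" ${jFlags} persist ; then
    echo "ERROR: Failed starting jail with above command..."
    umountjailxfs "${JAILNAME}"
    exit 1
  fi

  # Jail id: the jls line whose path column ends in JAILDIR (quoted, but
  # still a regex, so '.' in the path matches any character)
  JID=$(jls | grep "${JAILDIR}\$" | tr -s " " | cut -d " " -f 2)
}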
251
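# Jail to start is the first argument; JDIR comes from the sourced config
JAILNAME="${1}"

if [ -z "${JAILNAME}" ]
then
  echo "ERROR: No jail specified to start!"
  exit 5
fi

if [ -z "${JDIR}" ]
then
  echo "ERROR: JDIR is unset!!!!"
  exit 5
fi

JAILDIR="${JDIR}/${JAILNAME}"

if [ ! -d "${JAILDIR}" ]
then
  echo "ERROR: No jail located at ${JAILDIR}"
  exit 5
fi

# Make sure the jail is NOT already running. JAILDIR is quoted so a path
# with spaces or glob characters is passed as one pattern; it is still a
# regex, so '.' in the path matches any character.
if jls | grep "${JAILDIR}\$" >/dev/null 2>&1
then
  echo "ERROR: Jail appears to be running already!"
  exit 6
fi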
281
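IFACE=

# 1 when IFACE came from get_default_interface rather than metadata/config
DEFAULT=0

# Make sure jail uses special interface if specified, else the configured
# NIC, else the host's default interface
if [ -e "${JMETADIR}/iface" ] ; then
  IFACE=$(cat "${JMETADIR}/iface")
fi
if [ -z "${IFACE}" ] ; then
  if [ -n "${NIC}" ] ; then
    IFACE="${NIC}"
  else
    IFACE=$(get_default_interface)
    DEFAULT=1
  fi
fi
if [ -z "${IFACE}" ] ; then
  echo "ERROR: no interface specified and a default doesn't exist!"
  exit 6
fi

# Check if this interface is valid
if ! ifconfig "${IFACE}" >/dev/null 2>&1 ; then
  echo "ERROR: No such network interface $IFACE"
  echo "Please set a correct network interface in /usr/local/etc/warden.conf"
  exit 6
fi

# MTU of the host interface, taken from the first ifconfig line; the bridge
# and epair created for vnet jails are given the same value
MTU=$(ifconfig "${IFACE}" | head -n 1 | sed -E 's/.*mtu ([0-9]+)/\1/g')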
312
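# Per-jail network settings, each read from a file in JMETADIR when present.
# The alias-* files hold one address per line and are flattened into a
# space-separated list; read -r keeps backslashes literal and the
# "|| [ -n ... ]" clause still accepts a last line without a newline.
GATEWAY4=
if [ -e "${JMETADIR}/defaultrouter-ipv4" ] ; then
  GATEWAY4=$(cat "${JMETADIR}/defaultrouter-ipv4")
fi
GATEWAY6=
if [ -e "${JMETADIR}/defaultrouter-ipv6" ] ; then
  GATEWAY6=$(cat "${JMETADIR}/defaultrouter-ipv6")
fi

BRIDGEIP4=
if [ -e "${JMETADIR}/bridge-ipv4" ] ; then
  BRIDGEIP4=$(cat "${JMETADIR}/bridge-ipv4")
fi

BRIDGEIPS4=
if [ -e "${JMETADIR}/alias-bridge-ipv4" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    BRIDGEIPS4="${BRIDGEIPS4} ${line}"
  done < "${JMETADIR}/alias-bridge-ipv4"
fi

BRIDGEIP6=
if [ -e "${JMETADIR}/bridge-ipv6" ] ; then
  BRIDGEIP6=$(cat "${JMETADIR}/bridge-ipv6")
fi

BRIDGEIPS6=
if [ -e "${JMETADIR}/alias-bridge-ipv6" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    BRIDGEIPS6="${BRIDGEIPS6} ${line}"
  done < "${JMETADIR}/alias-bridge-ipv6"
fi

# Check if we need to enable vnet: the presence of the "vnet" marker decides
VIMAGEENABLE="NO"
if [ -e "${JMETADIR}/vnet" ] ; then
  VIMAGEENABLE="YES"
fi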
353
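# NOTE(review): JMETADIR is already consulted above (iface, defaultrouter-*,
# bridge-*) before this call; confirm functions.sh sets it earlier, otherwise
# those reads see an unset JMETADIR.
set_warden_metadir

if [ -e "${JMETADIR}/jail-linux" ] ; then
  LINUXJAIL="YES"
fi

HOST=$(cat "${JMETADIR}/host")

jFlags=""
# Grab any additional jail flags
if [ -e "${JMETADIR}/jail-flags" ] ; then
  jFlags=$(cat "${JMETADIR}/jail-flags")
fi

DEVFS_RULESET=""
# Check if we have a devfs ruleset configured
if [ -e "${JMETADIR}/devfs-ruleset" ] ; then
  DEVFS_RULESET=$(cat "${JMETADIR}/devfs-ruleset")
fi

# Make sure the dataset is mounted; if not, mount <parent dataset>/<jail>
jDataSet=$(mount | grep "on ${JAILDIR} " | awk '{print $1}')
if [ -z "${jDataSet}" ] ; then
  pDataSet=$(mount | grep "on ${JDIR} " | awk '{print $1}')
  rc_halt "mount -t zfs $pDataSet/$JAILNAME $JAILDIR"
  # Fixed: this used the undefined $oDataSet, leaving jDataSet as "/<jail>"
  jDataSet="${pDataSet}/${JAILNAME}"
fi

# If the user has enabled mounting of ZFS dataset, lets export this dataset to the jail
if echo "${jFlags}" | grep -q "allow.mount.zfs=1" ; then
  jProp=$(zfs get -H jailed "${jDataSet}" | awk '{print $3}')
  if [ "${jProp}" = "off" ] ; then
    rc_halt "zfs set jailed=on $jDataSet"
    if [ ! -d "${JAILDIR}" ] ; then mkdir "${JAILDIR}" ; fi
    rc_halt "mount -t zfs $jDataSet ${JAILDIR}"
  fi
fi

# devfs for the jail, with the configured ruleset when there is one
if is_symlinked_mountpoint "${JAILDIR}/dev"; then
  echo "${JAILDIR}/dev has symlink as parent, not mounting"
else
  if [ -z "${DEVFS_RULESET}" ]; then
    mount -t devfs devfs "${JAILDIR}/dev"
  else
    mount -t devfs -o ruleset="${DEVFS_RULESET}" devfs "${JAILDIR}/dev"
  fi
fi

if [ "${LINUXJAIL}" = "YES" ] ; then
  # Linux Jail: linprocfs, fdescfs, linsysfs and (if present) a tmpfs on
  # /lib/init/rw, each skipped when its mount point sits under a symlink
  if is_symlinked_mountpoint "${JAILDIR}/proc"; then
    echo "${JAILDIR}/proc has symlink as parent, not mounting"
  else
    mount -t linprocfs linproc "${JAILDIR}/proc"
  fi
  if is_symlinked_mountpoint "${JAILDIR}/dev/fd"; then
    echo "${JAILDIR}/dev/fd has symlink as parent, not mounting"
  else
    mount -t fdescfs null "${JAILDIR}/dev/fd"
  fi
  if is_symlinked_mountpoint "${JAILDIR}/sys"; then
    echo "${JAILDIR}/sys has symlink as parent, not mounting"
  else
    mount -t linsysfs linsys "${JAILDIR}/sys"
  fi
  if [ -e "${JAILDIR}/lib/init/rw" ] ; then
    if is_symlinked_mountpoint "${JAILDIR}/lib/init/rw"; then
      echo "${JAILDIR}/lib/init/rw has symlink as parent, not mounting"
    else
      mount -t tmpfs tmpfs "${JAILDIR}/lib/init/rw"
    fi
  fi
else
  # FreeBSD Jail
  if is_symlinked_mountpoint "${JAILDIR}/proc"; then
    echo "${JAILDIR}/proc has symlink as parent, not mounting"
  else
    mount -t procfs proc "${JAILDIR}/proc"
  fi

  if [ -e "${JMETADIR}/jail-portjail" ] ; then mountjailxfs "${JAILNAME}" ; fi
fi

# Check for user-supplied mounts
if [ -e "${JMETADIR}/fstab" ] ; then
  echo "Mounting user-supplied file-systems"
  # Use an unpredictable temp name: a fixed /tmp/.wardenfstab.$$ could be
  # pre-created (e.g. as a symlink) by any local user before root writes it
  _fstab=$(mktemp /tmp/.wardenfstab.XXXXXX) || exit 1
  cp "${JMETADIR}/fstab" "${_fstab}"
  sed -i '' "s|%%JAILDIR%%|${JAILDIR}|g" "${_fstab}"
  mount -a -F "${_fstab}"
  rm -f "${_fstab}"
fi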
445
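# Jail addresses from metadata. A primary address given without a prefix
# length gets the historical default (/24 for IPv4, /64 for IPv6).
IP4=
if [ -e "${JMETADIR}/ipv4" ] ; then
  IP4=$(cat "${JMETADIR}/ipv4")

  # Check if somebody snuck in a IP without / on it
  case "${IP4}" in
    */*) ;;
    *) IP4="${IP4}/24" ;;
  esac
fi

# Alias lists: one address per line, flattened to a space-separated list.
# read -r keeps backslashes literal; the "|| [ -n ... ]" clause still
# accepts a last line without a trailing newline.
IPS4=
if [ -e "${JMETADIR}/alias-ipv4" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    IPS4="${IPS4} ${line}"
  done < "${JMETADIR}/alias-ipv4"
fi

IP6=
if [ -e "${JMETADIR}/ipv6" ] ; then
  IP6=$(cat "${JMETADIR}/ipv6")
  # Check if somebody snuck in a IP without / on it
  case "${IP6}" in
    */*) ;;
    *) IP6="${IP6}/64" ;;
  esac
fi

IPS6=
if [ -e "${JMETADIR}/alias-ipv6" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    IPS6="${IPS6} ${line}"
  done < "${JMETADIR}/alias-ipv6"
fi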
482
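# Are we using VIMAGE, if so start it up!
if [ "${VIMAGEENABLE}" = "YES" ] ; then
  start_jail_vimage
else
  # Using a standard jail configuration
  start_jail_standard
fi

# If the user has enabled mounting of ZFS dataset, lets export this dataset to the jail
if echo "${jFlags}" | grep -q "allow.mount.zfs=1" ; then
  # Run the ZFS command to export the dataset
  jDataSet=$(mount | grep "on ${JAILDIR} " | awk '{print $1}')
  zfs jail "${JID}" "${jDataSet}"
fi

# Bring the jail's init up. A custom start command in ${JMETADIR}/jail-start
# takes precedence for both jail types (the two branches were duplicated);
# sCmd is intentionally unquoted so it splits into command and arguments.
if [ -e "${JMETADIR}/jail-start" ] ; then
  sCmd=$(cat "${JMETADIR}/jail-start")
  echo "Starting jail with: ${sCmd}"
  jexec "${JID}" ${sCmd} 2>&1
elif [ "${LINUXJAIL}" = "YES" ] ; then
  # Linux jail: check for different init styles
  if [ -e "${JAILDIR}/etc/init.d/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/init.d/rc 3 2>&1
  elif [ -e "${JAILDIR}/etc/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/rc 3 2>&1
  fi
else
  echo "Starting jail with: /etc/rc"
  jexec "${JID}" /bin/sh /etc/rc 2>&1
fi

# Send notification of jail changes
pc-systemflag WARDENUPDATE SUCCESS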