source: src-sh/warden/scripts/backend/startjail.sh @ 0988d23

Last change on this file since 0988d23 was 0988d23, checked in by Kris Moore <kris@…>, 13 months ago

Add my working directory for the new warden backend changes.

Includes patches from John Hixson (john@…) to change
how warden uses "nicknames" instead of IP addresses for jail
identification.

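#!/bin/sh
# Script to startup a jail
# Args $1 = jail-name
#
# Exits 5 when the jail name, JDIR or the jail directory is missing and
# 6 when the jail is already running.  All diagnostics go to stderr.
#######################################################################

# Location of the warden scripts
PROGDIR="/usr/local/share/warden"

# Source our functions (and the variables they define, e.g. JDIR)
. "${PROGDIR}/scripts/backend/functions.sh"

JAILNAME="${1}"

if [ -z "${JAILNAME}" ]
then
  echo "ERROR: No jail specified to start!" >&2
  exit 5
fi

if [ -z "${JDIR}" ]
then
  echo "ERROR: JDIR is unset!!!!" >&2
  exit 5
fi

JAILDIR="${JDIR}/${JAILNAME}"

if [ ! -d "${JAILDIR}" ]
then
  echo "ERROR: No jail located at ${JAILDIR}" >&2
  exit 5
fi

# Make sure the jail is NOT already running.  Ask jls for the path of
# every jail and compare whole lines as fixed strings: grepping the
# full jls table with an unquoted path treated the path as a regex and
# could match in other columns as well.
if jls path 2>/dev/null | grep -qxF -- "${JAILDIR}"
then
  echo "ERROR: Jail appears to be running already!" >&2
  exit 6
fi
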
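# JMETADIR, the per-jail metadata directory, is filled in by
# set_warden_metadir (functions.sh).  Every metadata read below depends
# on it, so call it here, before the first read, rather than after the
# interface and bridge settings have already been consulted.
# NOTE(review): presumably it only needs JAILNAME/JDIR - confirm in
# functions.sh.
set_warden_metadir

IFACE=
DEFAULT=0

# Make sure jail uses special interface if specified
if [ -e "${JMETADIR}/iface" ] ; then
  IFACE=$(cat "${JMETADIR}/iface")
fi
if [ -z "${IFACE}" ] ; then
   IFACE=$(get_default_interface)
   DEFAULT=1
fi
if [ -z "${IFACE}" ] ; then
  echo "ERROR: no interface specified and a default doesn't exist!" >&2
  exit 6
fi

# MTU of the parent interface, taken from the first line of its
# ifconfig output ("... mtu 1500"); the bridge and epair are created
# with the same MTU.  If sed found no number it hands back the whole
# line, and "ifconfig ... create mtu <garbage>" would fail later, so
# stop here with a clear message instead.
MTU=$(ifconfig "${IFACE}" | head -1 | sed -E 's/.*mtu ([0-9]+)/\1/g')
case "${MTU}" in
  ''|*[!0-9]*)
    echo "ERROR: could not determine the MTU of ${IFACE}" >&2
    exit 6
    ;;
esac

# Default routers for the jail, if configured
GATEWAY4=
if [ -e "${JMETADIR}/defaultrouter-ipv4" ] ; then
  GATEWAY4=$(cat "${JMETADIR}/defaultrouter-ipv4")
fi
GATEWAY6=
if [ -e "${JMETADIR}/defaultrouter-ipv6" ] ; then
  GATEWAY6=$(cat "${JMETADIR}/defaultrouter-ipv6")
fi

# Primary addresses for the bridge, if configured
BRIDGEIP4=
if [ -e "${JMETADIR}/bridge-ipv4" ] ; then
  BRIDGEIP4=$(cat "${JMETADIR}/bridge-ipv4")
fi
BRIDGEIP6=
if [ -e "${JMETADIR}/bridge-ipv6" ] ; then
  BRIDGEIP6=$(cat "${JMETADIR}/bridge-ipv6")
fi

# Extra bridge addresses, one per line, collected into space-separated
# lists.  read -r keeps backslashes literal and the "|| [ -n ... ]"
# picks up a final line that has no trailing newline.
BRIDGEIPS4=
if [ -e "${JMETADIR}/alias-bridge-ipv4" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    BRIDGEIPS4="${BRIDGEIPS4} ${line}"
  done < "${JMETADIR}/alias-bridge-ipv4"
fi
BRIDGEIPS6=
if [ -e "${JMETADIR}/alias-bridge-ipv6" ] ; then
  while read -r line || [ -n "${line}" ]
  do
    BRIDGEIPS6="${BRIDGEIPS6} ${line}"
  done < "${JMETADIR}/alias-bridge-ipv6"
fi

# Marker file selecting the Linux-jail mounts and init handling below
if [ -e "${JMETADIR}/jail-linux" ] ; then
   LINUXJAIL="YES"
fi
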
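# Hostname for the jail (host.hostname).  Warn rather than fail so a
# missing file shows up in the log instead of silently yielding an
# empty hostname.
HOST=$(cat "${JMETADIR}/host" 2>/dev/null)
if [ -z "${HOST}" ] ; then
   echo "WARNING: ${JMETADIR}/host is missing or empty" >&2
fi

#######################################
# Mount a filesystem into the jail unless the mountpoint sits below a
# symlink (is_symlinked_mountpoint, functions.sh), in which case the
# mount is skipped with a message, exactly as the per-mountpoint checks
# this replaces did.  A failed mount is reported but not fatal.
# Arguments: $1 - filesystem type (mount -t)
#            $2 - device / special name passed to mount
#            $3 - mountpoint inside the jail
#######################################
mount_jail_fs() {
   _fstype="${1}"
   _fsname="${2}"
   _mntpt="${3}"
   if is_symlinked_mountpoint "${_mntpt}"; then
      echo "${_mntpt} has symlink as parent, not mounting"
   else
      mount -t "${_fstype}" "${_fsname}" "${_mntpt}" \
         || echo "WARNING: mount of ${_mntpt} failed" >&2
   fi
}

mount_jail_fs devfs devfs "${JAILDIR}/dev"

if [ "$LINUXJAIL" = "YES" ] ; then
  # Linux Jail
  mount_jail_fs linprocfs linproc "${JAILDIR}/proc"
  mount_jail_fs fdescfs null "${JAILDIR}/dev/fd"
  mount_jail_fs linsysfs linsys "${JAILDIR}/sys"
  # Only jails that ship a /lib/init/rw get a tmpfs mounted there
  if [ -e "${JAILDIR}/lib/init/rw" ] ; then
    mount_jail_fs tmpfs tmpfs "${JAILDIR}/lib/init/rw"
  fi
else
  # FreeBSD Jail
  mount_jail_fs procfs proc "${JAILDIR}/proc"

  # Port jails get their extra mounts from mountjailxfs (functions.sh)
  if [ -e "${JMETADIR}/jail-portjail" ] ; then mountjailxfs "${JAILNAME}" ; fi
fi
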
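#######################################
# Print the lines of a metadata file as one space-separated list (with
# a leading space, like the read loops this replaces), or nothing if
# the file does not exist.  read -r keeps backslashes literal and the
# "|| [ -n ... ]" picks up a last line that has no trailing newline.
# Arguments: $1 - file to read
# Outputs:   the list on stdout, no trailing newline
#######################################
warden_read_list() {
  local _list _line
  _list=
  if [ -e "${1}" ] ; then
    while read -r _line || [ -n "${_line}" ]
    do
      _list="${_list} ${_line}"
    done < "${1}"
  fi
  printf '%s' "${_list}"
}

# Primary and alias IPv4 addresses for the jail's end of the epair
IP4=
if [ -e "${JMETADIR}/ipv4" ] ; then
  IP4=$(cat "${JMETADIR}/ipv4")
fi
IPS4=$(warden_read_list "${JMETADIR}/alias-ipv4")

# Primary and alias IPv6 addresses for the jail's end of the epair
IP6=
if [ -e "${JMETADIR}/ipv6" ] ; then
  IP6=$(cat "${JMETADIR}/ipv6")
fi
IPS6=$(warden_read_list "${JMETADIR}/alias-ipv6")
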
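BRIDGE=

# See if we need to create a new bridge, or use an existing one: reuse
# the first bridge that already has IFACE as a member
# (get_bridge_interfaces / get_bridge_members, functions.sh).
_bridges=$(get_bridge_interfaces)
for _bridge in ${_bridges}
do
   for _member in $(get_bridge_members "${_bridge}")
   do
      if [ "${_member}" = "${IFACE}" ] ; then
         BRIDGE="${_bridge}"
         break
      fi
   done
   if [ -n "${BRIDGE}" ] ; then
      break
   fi
done

#######################################
# Abort on a host networking failure before the jail exists: report,
# undo the jail mounts (umountjailxfs, functions.sh) as the jail-start
# failure path does, and exit 1.
# Arguments: $1 - message
#######################################
net_setup_failed() {
   echo "ERROR: ${1}" >&2
   umountjailxfs "${JAILNAME}"
   exit 1
}

# Previously an empty result of "ifconfig bridge create" went unnoticed
# and every later ifconfig ran against an empty interface name.
if [ -z "${BRIDGE}" ] ; then
   BRIDGE=$(ifconfig bridge create mtu "${MTU}")
   [ -n "${BRIDGE}" ] || net_setup_failed "failed to create a bridge interface"
fi
# IFACE is known to be non-empty by now (checked when it was chosen)
if ! is_bridge_member "${BRIDGE}" "${IFACE}" ; then
   ifconfig "${BRIDGE}" addm "${IFACE}"
fi

# create epair for vimage jail: the "a" end stays on the host bridge,
# the "b" end is moved into the jail's vnet once the jail is running.
# ifconfig prints the name of the "a" end (e.g. epair0a); the "b" end
# is the same name with the trailing "a" replaced.
EPAIRA=$(ifconfig epair create mtu "${MTU}")
case "${EPAIRA}" in
   *[0-9]a) EPAIRB="${EPAIRA%a}b" ;;
   *) net_setup_failed "failed to create an epair interface (got '${EPAIRA}')" ;;
esac
ifconfig "${EPAIRA}" up
ifconfig "${BRIDGE}" addm "${EPAIRA}" up

# Address the bridge itself: the configured address becomes the primary
# one unless the bridge already has one (ipv4_configured /
# ipv6_configured, functions.sh), and every alias is added as an alias.
if [ -n "${BRIDGEIP4}" ] ; then
   if ! ipv4_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet "${BRIDGEIP4}"
   else
      ifconfig "${BRIDGE}" inet alias "${BRIDGEIP4}"
   fi
fi
for _ip in ${BRIDGEIPS4}
do
   ifconfig "${BRIDGE}" inet alias "${_ip}"
done

if [ -n "${BRIDGEIP6}" ] ; then
   if ! ipv6_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet6 "${BRIDGEIP6}"
   else
      ifconfig "${BRIDGE}" inet6 alias "${BRIDGEIP6}"
   fi
fi
for _ip in ${BRIDGEIPS6}
do
   ifconfig "${BRIDGE}" inet6 alias "${_ip}"
done
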
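jFlags=""
# Grab any additional jail flags: extra "jail -c" parameters separated
# by whitespace, so jFlags is deliberately expanded unquoted below.
if [ -e "${JMETADIR}/jail-flags" ] ; then
  jFlags=$(cat "${JMETADIR}/jail-flags")
fi

# Start the jail now; echo the command first so the log shows exactly
# what was run if it fails.
echo "jail -c path=${JAILDIR} host.hostname=${HOST} ${jFlags} persist vnet"
if ! jail -c path="${JAILDIR}" host.hostname="${HOST}" ${jFlags} persist vnet
then
   echo "ERROR: Failed starting jail with above command..." >&2
   # Undo what was done on the host: the jail mounts and the epair
   # created for this jail (destroying the "a" end removes both ends).
   # The bridge is left alone because it may be shared with other jails.
   umountjailxfs "${JAILNAME}"
   ifconfig "${EPAIRA}" destroy
   exit 1
fi
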
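# Look up the JID of the jail just created by matching its path exactly
# (jls prints one "jid path" pair per line).  The former jls|grep|cut
# pipeline used the unquoted path as a regex and split on columns.
JID=$(jls jid path 2>/dev/null | while read -r _jid _path
do
   if [ "${_path}" = "${JAILDIR}" ] ; then
      echo "${_jid}"
      break
   fi
done)
if [ -z "${JID}" ] ; then
   echo "ERROR: jail started but no JID was found for ${JAILDIR}" >&2
   exit 1
fi

# Move epairb into jail
ifconfig "${EPAIRB}" vnet "${JID}"

# Configure the IPv4 addresses: the first becomes the primary address
# unless one is already set (ipv4_configured, functions.sh); any later
# one is added as an alias.
if [ -n "${IP4}" ] ; then
   jexec "${JID}" ifconfig "${EPAIRB}" inet "${IP4}"
fi
for ip4 in ${IPS4}
do
   if ipv4_configured "${EPAIRB}" "${JID}" ; then
      jexec "${JID}" ifconfig "${EPAIRB}" inet alias "${ip4}"
   else
      jexec "${JID}" ifconfig "${EPAIRB}" inet "${ip4}"
   fi
done

# Configure the IPv6 addresses (the primary address previously passed
# IP4 to inet6 by mistake)
if [ -n "${IP6}" ] ; then
   jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${IP6}"
fi
for ip6 in ${IPS6}
do
   if ipv6_configured "${EPAIRB}" "${JID}" ; then
      jexec "${JID}" ifconfig "${EPAIRB}" inet6 alias "${ip6}"
   else
      jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${ip6}"
   fi
done
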
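#
# Configure the default IPv4 gateway: an explicit defaultrouter wins.
# With no defaultrouter configured, if a bridge IP address was
# configured we route via the bridge; get_ip_and_netmask (functions.sh)
# leaves the address part of BRIDGEIP4 in JIP.
#
if [ -n "${GATEWAY4}" ] ; then
   jexec "${JID}" route add -inet default "${GATEWAY4}"
elif [ -n "${BRIDGEIP4}" ] ; then
   get_ip_and_netmask "${BRIDGEIP4}"
   jexec "${JID}" route add -inet default "${JIP}"
fi

#
# Configure the default IPv6 gateway, same rules as for IPv4
#
if [ -n "${GATEWAY6}" ] ; then
   jexec "${JID}" route add -inet6 default "${GATEWAY6}"
elif [ -n "${BRIDGEIP6}" ] ; then
   get_ip_and_netmask "${BRIDGEIP6}"
   jexec "${JID}" route add -inet6 default "${JIP}"
fi
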
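#
# Set ourself to be a jail router with NAT. Don't
# use PF since it will panic the box when used
# with VIMAGE.
#
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

#######################################
# Persist the firewall/natd settings in /etc/rc.conf: copy every line
# we do not manage into a private temp file, append our own, and swap
# the result in, keeping a backup to fall back to if the swap fails.
# Globals:  IFACE (read)
# Returns:  0 on success, 1 if /etc/rc.conf was left untouched
#######################################
update_rcconf() {
   _tmp=$(mktemp /tmp/.wdn.XXXXXX) || return 1
   if [ -e /etc/rc.conf ] ; then
      # Let the temp file inherit rc.conf's owner and mode (mktemp
      # creates it 0600, which would carry over to the new rc.conf),
      # then empty it again.
      cp -p /etc/rc.conf "${_tmp}" && : > "${_tmp}"
      # grep -v exits 1 when nothing is left to copy (fine); 2 means
      # rc.conf could not be read, so leave it alone.
      grep -E -v '^(firewall_(enable|type)|natd_(enable|interface|flags))' \
         /etc/rc.conf >> "${_tmp}"
      if [ $? -gt 1 ] ; then
         rm -f "${_tmp}"
         return 1
      fi
   fi
   cat<<__EOF__>>"${_tmp}"
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="${IFACE}"
natd_flags="-dynamic -m"
__EOF__
   _bak=
   if [ -e /etc/rc.conf ] ; then
      # Back up to a mktemp-created file: a fixed name such as
      # /var/tmp/rc.conf.bak in a world-writable directory can be
      # pre-created or symlinked by a local user, and cp runs as root.
      _bak=$(mktemp /var/tmp/rc.conf.bak.XXXXXX) || { rm -f "${_tmp}"; return 1; }
      cp -p /etc/rc.conf "${_bak}"
   fi
   if mv "${_tmp}" /etc/rc.conf ; then
      [ -n "${_bak}" ] && rm -f "${_bak}"
      return 0
   fi
   [ -n "${_bak}" ] && mv "${_bak}" /etc/rc.conf
   rm -f "${_tmp}"
   return 1
}

# A failed rc.conf update is reported but does not stop the jail from
# being brought up; the ipfw rules below are still installed.
if ! update_rcconf ; then
   echo "WARNING: could not update /etc/rc.conf with the firewall/natd settings" >&2
fi

# Make sure the natd divert rule is in place.  The check and the add
# must use the same rule number (they used to check 00500 but add
# 00050, so the firewall was restarted and a duplicate rule added on
# every jail start).
# NOTE(review): rc.firewall's own natd divert appears to use rule 50 as
# well - confirm that the two do not need to coexist.
NAT_DIVERT_RULE="00050"
if ! ipfw list 2>/dev/null | grep -Eq "^${NAT_DIVERT_RULE} divert" ; then
   /etc/rc.d/ipfw restart
   ipfw -q add "${NAT_DIVERT_RULE}" divert 8668 ip4 from any to any via "${IFACE}"
fi
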
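# Run the jail's init.  A custom start script (jail-start metadata
# file) wins for both jail types; otherwise Linux jails get their
# init.d/rc or /etc/rc at runlevel 3 and FreeBSD jails /etc/rc.  The
# init's stderr is merged into stdout (2>&1) in every case.
if [ -e "${JMETADIR}/jail-start" ] ; then
  # sCmd may carry arguments, so it is expanded unquoted on purpose
  sCmd=$(cat "${JMETADIR}/jail-start")
  echo "Starting jail with: ${sCmd}"
  jexec "${JID}" ${sCmd} 2>&1
elif [ "$LINUXJAIL" = "YES" ] ; then
  # Check for different init styles
  if [ -e "${JAILDIR}/etc/init.d/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/init.d/rc 3 2>&1
  elif [ -e "${JAILDIR}/etc/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/rc 3 2>&1
  fi
else
  echo "Starting jail with: /etc/rc"
  jexec "${JID}" /bin/sh /etc/rc 2>&1
fi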