source: src-sh/warden/scripts/backend/startjail.sh @ 96c50776

Last change on this file since 96c50776 was 96c50776, checked in by Kris Moore <kris@…>, 16 months ago

Add a bit o' magic to warden backend, if user forgot to specify
a bridge address for IPV4, we can add one on the fly

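#!/bin/sh
# Script to startup a jail
# Args $1 = jail-name
#######################################################################

# Source our functions
PROGDIR="/usr/local/share/warden"

# Source our variables
. "${PROGDIR}/scripts/backend/functions.sh"

JAILNAME="${1}"

if [ -z "${JAILNAME}" ]
then
  echo "ERROR: No jail specified to start!"
  exit 5
fi

# JDIR (the directory holding all jails) must already be set, either by the
# caller's environment or by functions.sh
if [ -z "${JDIR}" ]
then
  echo "ERROR: JDIR is unset!!!!"
  exit 5
fi

JAILDIR="${JDIR}/${JAILNAME}"

if [ ! -d "${JAILDIR}" ]
then
  echo "ERROR: No jail located at ${JAILDIR}"
  exit 5
fi

# Make sure the jail is NOT already running.  jls prints the jail path as its
# last column, so the match is anchored at end-of-line.  The path is quoted
# so whitespace in it cannot split the pattern (regex metacharacters in the
# path still act as regex, exactly as before).
if jls | grep -q -- "${JAILDIR}\$"
then
  echo "ERROR: Jail appears to be running already!"
  exit 6
fi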
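IFACE=
# DEFAULT records whether we fell back to the host's default interface; it is
# not read within this script (kept for sourced helpers that may use it)
DEFAULT=0

# Everything below reads per-jail metadata from ${JMETADIR}, so derive that
# path first.
# NOTE(review): the original only called set_warden_metadir further down,
# after these reads; calling it here assumes it depends on JDIR/JAILNAME
# alone — confirm against functions.sh.
set_warden_metadir

# Make sure jail uses special interface if specified
if [ -e "${JMETADIR}/iface" ] ; then
  IFACE=$(cat "${JMETADIR}/iface")
fi
if [ -z "${IFACE}" ] ; then
   IFACE=$(get_default_interface)
   DEFAULT=1
fi
if [ -z "${IFACE}" ] ; then
  echo "ERROR: no interface specified and a default doesn't exist!"
  exit 6
fi

# The bridge and epair created later inherit the parent interface's MTU
MTU=$(ifconfig "${IFACE}" | head -1 | sed -E 's/.*mtu ([0-9]+)/\1/g')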
59
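# Optional default routers for the jail; empty means "derive from the bridge"
GATEWAY4=
if [ -e "${JMETADIR}/defaultrouter-ipv4" ] ; then
  GATEWAY4=$(cat "${JMETADIR}/defaultrouter-ipv4")
fi
GATEWAY6=
if [ -e "${JMETADIR}/defaultrouter-ipv6" ] ; then
  GATEWAY6=$(cat "${JMETADIR}/defaultrouter-ipv6")
fi

# Primary address to put on the host-side bridge (IPv4)
BRIDGEIP4=
if [ -e "${JMETADIR}/bridge-ipv4" ] ; then
  BRIDGEIP4=$(cat "${JMETADIR}/bridge-ipv4")
fi

# Additional bridge addresses, one per line, collected into a
# space-separated list (-r keeps backslashes literal)
BRIDGEIPS4=
if [ -e "${JMETADIR}/alias-bridge-ipv4" ] ; then
  while read -r line
  do
    BRIDGEIPS4="${BRIDGEIPS4} $line"
  done < "${JMETADIR}/alias-bridge-ipv4"
fi

# Primary address to put on the host-side bridge (IPv6)
BRIDGEIP6=
if [ -e "${JMETADIR}/bridge-ipv6" ] ; then
  BRIDGEIP6=$(cat "${JMETADIR}/bridge-ipv6")
fi

BRIDGEIPS6=
if [ -e "${JMETADIR}/alias-bridge-ipv6" ] ; then
  while read -r line
  do
    BRIDGEIPS6="${BRIDGEIPS6} $line"
  done < "${JMETADIR}/alias-bridge-ipv6"
fi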
94
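set_warden_metadir

# A jail-linux marker selects the Linux pseudo file-systems and init style
if [ -e "${JMETADIR}/jail-linux" ] ; then
   LINUXJAIL="YES"
fi

HOST=$(cat "${JMETADIR}/host")

# devfs is mounted in every jail, unless the mountpoint's parent is a symlink
# (presumably so a link inside the jail cannot redirect a host-side mount)
if is_symlinked_mountpoint "${JAILDIR}/dev"; then
   echo "${JAILDIR}/dev has symlink as parent, not mounting"
else
   mount -t devfs devfs "${JAILDIR}/dev"
fi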
108
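#######################################
# Mount a pseudo file-system unless the mountpoint has a symlink as parent.
# Arguments: $1 - file-system type, $2 - "special" name, $3 - mountpoint
# Outputs:   a notice on stdout when the mount is skipped
#######################################
mount_unless_symlinked() {
   _fstype="$1"
   _fsname="$2"
   _mountpt="$3"
   if is_symlinked_mountpoint "${_mountpt}"; then
      echo "${_mountpt} has symlink as parent, not mounting"
   else
      mount -t "${_fstype}" "${_fsname}" "${_mountpt}"
   fi
}

if [ "$LINUXJAIL" = "YES" ] ; then
  # Linux Jail
  mount_unless_symlinked linprocfs linproc "${JAILDIR}/proc"
  mount_unless_symlinked fdescfs null "${JAILDIR}/dev/fd"
  mount_unless_symlinked linsysfs linsys "${JAILDIR}/sys"
  # only some Linux userlands have /lib/init/rw; mount it when present
  if [ -e "${JAILDIR}/lib/init/rw" ] ; then
    mount_unless_symlinked tmpfs tmpfs "${JAILDIR}/lib/init/rw"
  fi
else
  # FreeBSD Jail
  mount_unless_symlinked procfs proc "${JAILDIR}/proc"

  # portjails get their extra mounts from mountjailxfs (functions.sh)
  if [ -e "${JMETADIR}/jail-portjail" ] ; then mountjailxfs "${JAILNAME}" ; fi
fi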
143
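# Check for user-supplied mounts
if [ -e "${JMETADIR}/fstab" ] ; then
   echo "Mounting user-supplied file-systems"
   # Work on a private copy with %%JAILDIR%% expanded.  Use mktemp instead of
   # the predictable /tmp/.wardenfstab.$$: this runs as root and mount -a -F
   # trusts the file, so a pre-planted file or symlink in /tmp must not be
   # able to stand in for it.
   _tmpfstab=$(mktemp /tmp/.wardenfstab.XXXXXX)
   if [ -z "${_tmpfstab}" ] ; then
      echo "ERROR: Unable to create temporary fstab, skipping user-supplied file-systems"
   else
      cp "${JMETADIR}/fstab" "${_tmpfstab}"
      sed -i '' "s|%%JAILDIR%%|${JAILDIR}|g" "${_tmpfstab}"
      mount -a -F "${_tmpfstab}"
      rm -f -- "${_tmpfstab}"
   fi
fi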
152
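# Primary jail addresses; a bare address is given a default prefix length
IP4=
if [ -e "${JMETADIR}/ipv4" ] ; then
  IP4=$(cat "${JMETADIR}/ipv4")

  # Check if somebody snuck in a IP without / on it
  case "${IP4}" in
    */*) ;;
    *) IP4="${IP4}/24" ;;
  esac
fi

# Extra addresses, one per line, collected into a space-separated list
IPS4=
if [ -e "${JMETADIR}/alias-ipv4" ] ; then
  while read -r line
  do
    IPS4="${IPS4} $line"
  done < "${JMETADIR}/alias-ipv4"
fi

IP6=
if [ -e "${JMETADIR}/ipv6" ] ; then
  IP6=$(cat "${JMETADIR}/ipv6")
  # Check if somebody snuck in a IP without / on it
  case "${IP6}" in
    */*) ;;
    *) IP6="${IP6}/64" ;;
  esac
fi

IPS6=
if [ -e "${JMETADIR}/alias-ipv6" ] ; then
  while read -r line
  do
    IPS6="${IPS6} $line"
  done < "${JMETADIR}/alias-ipv6"
fi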
189
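BRIDGE=

# See if we need to create a new bridge, or use an existing one: reuse the
# first bridge that already has the parent interface as a member
_bridges=$(get_bridge_interfaces)
for _bridge in ${_bridges}
do
   _members=$(get_bridge_members "${_bridge}")
   for _member in ${_members}
   do
      if [ "${_member}" = "${IFACE}" ] ; then
         BRIDGE="${_bridge}"
         break 2
      fi
   done
done

if [ -z "${BRIDGE}" ] ; then
   BRIDGE=$(ifconfig bridge create mtu "${MTU}")
   # without a bridge name every following ifconfig call would be nonsense
   if [ -z "${BRIDGE}" ] ; then
      echo "ERROR: Failed creating bridge interface"
      umountjailxfs "${JAILNAME}"
      exit 6
   fi
fi
if [ -n "${IFACE}" ] ; then
   if ! is_bridge_member "${BRIDGE}" "${IFACE}" ; then
      ifconfig "${BRIDGE}" addm "${IFACE}"
   fi
fi

# create epair for vimage jail: the "a" end stays on the host bridge, the
# "b" end is moved into the jail's vnet once the jail is running
EPAIRA=$(ifconfig epair create mtu "${MTU}")
if [ -z "${EPAIRA}" ] ; then
   echo "ERROR: Failed creating epair interface"
   umountjailxfs "${JAILNAME}"
   exit 6
fi
ifconfig "${EPAIRA}" up

# ifconfig reports the "a" side (epairNa); its peer is epairNb
EPAIRB="${EPAIRA%a}b"
ifconfig "${BRIDGE}" addm "${EPAIRA}" up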
226
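# If no bridge specified, and IP4 is enabled, lets suggest one: the .254
# host address on the jail's network.
# NOTE(review): this assumes the jail network is a /24 (IP4 carries /24 when
# no prefix was given) and hands ifconfig the bare address, so the host side
# gets ifconfig's default netmask; a jail on a different prefix may end up
# with a gateway outside its subnet — confirm if other prefixes are expected.
if [ -z "$BRIDGEIP4" ] && [ -n "$IP4" ] ; then
   _net4="${IP4%/*}"            # drop the /prefix
   BRIDGEIP4="${_net4%.*}.254"  # replace the last octet
fi

# Put the primary bridge address on as the interface address when the bridge
# has none yet, otherwise as an alias; skip addresses already present
if [ -n "${BRIDGEIP4}" ] ; then
   if ! ipv4_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet "${BRIDGEIP4}"

   elif ! ipv4_address_configured "${BRIDGE}" "${BRIDGEIP4}" ; then
      ifconfig "${BRIDGE}" inet alias "${BRIDGEIP4}"
   fi
fi
if [ -n "${BRIDGEIPS4}" ] ; then
   for _ip in ${BRIDGEIPS4}
   do
      if ! ipv4_address_configured "${BRIDGE}" "${_ip}" ; then
         ifconfig "${BRIDGE}" inet alias "${_ip}"
      fi
   done
fi

if [ -n "${BRIDGEIP6}" ] ; then
   if ! ipv6_configured "${BRIDGE}" ; then
      ifconfig "${BRIDGE}" inet6 "${BRIDGEIP6}"

   elif ! ipv6_address_configured "${BRIDGE}" "${BRIDGEIP6}" ; then
      ifconfig "${BRIDGE}" inet6 alias "${BRIDGEIP6}"
   fi
fi
if [ -n "${BRIDGEIPS6}" ] ; then
   for _ip in ${BRIDGEIPS6}
   do
      if ! ipv6_address_configured "${BRIDGE}" "${_ip}" ; then
         ifconfig "${BRIDGE}" inet6 alias "${_ip}"
      fi
   done
fi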
265
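jFlags=""
# Grab any additional jail flags (extra jail(8) parameters, space-separated)
if [ -e "${JMETADIR}/jail-flags" ] ; then
  jFlags=$(cat "${JMETADIR}/jail-flags")
fi

# Start the jail now; ${jFlags} is deliberately left unquoted so that each
# flag becomes its own argument
echo "jail -c path=${JAILDIR} host.hostname=${HOST} ${jFlags} persist vnet"
if ! jail -c path="${JAILDIR}" host.hostname="${HOST}" ${jFlags} persist vnet ; then
   echo "ERROR: Failed starting jail with above command..."
   umountjailxfs "${JAILNAME}"
   exit 1
fi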
280
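# Look the new jail up by its path (last jls column); after squeezing spaces
# the JID is the second field because jls lines start with blanks
JID=$(jls | grep -- "${JAILDIR}\$" | tr -s " " | cut -d " " -f 2)
if [ -z "${JID}" ] ; then
   echo "ERROR: Unable to determine JID of jail ${JAILNAME}"
   exit 1
fi

# Move epairb into jail
ifconfig "${EPAIRB}" vnet "${JID}"

# Configure the IPv4 addresses
if [ -n "${IP4}" ] ; then
   echo "Setting IP4 address: ${IP4}"
   jexec "${JID}" ifconfig "${EPAIRB}" inet "${IP4}"
fi
for ip4 in ${IPS4}
do
   # if the interface has no IPv4 address yet this one becomes the primary,
   # otherwise it is added as an alias (unless already present)
   if ipv4_configured "${EPAIRB}" "${JID}" ; then
      if ! ipv4_address_configured "${EPAIRB}" "${ip4}" "${JID}" ; then
         jexec "${JID}" ifconfig "${EPAIRB}" inet alias "${ip4}"
      fi
   else
      jexec "${JID}" ifconfig "${EPAIRB}" inet "${ip4}"
   fi
done

# Configure the IPv6 addresses
if [ -n "${IP6}" ] ; then
   echo "Setting IP6 address: ${IP6}"
   # was passing "${IP4}" here, which applied the IPv4 address as inet6
   jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${IP6}"
fi
for ip6 in ${IPS6}
do
   if ipv6_configured "${EPAIRB}" "${JID}" ; then
      if ! ipv6_address_configured "${EPAIRB}" "${ip6}" "${JID}" ; then
         jexec "${JID}" ifconfig "${EPAIRB}" inet6 alias "${ip6}"
      fi
   else
      jexec "${JID}" ifconfig "${EPAIRB}" inet6 "${ip6}"
   fi
done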
319
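#
# Configure default IPv4 gateway: an explicit defaultrouter-ipv4 wins;
# otherwise, if the bridge got an address, route via the bridge IP
# (get_ip_and_netmask splits BRIDGEIP4 and leaves the address in JIP).
#
_gw4=
if [ -n "${GATEWAY4}" ] ; then
   _gw4="${GATEWAY4}"
elif [ -n "${BRIDGEIP4}" ] ; then
   get_ip_and_netmask "${BRIDGEIP4}"
   _gw4="${JIP}"
fi
# an empty gateway would make route(8) fail on a malformed command
if [ -n "${_gw4}" ] ; then
   jexec "${JID}" route add -inet default "${_gw4}"
fi

#
# Configure default IPv6 gateway, same rules as for IPv4
#
_gw6=
if [ -n "${GATEWAY6}" ] ; then
   _gw6="${GATEWAY6}"
elif [ -n "${BRIDGEIP6}" ] ; then
   get_ip_and_netmask "${BRIDGEIP6}"
   _gw6="${JIP}"
fi
if [ -n "${_gw6}" ] ; then
   jexec "${JID}" route add -inet6 default "${_gw6}"
fi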
349
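#
# Set ourself to be a jail router with NAT. Don't
# use PF since it will panic the box when used
# with VIMAGE.
#
ip_forwarding=$(sysctl -n net.inet.ip.forwarding)
if [ "${ip_forwarding}" = "0" ] ; then
   sysctl net.inet.ip.forwarding=1
fi

ip6_forwarding=$(sysctl -n net.inet6.ip6.forwarding)
if [ "${ip6_forwarding}" = "0" ] ; then
   sysctl net.inet6.ip6.forwarding=1
fi

# ipfw NAT needs the host firewall enabled.  Note this forces
# firewall_type="open" into rc.conf, i.e. any other firewall_type an admin
# had configured is replaced by a pass-everything ruleset (plus the NAT
# rules added below).
firewall_enable=$(egrep '^firewall_enable' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g')
firewall_type=$(egrep '^firewall_type' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g')

if [ "${firewall_enable}" != "YES" ] || [ "${firewall_type}" != "open" ] ; then
   tmp_rcconf=$(mktemp /tmp/.wdn.XXXXXX)
   if [ -z "${tmp_rcconf}" ] ; then
      echo "ERROR: Unable to create temporary rc.conf, firewall settings left unchanged"
   else
      egrep -v '^firewall_(enable|type)' /etc/rc.conf >> "${tmp_rcconf}"

      cat<<__EOF__>>"${tmp_rcconf}"
firewall_enable="YES"
firewall_type="open"
__EOF__

      if [ -s "${tmp_rcconf}" ] ; then
         # Back up to a mktemp name: a fixed /var/tmp/rc.conf.bak could be
         # pre-created (or symlinked) by any local user, and cp running as
         # root would write through it.
         rc_backup=$(mktemp /var/tmp/rc.conf.bak.XXXXXX)
         if [ -n "${rc_backup}" ] && cp /etc/rc.conf "${rc_backup}" ; then
            echo "Backup of /etc/rc.conf saved as ${rc_backup}"
            # NOTE(review): the mktemp file is mode 0600, so the new rc.conf
            # ends up 0600 as well (same as before this change) — confirm
            # whether a chmod 644 is wanted here.
            if ! mv "${tmp_rcconf}" /etc/rc.conf ; then
               mv "${rc_backup}" /etc/rc.conf
            fi
         else
            echo "ERROR: Unable to back up /etc/rc.conf, leaving it unchanged"
         fi
      fi
      # no-op after a successful mv, otherwise removes the leftover copy
      rm -f -- "${tmp_rcconf}"
      /etc/rc.d/ipfw forcerestart
   fi
fi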
386
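# Make sure an ipfw NAT instance exists for the parent interface; it
# translates all traffic ("all from any to any") through ${IFACE}
instance=$(get_ipfw_nat_instance "${IFACE}")
if [ -z "${instance}" ] ; then
   priority=$(get_ipfw_nat_priority)
   instance=$(get_ipfw_nat_instance)

   ipfw "${priority}" add nat "${instance}" all from any to any
   ipfw nat "${instance}" config if "${IFACE}" reset
fi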
395
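# Run the jail's init.  A custom jail-start command from the metadata wins
# for both jail types; otherwise the init style is chosen by jail type.
if [ -e "${JMETADIR}/jail-start" ] ; then
  # ${sCmd} is deliberately unquoted so the command and its arguments split
  sCmd=$(cat "${JMETADIR}/jail-start")
  echo "Starting jail with: ${sCmd}"
  jexec "${JID}" ${sCmd} 2>&1
elif [ "$LINUXJAIL" = "YES" ] ; then
  # Check for different init styles
  if [ -e "${JAILDIR}/etc/init.d/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/init.d/rc 3 2>&1
  elif [ -e "${JAILDIR}/etc/rc" ] ; then
    jexec "${JID}" /bin/sh /etc/rc 3 2>&1
  fi
else
  echo "Starting jail with: /etc/rc"
  jexec "${JID}" /bin/sh /etc/rc 2>&1
fi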