starting jails within jails using rc
- Reply: James Gritton : "Re: starting jails within jails using rc"
Date: Sat, 14 Aug 2021 19:59:54 UTC
Hello,

Background information:

Each FreshPorts instance runs two jails: ingress & web. The ingress jail pulls data from both git & the repos in order to populate the database. Until recently, the ingress jail used a chroot to isolate itself from the packages installed within the jail. That can taint the information pulled out of the repo.

Recently work has moved from using a chroot to using a child jail. The chroot (jail) is used to run various commands (e.g. make -V) on a ports tree contained within the chroot (jail). This extracts the information which is then loaded into the database.

Bonus: changing all the commands from chroot to jexec was pretty easy. The conversion required only trivial changes.

In short, each FreshPorts ingress jail will have a child jail containing a copy of the ports repo.

The problem: The parent jail cannot automatically start the child jail. The child jail can be started manually. Running this command in the parent jail succeeds:

  service jail start freshports

Why? I think it's because /etc/rc.d/jail contains:

  # KEYWORD: nojail shutdown

This tells the rc system not to run the jail script if the host is a jail.

How can I trick it? My two ideas so far:

* remove the keyword from the script (I've tested this; it works)
* duplicate the script, removing the keyword from the script
* mangle security.jail.jailed in the parent jail so it thinks it's not in a jail and runs it anyway

The downsides to these:

* the first two require I keep up to date with the jail script.
* the last one will have unintended consequences I'm sure, many of which I most likely would not like.

Do you have other ideas please?

Thank you

-- 
Dan Langille
dan@langille.org
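To make the mechanism behind the question concrete, here is an added shell example (not part of the original mail or of FreeBSD's rc scripts) that emulates how /etc/rc decides which rc.d scripts to skip inside a jail: /etc/rc passes "-s nojail" to rcorder(8) when sysctl security.jail.jailed reports 1, and rcorder drops every script whose "# KEYWORD:" line carries that keyword. The sample rc.d directory is constructed, and the helper names (rc_keywords, has_keyword, runs_in_jail, list_skipped, make_samples) are assumptions of this example; the real /etc/rc also handles other skip keywords, which are left out here.

```shell
#!/bin/sh
# Added example: emulate the "nojail" keyword check that /etc/rc applies
# via "rcorder -s nojail" when security.jail.jailed is 1. The rc.d scripts
# created by make_samples are constructed samples, not copies of /etc/rc.d.

# rc_keywords FILE -> print the words on the script's "# KEYWORD:" line
rc_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1"
}

# has_keyword FILE KEYWORD -> exit 0 if FILE lists KEYWORD, else 1
has_keyword() {
    for kw in $(rc_keywords "$1"); do
        [ "$kw" = "$2" ] && return 0
    done
    return 1
}

# runs_in_jail FILE JAILED -> "run" or "skip"
# JAILED mirrors the value of sysctl security.jail.jailed (0 or 1).
runs_in_jail() {
    if [ "$2" -eq 1 ] && has_keyword "$1" nojail; then
        echo skip
    else
        echo run
    fi
}

# list_skipped DIR JAILED -> names of scripts rc would not start, one per line
list_skipped() {
    for f in "$1"/*; do
        [ "$(runs_in_jail "$f" "$2")" = skip ] && basename "$f"
    done
    return 0
}

# make_samples -> create a constructed rc.d directory and print its path.
# "jail" mirrors the KEYWORD line quoted in the mail; the others are
# invented scripts that carry only the "shutdown" keyword.
make_samples() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n# PROVIDE: jail\n# REQUIRE: LOGIN FILESYSTEMS\n# KEYWORD: nojail shutdown\n' > "$dir/jail"
    printf '#!/bin/sh\n# PROVIDE: sshd\n# REQUIRE: LOGIN FILESYSTEMS\n# KEYWORD: shutdown\n' > "$dir/sshd"
    printf '#!/bin/sh\n# PROVIDE: jail_child\n# REQUIRE: LOGIN FILESYSTEMS\n# KEYWORD: shutdown\n' > "$dir/jail_child"
    echo "$dir"
}

# Usage: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    d=$(make_samples)
    echo "scripts skipped when security.jail.jailed=1:"
    list_skipped "$d" 1
    echo "scripts skipped when security.jail.jailed=0:"
    list_skipped "$d" 0
    rm -rf "$d"
fi
```

Run it with the "demo" argument to see that only the script carrying "nojail" is dropped when the emulated host is a jail, and nothing is dropped otherwise. On a real FreeBSD system the same question can be asked directly with rcorder -s nojail /etc/rc.d/* compared against a plain rcorder /etc/rc.d/*, which is a useful check before editing or duplicating any rc script.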