From: Dan Langille <dan@langille.org>
To: freebsd-hackers@freebsd.org
Subject: starting jails within jails using rc
Date: Sat, 14 Aug 2021 15:59:54 -0400
Message-ID: <60ecf265-b308-738d-ec2f-64e76b625a38@langille.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hello,

Background information:

Each FreshPorts instance runs two jails: ingress & web. The ingress jail pulls data from both git & the repos in order to populate the database.

Until recently, the ingress jail used a chroot to isolate itself from the packages installed within the jail. That can taint the information pulled out of the repo. Recently work has moved from using a chroot to using a child jail.

The chroot (jail) is used to run various commands (e.g. make -V) on a ports tree contained within the chroot (jail). This extracts the information which is then loaded into the database.

Bonus: changing all the commands from chroot to jexec was pretty easy. The conversion required only trivial changes.

In short, each FreshPorts ingress jail will have a child jail containing a copy of the ports repo.

The problem: The parent jail cannot automatically start the child jail. The child jail can be started manually. Running this command in the parent child succeeds:

  service jail start freshports

Why?

I think it's because /etc/rc.d/jail contains:

  # KEYWORD: nojail shutdown

This tells the rc system not to run the jail script if the host is a jail.

How can I trick it?

My two ideas so far:

* remove the keyword from the script (I've tested this; it works)
* duplicate the script, removing the keyword from the script
* mangle security.jail.jailed in the parent jail so it thinks it's not in a jail and runs it anyway

The downsides to these:

* the first two require that I keep up to date with the jail script.
* the last one will have unintended consequences, I'm sure, many of which I most likely would not like.

Do you have other ideas please?

Thank you
-- 
Dan Langille
dan@langille.org
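As an added illustration (not part of Dan's mail or of FreeBSD's own rc code), this shell snippet mimics the skip logic /etc/rc applies at boot: when security.jail.jailed is 1 it hands "-s nojail" to rcorder, so any rc.d script whose "# KEYWORD:" line lists nojail, such as /etc/rc.d/jail, is never run inside a jail. The sample scripts, the rc_* function names and the jailed value passed in are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate rcorder's "-s <keyword>" skipping as used by
# /etc/rc. Real /etc/rc also adds "-s nojailvnet" for non-VNET jails;
# that case is left out here.

# Return 0 if the script's "# KEYWORD:" (or "# KEYWORDS:") line lists $2.
rc_has_keyword() {
    script=$1; kw=$2
    sed -n 's/^# KEYWORDS*:[[:space:]]*//p' "$script" |
        tr ' ' '\n' | grep -qx "$kw"
}

# Skip list /etc/rc builds: "nostart" always, plus "nojail" when
# $1 (the value of security.jail.jailed) is 1.
rc_skip_keywords() {
    if [ "$1" -eq 1 ]; then echo "nostart nojail"; else echo "nostart"; fi
}

# Print "skip" or "run" for a script under the given jailed state.
rc_decision() {
    script=$1; jailed=$2
    for kw in $(rc_skip_keywords "$jailed"); do
        if rc_has_keyword "$script" "$kw"; then echo skip; return 0; fi
    done
    echo run
}

# Constructed sample rc.d scripts (header lines only) for a stand-alone run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/jail" <<'EOF'
#!/bin/sh
# PROVIDE: jail
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: nojail shutdown
EOF
cat > "$demo_dir/sshd" <<'EOF'
#!/bin/sh
# PROVIDE: sshd
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown
EOF

rc_decision "$demo_dir/jail" 1   # inside a jail: skip
rc_decision "$demo_dir/jail" 0   # on the host: run
rc_decision "$demo_dir/sshd" 1   # no nojail keyword: run
```

Dropping "nojail" from the script's KEYWORD line (Dan's first idea) is exactly what changes the first decision from skip to run.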