How early can jails be started?
Warren Block
wblock at wonkity.com
Thu Aug 14 23:13:36 UTC 2014
On Wed, 13 Aug 2014, Warren Block wrote:
> It works... mostly. This file is /etc/rc.d/earlyjail:
>
> #!/bin/sh
> # PROVIDE: earlyjail
> # REQUIRE: netwait
> # KEYWORD:
> # BEFORE: mountcritremote
> /usr/local/etc/rc.d/ezjail start dns1
>
> When /etc/rc.d/jail runs much later in the startup, it tries to start that
> jail again, and gets an error because of it. Seeing the error, it deletes
> /var/run/jail_dns1.id. ezjail uses those jail_*.id files to detect which
> jails are running, and is sure that dns1 is not running. jls does show things
> correctly. I'm not sure if there is a workaround short of modifying
> /etc/rc.d/jail.
A small patch to /etc/rc.d/jail checks whether a jail is already running
and leaves the /var/run/jail_jailname.id file in place. With this,
ezjail works fine with the early-started jail.
There might be security or other implications that should be considered.
Only superficially tested so far.
It's conceivable that someone might want to start all jails early, but I
have not modified that branch of the code.
--- /usr/src/etc/rc.d/jail 2014-07-03 19:10:00.000000000 -0600
+++ /etc/rc.d/jail 2014-08-14 16:59:23.000000000 -0600
@@ -488,6 +488,12 @@
eval rc_flags=\${jail_${_j}_flags:-$jail_flags}
eval command=\${jail_${_j}_program:-$jail_program}
command_args="-i -f $_conf -c $_j"
+
+ if jls name | grep -x -q "$_j" ;then
+ echo " $_j already started"
+ continue
+ fi
+
_tmp=`mktemp -t jail` || exit 3
if $command $rc_flags $command_args \
>> $_tmp 2>&1 </dev/null; then
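Review bot: the already-running test in the added `if jls name | grep -x -q "$_j"` line matches on jail name only and passes `$_j` to grep as a regular expression, so any running jail whose name matches that pattern is accepted as the configured one. Asking for the jail directly, for example `jls -j "$_j" >/dev/null 2>&1`, or at least using `grep -F -x`, avoids the pattern match and the scan of the full list. The `continue` also skips the rest of the loop body for that jail, so whatever is already in /var/run/jail_${_j}.id is trusted without being compared to the running jail's JID; rewriting or checking the id file before continuing would keep it from going stale. A one-line comment saying that this supports jails started before this script runs would help, and `;then` should be `; then` to match the `if ... ; then` style a few lines below.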