package cmd import ( "os" "fmt" // "log" "errors" "regexp" // "os/exec" // "reflect" "strings" // "strconv" ) // WIP. Not working now (need to address the real struct field, not a copy of it) // setJailProperty takes a string as propValue, whatever the real property type is. // It will be converted. func setJailProperty(jail *Jail, propName string, propValue string) error { // First get propName type, to convert propValue /* k, _, err := getStructFieldKind(jail, propName) if err != nil { return err } kind := k.String() */ for i, j := range gJails { if j.Name == jail.Name { val, _, err := getStructFieldValue(&gJails[i], propName) if err != nil { return errors.New(fmt.Sprintf("Field not found: %s", propName)) } /*if kind == "string" { // WIll the affectation be done in source object or a copy? val.Set(propValue) } else if kind == "int" { v, err := strconv.Atoi(propValue) if err != nil { return errors.New(fmt.Sprintf("propValue have wrong type: %s\n", err.Error())) } val.Set(v) } else { return errors.New(fmt.Sprintf("Property %s have an unsupported type in setJailProperty!\n", propName)) }*/ // panic: reflect: reflect.Value.Set using unaddressable value //val.Set(reflect.ValueOf(propValue).Elem()) // ...Because val settability is false :-( fmt.Printf("settability of val: %v\n", val.CanSet()) // This is OK, using the index to get the real jail object //gJails[i].Config.Allow_mlock = 1 // TODO : integrate this function setJailConfigUpdated(jail) } } return nil } // We cant use internalName as the value exist only when jail is running func setJailConfigUpdated(jail *Jail) error { if len(jail.ConfigPath) == 0 { return errors.New(fmt.Sprintf("No config path for jail %s", jail.Name)) } for i, j := range gJails { if jail.ConfigPath == j.ConfigPath { gJails[i].ConfigUpdated = true return nil } } return errors.New("Jail not found") } func mountProcFs(jail *Jail) error { cmd := fmt.Sprintf("mount -t procfs proc %s/proc", jail.RootPath) _, err := executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error mounting procfs on %s/proc: %s", jail.RootPath, err.Error())) } return nil } func mountLinProcFs(jail *Jail) error { ldir := fmt.Sprintf("%s/compat/linux/proc", jail.RootPath) _, err := os.Stat(ldir) if os.IsNotExist(err) { errDir := os.MkdirAll(ldir, 0755) if errDir != nil { return errors.New(fmt.Sprintf("Error creating directory %s: %s", ldir, errDir.Error())) } } cmd := fmt.Sprintf("mount -t linprocfs linproc %s", ldir) _, err = executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error mounting linprocfs on %s: %s", ldir, err.Error())) } return nil } func mountDevFs(jail *Jail) error { cmd := fmt.Sprintf("mount -t devfs dev %s/dev", jail.RootPath) _, err := executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error mounting devfs on %s/dev: %s", jail.RootPath, err.Error())) } return nil } func mountFdescFs(jail *Jail) error { // FreeBSD <= 9.3 do not support fdescfs if gHostVersion <= 9.3 { fmt.Printf(" FreeBSD <= 9.3 does not support fdescfs, disabling in config\n") jail.Config.Mount_fdescfs = 0 // Tag config so it will be synced on disk jail.ConfigUpdated = true // Should we consider this an error? return nil } cmd := fmt.Sprintf("mount -t fdescfs descfs %s/dev/fd", jail.RootPath) _, err := executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error mounting fdescfs on %s/dev/fd: %s", jail.RootPath, err.Error())) } return nil } func mountAllJailFsFromHost(jail *Jail) error { procfsFound := false linProcfsFound := false devfsFound := false fdescfsFound := false cmd := "mount -p" out, err := executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error executing mount: %s", err.Error())) } var outclean []string remSpPtrn := regexp.MustCompile(`\s+`) for _, l := range strings.Split(out, "\n") { outclean = append(outclean, remSpPtrn.ReplaceAllString(l, " ")) } // Check if these FS are already mounted for _, l := range outclean { f := strings.Split(l, " ") if len(f) > 2 { if strings.EqualFold(f[1], fmt.Sprintf("%s/proc", jail.RootPath)) { procfsFound = true } if strings.EqualFold(f[1], fmt.Sprintf("%s/compat/linux/proc", jail.RootPath)) { linProcfsFound = true } if strings.EqualFold(f[1], fmt.Sprintf("%s/dev", jail.RootPath)) { devfsFound = true } if strings.EqualFold(f[1], fmt.Sprintf("%s/dev/fd", jail.RootPath)) { fdescfsFound = true } } } // Mount wanted FS if jail.Config.Mount_procfs > 0 && procfsFound == false { err := mountProcFs(jail) if err != nil { return err } } if jail.Config.Mount_linprocfs > 0 && linProcfsFound == false { err = mountLinProcFs(jail) if err != nil { return err } } if jail.Config.Mount_devfs > 0 && devfsFound == false { err := mountDevFs(jail) if err != nil { return err } } if jail.Config.Mount_fdescfs > 0 && fdescfsFound == false { err := mountFdescFs(jail) if err != nil { return err } } // Ces montages doivent-ils etre effectués une fois le jail démarré? // FreeBSD <= 9.3 do not support fdescfs //if gHostVersion <= 9.3 && jail.Config.Allow_mount_tmpfs > 0 { if gHostVersion <= 9.3 && jail.Config.Allow_mount_tmpfs > 0 { fmt.Printf(" FreeBSD <= 9.3 does not support tmpfs, disabling in config\n") jail.Config.Allow_mount_tmpfs = 0 // Tag config so it will be synced on disk jail.ConfigUpdated = true err = setJailConfigUpdated(jail) if err != nil { fmt.Printf(fmt.Sprintf("Error updating config for jail %s: %s", jail.Name, err.Error())) return err } } if gHostVersion < 12 { if jail.Config.Allow_mlock > 0 { jail.Config.Allow_mlock = 0 jail.ConfigUpdated = true /* WIP err = setJailProperty(jail, "Config.Allow_mlock", "0") if err != nil { return err }*/ } if jail.Config.Allow_mount_fusefs > 0 { } if jail.Config.Allow_vmm > 0 { } } return nil } // TODO func prepareJailedZfsDatasets(jail *Jail) error { if jail.Config.Jail_zfs > 0 { // For jail to mount filesystem, enforce_statfs should be 1 or lower (2 is the default) // TODO : Write these changes in jail config file jail.Config.Allow_mount = 1 jail.Config.Allow_mount_zfs = 1 // TODO : Overload Json Unmarshalling to fix bad typed values, keeping iocage compatibility if jail.Config.Enforce_statfs > "1" { jail.Config.Enforce_statfs = "1" } for _, d := range strings.Split(jail.Config.Jail_zfs_dataset, " ") { // Check if dataset exist, create if necessary cmd := fmt.Sprintf("zfs get -H creation %s/%s", jail.Zpool, d) out, err := executeCommand(cmd) if err != nil { if strings.HasSuffix(out, "dataset does not exist") { cmd = fmt.Sprintf("zfs create -o compression=lz4 -o mountpoint=none %s/%s", jail.Zpool, d) _, err = executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error creating dataset %s/%s: %s", jail.Zpool, d, err.Error())) } } else { return errors.New(fmt.Sprintf("Error getting zfs dataset %s: %s", d, err.Error())) } } cmd = fmt.Sprintf("zfs set jailed=on %s/%s", jail.Zpool, d) out, err = executeCommand(cmd) if err != nil { return errors.New(fmt.Sprintf("Error executing \"zfs set jailed=on %s/%s\": %s", jail.Zpool, d, err.Error())) } // TODO : Execute "zfs jail $jailname $dataset" when jail will be up } } return nil } /* Start jail: Check jail fstab? Mount procfs Mount linprocfs Mount devfs? Mount fdescfs? If jail_zfs, then check jail_zfs_dataset exist (and create otherwise) TODO : Check NAT settings and compatibility with other jails Generate devfsruleset from configured Write config file in /var/run/jails.ioc-$NAME.conf Execute PreStart (Exec_prestart) Start jail (With ENV VARS for network conf) Start networking Mount jail_zfs_datasets inside jail Generate resolv.Conf Copy /etc/localtime into jail (?) Configure NAT Execute Exec_start into jail Execute Exec_poststart If DHCP, check with ifconfig inside jail Set RCTL Rules Use setfib for each jail command */ func StartJail(args []string) { // jail we have to start var cj *Jail for _, j := range args { fmt.Printf("> Starting jail %s\n", j) for i, rj := range gJails { if rj.Name == j { // Get jail reference, not a copy of it; So we can modify attributes cj = &gJails[i] break } } if cj == nil { fmt.Printf("Jail not found: %s\n", j) continue } if cj.Running == true { fmt.Printf("Jail %s is already running!\n", cj.Name) continue } fmt.Printf(" > Mount special filesystems:\n") err := mountAllJailFsFromHost(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Mount special filesystems: OK\n") } if cj.Config.Jail_zfs > 0 { fmt.Printf(" > Prepare ZFS Datasets:\n") err := prepareJailedZfsDatasets(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Prepare ZFS Datasets: OK\n") } } /* out, err := executeCommand(fmt.Sprintf("rctl jail:%s", cj.InternalName)) if err == nil && len(out) > 0 { fmt.Printf(" > Remove RCTL rules:\n") err := removeRctlRules(cj.InternalName, []string{""}) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Remove RCTL rules: OK\n") } } if len (cj.Config.Exec_prestop) > 0 { fmt.Printf(" > Execute prestop:\n") _, err := executeCommand(cj.Config.Exec_prestop) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Execute prestop: OK\n") } } if len (cj.Config.Exec_stop) > 0 { fmt.Printf(" > Execute stop:\n") _, err := executeCommandInJail(cj, cj.Config.Exec_stop) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Execute stop: OK\n") } } if cj.Config.Jail_zfs > 0 { fmt.Printf(" > Umount jailed ZFS:\n") err := umountAndUnjailZFS(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Umount jailed ZFS: OK\n") } } if cj.Config.Vnet > 0 && len(cj.Config.Ip4_addr) > 0 { fmt.Printf(" > Destroy VNet interfaces:\n") err := destroyVNetInterfaces(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Destroy VNet interfaces: OK\n") } } fmt.Printf(" > Remove devfsruleset %s:\n", cj.Config.Devfs_ruleset) err = deleteDevfsRuleset(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Remove devfsruleset %s: OK\n", cj.Config.Devfs_ruleset) } fmt.Printf(" > Stop jail %s:\n", cj.Name) err = stopJail(cj) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) } else { fmt.Printf(" > Stop jail %s: OK\n", cj.Name) } */ } }