408 lines
11 KiB
Go
408 lines
11 KiB
Go
package cmd
|
|
|
|
import (
|
|
"os"
|
|
"fmt"
|
|
"errors"
|
|
"regexp"
|
|
"strings"
|
|
)
|
|
|
|
// FIXME : Do not work?!
|
|
// We cant use internalName as the value exist only when jail is running
|
|
func setJailConfigUpdated(jail *Jail) error {
|
|
if len(jail.ConfigPath) == 0 {
|
|
return errors.New(fmt.Sprintf("No config path for jail %s", jail.Name))
|
|
}
|
|
|
|
for i, j := range gJails {
|
|
if jail.Name == j.Name {
|
|
fmt.Printf("Tag %s as configUpdated\n", jail.Name)
|
|
gJails[i].ConfigUpdated = true
|
|
return nil
|
|
}
|
|
}
|
|
|
|
return errors.New("Jail not found")
|
|
}
|
|
|
|
func mountProcFs(jail *Jail) error {
|
|
cmd := fmt.Sprintf("mount -t procfs proc %s/proc", jail.RootPath)
|
|
_, err := executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error mounting procfs on %s/proc: %s", jail.RootPath, err.Error()))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func mountLinProcFs(jail *Jail) error {
|
|
ldir := fmt.Sprintf("%s/compat/linux/proc", jail.RootPath)
|
|
_, err := os.Stat(ldir)
|
|
if os.IsNotExist(err) {
|
|
errDir := os.MkdirAll(ldir, 0755)
|
|
if errDir != nil {
|
|
return errors.New(fmt.Sprintf("Error creating directory %s: %s", ldir, errDir.Error()))
|
|
}
|
|
}
|
|
cmd := fmt.Sprintf("mount -t linprocfs linproc %s", ldir)
|
|
_, err = executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error mounting linprocfs on %s: %s", ldir, err.Error()))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func mountDevFs(jail *Jail) error {
|
|
cmd := fmt.Sprintf("mount -t devfs dev %s/dev", jail.RootPath)
|
|
_, err := executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error mounting devfs on %s/dev: %s", jail.RootPath, err.Error()))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func mountFdescFs(jail *Jail) error {
|
|
// FreeBSD <= 9.3 do not support fdescfs
|
|
if gHostVersion <= 9.3 {
|
|
fmt.Printf(" FreeBSD <= 9.3 does not support fdescfs, disabling in config\n")
|
|
jail.Config.Mount_fdescfs = 0
|
|
// Tag config so it will be synced on disk
|
|
jail.ConfigUpdated = true
|
|
|
|
// Should we consider this an error?
|
|
return nil
|
|
}
|
|
|
|
cmd := fmt.Sprintf("mount -t fdescfs descfs %s/dev/fd", jail.RootPath)
|
|
_, err := executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error mounting fdescfs on %s/dev/fd: %s", jail.RootPath, err.Error()))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func mountAllJailFsFromHost(jail *Jail) error {
|
|
procfsFound := false
|
|
linProcfsFound := false
|
|
devfsFound := false
|
|
fdescfsFound := false
|
|
|
|
cmd := "mount -p"
|
|
out, err := executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error executing mount: %s", err.Error()))
|
|
}
|
|
|
|
var outclean []string
|
|
remSpPtrn := regexp.MustCompile(`\s+`)
|
|
for _, l := range strings.Split(out, "\n") {
|
|
outclean = append(outclean, remSpPtrn.ReplaceAllString(l, " "))
|
|
}
|
|
|
|
// Check if these FS are already mounted
|
|
for _, l := range outclean {
|
|
f := strings.Split(l, " ")
|
|
if len(f) > 2 {
|
|
|
|
if strings.EqualFold(f[1], fmt.Sprintf("%s/proc", jail.RootPath)) {
|
|
procfsFound = true
|
|
}
|
|
if strings.EqualFold(f[1], fmt.Sprintf("%s/compat/linux/proc", jail.RootPath)) {
|
|
linProcfsFound = true
|
|
}
|
|
if strings.EqualFold(f[1], fmt.Sprintf("%s/dev", jail.RootPath)) {
|
|
devfsFound = true
|
|
}
|
|
if strings.EqualFold(f[1], fmt.Sprintf("%s/dev/fd", jail.RootPath)) {
|
|
fdescfsFound = true
|
|
}
|
|
}
|
|
}
|
|
|
|
// Mount wanted FS
|
|
if jail.Config.Mount_procfs > 0 && procfsFound == false {
|
|
err := mountProcFs(jail)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if jail.Config.Mount_linprocfs > 0 && linProcfsFound == false {
|
|
err = mountLinProcFs(jail)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if jail.Config.Mount_devfs > 0 && devfsFound == false {
|
|
err := mountDevFs(jail)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if jail.Config.Mount_fdescfs > 0 && fdescfsFound == false {
|
|
err := mountFdescFs(jail)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
|
|
// Ces montages doivent-ils etre effectués une fois le jail démarré?
|
|
|
|
// FreeBSD <= 9.3 do not support fdescfs
|
|
//if gHostVersion <= 9.3 && jail.Config.Allow_mount_tmpfs > 0 {
|
|
if gHostVersion <= 9.3 && jail.Config.Allow_mount_tmpfs > 0 {
|
|
fmt.Printf(" FreeBSD <= 9.3 does not support tmpfs, disabling in config\n")
|
|
jail.Config.Allow_mount_tmpfs = 0
|
|
// Tag config so it will be synced on disk
|
|
jail.ConfigUpdated = true
|
|
err = setJailConfigUpdated(jail)
|
|
if err != nil {
|
|
fmt.Printf(fmt.Sprintf("Error updating config for jail %s: %s", jail.Name, err.Error()))
|
|
return err
|
|
}
|
|
}
|
|
|
|
if gHostVersion < 12 {
|
|
if jail.Config.Allow_mlock > 0 {
|
|
jail.Config.Allow_mlock = 0
|
|
jail.ConfigUpdated = true
|
|
/* WIP
|
|
err = setJailProperty(jail, "Config.Allow_mlock", "0")
|
|
if err != nil {
|
|
return err
|
|
}*/
|
|
}
|
|
if jail.Config.Allow_mount_fusefs > 0 {
|
|
}
|
|
if jail.Config.Allow_vmm > 0 {
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
|
|
// TODO
|
|
func prepareJailedZfsDatasets(jail *Jail) error {
|
|
if jail.Config.Jail_zfs > 0 {
|
|
// For jail to mount filesystem, enforce_statfs should be 1 or lower (2 is the default)
|
|
// TODO : Write these changes in jail config file
|
|
jail.Config.Allow_mount = 1
|
|
jail.Config.Allow_mount_zfs = 1
|
|
// TODO : Overload Json Unmarshalling to fix bad typed values, keeping iocage compatibility
|
|
if jail.Config.Enforce_statfs > "1" {
|
|
jail.Config.Enforce_statfs = "1"
|
|
}
|
|
for _, d := range strings.Split(jail.Config.Jail_zfs_dataset, " ") {
|
|
// Check if dataset exist, create if necessary
|
|
cmd := fmt.Sprintf("zfs get -H creation %s/%s", jail.Zpool, d)
|
|
out, err := executeCommand(cmd)
|
|
if err != nil {
|
|
if strings.HasSuffix(out, "dataset does not exist") {
|
|
cmd = fmt.Sprintf("zfs create -o compression=lz4 -o mountpoint=none %s/%s", jail.Zpool, d)
|
|
_, err = executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error creating dataset %s/%s: %s", jail.Zpool, d, err.Error()))
|
|
}
|
|
} else {
|
|
return errors.New(fmt.Sprintf("Error getting zfs dataset %s: %s", d, err.Error()))
|
|
}
|
|
}
|
|
|
|
cmd = fmt.Sprintf("zfs set jailed=on %s/%s", jail.Zpool, d)
|
|
out, err = executeCommand(cmd)
|
|
if err != nil {
|
|
return errors.New(fmt.Sprintf("Error executing \"zfs set jailed=on %s/%s\": %s", jail.Zpool, d, err.Error()))
|
|
}
|
|
// TODO : Execute "zfs jail $jailname $dataset" when jail will be up
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
Start jail:
|
|
Check jail fstab?
|
|
Mount procfs
|
|
Mount linprocfs
|
|
Mount devfs?
|
|
Mount fdescfs?
|
|
If jail_zfs, then check jail_zfs_dataset exist (and create otherwise)
|
|
TODO : Check NAT settings and compatibility with other jails
|
|
Generate devfsruleset from configured
|
|
Write config file in /var/run/jails.ioc-$NAME.conf
|
|
Execute PreStart (Exec_prestart)
|
|
Start jail (With ENV VARS for network conf)
|
|
Start networking
|
|
Mount jail_zfs_datasets inside jail
|
|
Generate resolv.Conf
|
|
Copy /etc/localtime into jail (?)
|
|
Configure NAT
|
|
Execute Exec_start into jail
|
|
Execute Exec_poststart
|
|
If DHCP, check with ifconfig inside jail
|
|
Set RCTL Rules
|
|
|
|
Use setfib for each jail command
|
|
*/
|
|
func StartJail(args []string) {
|
|
// jail we have to start
|
|
var cj *Jail
|
|
|
|
for _, j := range args {
|
|
fmt.Printf("> Starting jail %s\n", j)
|
|
|
|
for i, rj := range gJails {
|
|
if rj.Name == j {
|
|
// Get jail reference, not a copy of it; So we can modify attributes
|
|
cj = &gJails[i]
|
|
break
|
|
}
|
|
}
|
|
if cj == nil {
|
|
fmt.Printf("Jail not found: %s\n", j)
|
|
continue
|
|
}
|
|
|
|
if cj.Running == true {
|
|
fmt.Printf("Jail %s is already running!\n", cj.Name)
|
|
continue
|
|
}
|
|
|
|
if len(cj.hostid) > 0 && cj.Hostid_strict_check == true {
|
|
hostid, err := ioutil.ReadFile("/etc/hostid")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
hostid = []byte(strings.Replace(string(hostid), "\n", "", -1))
|
|
if strings.EqualFold(hostid, cj.hostid) == false {
|
|
fmt.Printf("hostid is not matching and hostid_strict_check is on. Not starting jail.\n")
|
|
return
|
|
}
|
|
}
|
|
|
|
var props_missing []string
|
|
// DHCP can also be set with "DHCP" value in ip4_addr
|
|
if cj.Dhcp == true || strings.EqualFold(cj.Ip4_addr, "DHCP") == true {
|
|
if cj.Bpf == 0 {
|
|
props_missing = append(props_missing, fmt.Sprintf("%s: dhcp requires bpf", cj.Name))
|
|
}
|
|
if cj.Vnet == 0 {
|
|
props_missing = append(props_missing, fmt.Sprintf("%s: dhcp requires vnet", cj.Name))
|
|
}
|
|
}
|
|
// TODO : Check that this nat_forwards exemple is OK :
|
|
// tcp(80:8080),tcp(3300-3310:33060-33070)
|
|
// If OK, it should map jail port 80 to 8080 on the host
|
|
// and range 3300-3310 on jail to 33060-33070 on the host
|
|
if cj.Nat > 0 && strings.EqualFold(cj.Nat_forwards, "none") == false {
|
|
// If NAT && port forwarding is enabled, check that port does not conflict
|
|
// with another running jail
|
|
for _, j := range gJails {
|
|
if j.Running == false {
|
|
continue
|
|
}
|
|
// TODO : check!
|
|
}
|
|
}
|
|
|
|
fmt.Printf(" > Mount special filesystems:\n")
|
|
err := mountAllJailFsFromHost(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Mount special filesystems: OK\n")
|
|
}
|
|
|
|
if cj.Config.Jail_zfs > 0 {
|
|
fmt.Printf(" > Prepare ZFS Datasets:\n")
|
|
err := prepareJailedZfsDatasets(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Prepare ZFS Datasets: OK\n")
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
out, err := executeCommand(fmt.Sprintf("rctl jail:%s", cj.InternalName))
|
|
if err == nil && len(out) > 0 {
|
|
fmt.Printf(" > Remove RCTL rules:\n")
|
|
err := removeRctlRules(cj.InternalName, []string{""})
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Remove RCTL rules: OK\n")
|
|
}
|
|
}
|
|
|
|
if len (cj.Config.Exec_prestop) > 0 {
|
|
fmt.Printf(" > Execute prestop:\n")
|
|
_, err := executeCommand(cj.Config.Exec_prestop)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Execute prestop: OK\n")
|
|
}
|
|
}
|
|
|
|
if len (cj.Config.Exec_stop) > 0 {
|
|
fmt.Printf(" > Execute stop:\n")
|
|
_, err := executeCommandInJail(cj, cj.Config.Exec_stop)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Execute stop: OK\n")
|
|
}
|
|
}
|
|
|
|
if cj.Config.Jail_zfs > 0 {
|
|
fmt.Printf(" > Umount jailed ZFS:\n")
|
|
err := umountAndUnjailZFS(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Umount jailed ZFS: OK\n")
|
|
}
|
|
}
|
|
|
|
if cj.Config.Vnet > 0 && len(cj.Config.Ip4_addr) > 0 {
|
|
fmt.Printf(" > Destroy VNet interfaces:\n")
|
|
err := destroyVNetInterfaces(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Destroy VNet interfaces: OK\n")
|
|
}
|
|
}
|
|
|
|
fmt.Printf(" > Remove devfsruleset %s:\n", cj.Config.Devfs_ruleset)
|
|
err = deleteDevfsRuleset(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Remove devfsruleset %s: OK\n", cj.Config.Devfs_ruleset)
|
|
}
|
|
|
|
fmt.Printf(" > Stop jail %s:\n", cj.Name)
|
|
err = stopJail(cj)
|
|
if err != nil {
|
|
fmt.Printf("ERROR: %s\n", err.Error())
|
|
} else {
|
|
fmt.Printf(" > Stop jail %s: OK\n", cj.Name)
|
|
}
|
|
*/
|
|
|
|
}
|
|
}
|
|
|