Re: service jails and precmd make ntpd (and nfsd) sad

Reply: Lexi Winter : "Re: service jails and precmd make ntpd (and nfsd) sad"
In reply to: Lexi Winter : "service jails and precmd make ntpd (and nfsd) sad"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Fri, 21 Mar 2025 13:47:53 UTC

Am 2025-03-21 10:18, schrieb Lexi Winter:
> hello,
> 
> while investigating how to support ntpd in a service jail[0], i ran 
> into
> a problem with rc(8) which i think is more architectural in nature.
> 
> the problem: several rc.d scripts, including ntpd and nfsd, assume that
> you can set $command_args in ${svc}_start_precmd and this change will 
> be
> reflected in ${svc}_start when the service is started.  for non-svcj
> services, this assumption is correct.  for svcj services, it is not,
> because ${svc}_start_precmd is run outside the jail, then ${svc}_start 
> is
> run inside the jail in a separate shell process.

Regarding the service jails your observation is correct.

IIRC there where some more cases of this before I introduced service 
jails. In those cases I changed the setting of command args from inside 
the precmd to outside the precmd. In those cases where I did it, this 
was possible as it was not depending on some value which was computed 
inside precmd.

> this cannot be fixed by simply running ${svc}_start_precmd in the svcj,
> because ntpd's rc script needs to load a kernel module in its precmd.
> 
> i think the correct fix here is to split precmd into two things, one of
> which is run outside the jail (to load kernel modules, etc.) and one of
> which is run before ${svc}_start (or other actions) in the same shell
> that the action will run in.
> 
> i would propose 'setup' as the thing which is run outside the jail, and
> 'precmd' as the thing which is run inside the jail.

Modifying the service jails to run the precmd (or whatever) inside 
instead of of outside requires more than an one line change. Be careful 
if you want to go that way.

> am i on the right track here, or have i missed something?

There is another option. Load the kernel module outside of the ntpd 
service rc script. Either as a documented requirement when enabling 
service jails (and an error message from the rc script in the svcj case 
if the module is not loaded), or by adding another rc script which also 
listens on ntpd_enable and the ntpd rc scripts depends on. This module 
loading script can be forced to svcj off as it runs in a different 
execution context than the current ntdp rc script. Personally I prefer 
the separation of duties here instead of adding complexity inside the rc 
scripts (KISS... rc.subr and related are already convoluted).

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF