Subject: Re: starting jails within jails using rc
To: James Gritton
Cc: freebsd-hackers@freebsd.org
References: <60ecf265-b308-738d-ec2f-64e76b625a38@langille.org>
From: Dan Langille
Message-ID: <2fde54a8-1f19-28e0-46b2-74b5ef2c2e65@langille.org>
Date: Sun, 15 Aug 2021 12:56:33 -0400
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

James Gritton wrote on 8/15/21 12:29 PM:
> On 2021-08-14 12:59, Dan Langille wrote:
>> The problem:
>>
>> The parent jail cannot automatically start the child jail. The child
>> jail can be started manually.
>>
>> Running this command in the parent child succeeds: service jail start
>> freshports
>>
>> Why? I think it's because /etc/rc.d/jail contains:
>>
>> # KEYWORD: nojail shutdown
>>
>> This tells the rc system not to run the jail script if the host is a
>> jail.
>>
>> How can I trick it?
>>
>> My two ideas so far:
>>
>> * remove the keyword from the script (I've tested this; it works)
>> * duplicate the script, removing the keyword from the script
>> * mangle security.jail.jailed in the parent jail it thinks it's not in
>> a jail and runs it anyway
>>
>> The downsides to these:
>>
>> * the first two require I keep up to date with the jail script.
>> * the last one will have unintended consequences I'm sure, many which
>> I most likely would not like.
>
> Since jails with jails is a supported (though not defaulted) feature,
> I see no reason why simply removing the "nojail" keyword from the
> script shouldn't be the default.  The only cost is typical jail
> startup having to run the script to no effect, but the rc system is
> already built of dozens of such seldom-used scripts.

Wow. I had not considered a patch until now. Submitted.

https://github.com/freebsd/freebsd-src/pull/525

-- 
Dan Langille - dan@langille.org
https://langille.org/
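To make the mechanism behind the thread concrete, here is an added example (not code from the thread, the pull request, or FreeBSD itself): a small POSIX sh model of the keyword filter that /etc/rc applies at boot via rcorder(8), run against two constructed header stubs, the stock `# KEYWORD: nojail shutdown` line quoted above and the same line with `nojail` removed as the patch proposes. The function and file names are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a pure-sh model of the keyword filter
# /etc/rc applies at boot. rc(8) runs rcorder(8) with "-s nostart" and adds
# "-s nojail" when security.jail.jailed is 1, so an rc.d script whose
# "# KEYWORD:" line lists "nojail" is never started inside a jail. Running
# "service jail start" by hand execs the script directly and bypasses
# rcorder, which is why the manual start in the thread succeeds.

# Print the keywords declared on a script's "# KEYWORD:"/"# KEYWORDS:" line.
rc_keywords() {
    sed -n 's/^# KEYWORDS\{0,1\}:[[:space:]]*//p' "$1"
}

# Succeed (return 0) if rc would skip the script: $1 = path,
# $2 = value of security.jail.jailed (1 inside a jail, 0 on the host).
rc_would_skip() {
    skiplist="nostart"
    [ "$2" -eq 1 ] && skiplist="$skiplist nojail"
    for kw in $(rc_keywords "$1"); do
        for sk in $skiplist; do
            [ "$kw" = "$sk" ] && return 0
        done
    done
    return 1
}

# The same decision as a word, for reporting: "skip" or "run".
rc_decision() {
    if rc_would_skip "$1" "$2"; then echo skip; else echo run; fi
}

# Constructed sample headers (hypothetical files): the stock /etc/rc.d/jail
# keyword line quoted in the thread, and the same header with "nojail" removed.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '#!/bin/sh\n# PROVIDE: jail\n# KEYWORD: nojail shutdown\n' > "$tmp/jail_stock"
printf '#!/bin/sh\n# PROVIDE: jail\n# KEYWORD: shutdown\n' > "$tmp/jail_patched"

# Show how each header is treated on the host and inside a jail:
# jail_stock is run on the host but skipped in a jail; jail_patched runs in both.
for s in jail_stock jail_patched; do
    echo "$s: host=$(rc_decision "$tmp/$s" 0) jail=$(rc_decision "$tmp/$s" 1)"
done
```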