Re: jail.conf question (vnet.interface)

In reply to: Milan Obuch : "Re: jail.conf question (vnet.interface)"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: James Gritton <jamie_at_freebsd.org>
Date: Mon, 07 Jun 2021 17:34:30 UTC

On 2021-06-07 00:04, Milan Obuch wrote:
>> > I need more interfaces moved this way. It is no problem issue
>> > manually
>> >
>> > ifconfig re3 vnet jail0
>> >
>> > but trying to write
>> >
>> > jail0
>> >  {vnet;
>> >   vnet.interface = re2;
>> >   vnet.interface = re3;
>> >  }
>> >
>> > in jail.conf means only re3 is moved and can be configured with
>> > standard rc.conf config file. First instance (re2) is kind of
>> > overwritten and forgotten.
>> >
>> > Is it possible to move more interfaces this way at all? I'd like to
>> > avoid any hacks if possible, and any workaround for this is ugly...
>> >
>> 
>> It's not possible to add more than one interface that way.  It would
>> make sense for vnet.interface to be an array, so you could say have a
>> comma-separated list or say "vnet.interface += re3".
>> 
> 
> Where is this functionality implemented (at least for ip4.addr list)?
> Which file? Is it a script of some kind?

For ip4.addr, there are two considerations.  Adding the address to the
interface is done by jail(8), by running ifconfig before creating the
jail, and removing the address is likewise by ifconfig after removing
the jail.  But also, the set of multiple addresses is passed through
jail_set(2) when the jail is created.

vnet.interface is handled entirely within jail(8), again running
ifconfig but this time after the jail is created.  There's no
corresponding call to move the interfaces back, as that's automatic
on jail destruction.

>> Currently, anything more than one interface would need to be an
>> ifconfig command added to "exec.created".
>> 
> 
> Thanks for notice. Just to be sure, for interested ones - such a 
> command
> is executed before anything else, namely /etc/rc from jail. I have some
> special scenarion where I am not using /etc/rc in jail, just
> exec.created.

exec.created is the first thing run after jail_set(2) is called.  In
fact, the only difference between exec.created and exec.start is the
fact that the single vnet.interface is moved between them.  The order
of operations in jail creation is:

exec.prepare
ifconfig for adding IP addresses to interfaces
mount filesystems
exec.prestart
create the jail
exec.created
transfer vnet.interface
exec.start and/or command (run in jail environment)
exec.poststart

That provides a chance to run custom commands at just about any stage
of jail creation.

- Jamie