Page MenuHomeFreeBSD

Add support for jail.d
Needs ReviewPublic

Authored by antranigv_freebsd.am on Apr 25 2020, 10:30 AM.

Details

Reviewers
jamie
kevans
Group Reviewers
manpages
rc
Summary

Using /etc/jail.{jailname}.conf is nice, however it makes /etc/ very messy if you have many jails, this patch will help to have jail configurations in /etc/jail.d

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 32382
Build 29863: arc lint + arc unit

Event Timeline

It would be good to mention this in some man pages as well.

Use .Pa macro for file system path.

libexec/rc/rc.d/jail
129

It occurs to me looking at this that we won't pick up any jails with either /etc/jail.<foo>.conf or /etc/jail.d/<foo>.conf for the various _ALL actions. I'm not sure that that's ideal, but I'm not sure that's something that needs to be resolved here.

share/man/man5/rc.conf.5
3847–3854

This note should be revised a little bit -- /etc/jail.conf is still the canonical and only $jail_conf, these other ones will just get used as configuration if the jail is specifically named as an argument to the jail rc script.

usr.sbin/jail/jail.8
147 ↗(On Diff #71321)

This change should be reverted, since this is talking specifically about the -f argument, which remains unchanged. /etc/jail.<name>.conf and /etc/jail.d/<name>.conf are implementation details of the rc script, which will change what it passes to -f.

The new directory should also likely get added/tagged in mtree (^/etc/mtree/BSD.root.dist), so that we create it empty and add it to the 'utiltiies' package.

Correct the documentation

As mentioned by kevans, jail.8 should not be changed, while in rc.conf it should be mentioned that the non /etc/jail.conf Jails will start only when listed in jail_list.

Hmm, I think it looks better this way?

Regarding the issue with _ALL actions, maybe it's better if I address that with another patch?

libexec/rc/rc.d/jail
121

I don't think the \/ is intended here.

Fixed an unintended slash in rc script

I would love for there to be some way to include global config in jail.conf and per-jail config in jail.d/${jail}.conf. This is a good start in that direction.
Getting libucl to work properly with the current jail.conf format would be a nice way to handle that. I have opened an issue here for one of the limitations I see preventing this: https://github.com/vstakhov/libucl/issues/227

Apart from the little man page nit I'm satisfied with this for now, but let's get it approved/committed by someone with more sway in the area.

share/man/man5/rc.conf.5
3847

Maybe spell out "jailname"

Don't forget to update .Dd for manual pages. :-)

Also I think it would be nice to add some words in jail(8).

share/man/man5/rc.conf.5
27

Don't forget to update the date here. :-)

antranigv_freebsd.am marked an inline comment as done.

Update the date in the man page.

share/man/man5/rc.conf.5
3847

Hmm, looks like the whole man page uses "jname" instead of "jailname".

Can you check the manpage with textproc/igor and "mandoc -Tlint" to see if they find anything?
Thank you!

Update the man page according to textproc/igor

igor was complaining that

rc.conf.5:3848:trailing whitespace:.Pa /etc/jail. Ns Ao Ar jname Ac Ns Va .conf[ ]

which has been fixed

however, still not able to understand mandoc's STYLE message :(

mandoc: share/man/man5/rc.conf.5:3848:14: STYLE: no blank before trailing delimiter: Pa /etc/jail.

however, still not able to understand mandoc's STYLE message :(

mandoc: share/man/man5/rc.conf.5:3848:14: STYLE: no blank before trailing delimiter: Pa /etc/jail.

It means that there must be a space after "jail":

.Pa /etc/jail .

Sorry for if this sounds link nitpicking. While checking /etc recently, I found that we have two naming of .d directory and its related .conf file in /etc:

pam.d - pam.conf
syslog.d - syslog.conf

and

newsyslog.conf.d - newsyslog.conf
rc.conf.d - rc.conf

And there are also ones not in these two cases:

cron.d - crontab
rc.d - which is where we put scripts but not config files.

This makes me think that what we should name this directory, jail.d or jail.conf.d? And for the above, it would be nice to get them aligned.

shorter is better, +1 for jail.d

In D24570#607987, @pi wrote:

shorter is better, +1 for jail.d

The problem with shorter in this case is that it's too vague, raising the possibility of confusion if some extended jail manager were to land in base. jail.conf.d is still relatively short, but more importantly cannot conflict with anything else because other applications already could not use jail.conf.

While I understand @pi 's point, I think jail.conf.d is better. I'm also planning to submit my base-based written in shell jail orchestration tool, using jail.d would be better for integrations (e.g. hooks, scripts, etc).

When decided, I will change the patch as needed.

I would love for there to be some way to include global config in jail.conf and per-jail config in jail.d/${jail}.conf. This is a good start in that direction.
Getting libucl to work properly with the current jail.conf format would be a nice way to handle that. I have opened an issue here for one of the limitations I see preventing this: https://github.com/vstakhov/libucl/issues/227

i'd rather we have a pre-processor that issues warnings and urges people to upgrade their configs to pure UCL than to add explicit anything to the library

Hi,

ezjail has jail-config files in /usr/local/etc/ezjail/. Would it make sense to be able to override the path (BTW: /etc/jail.conf.d would be my preference), in the sense of having it as a variable in /etc/defaults/rc.conf (would this help in the netboot case)?
Would it make sense to make this a list,, so that I could do e.g. jail_conf_dir="/etc/jail.conf.d /usr/local/etc/jail.conf.d"?

Bye,
Alexander.