Add jail awareness to linprocfs and linsysfs
ClosedPublic
Actions

Authored by lifanov_mail.lifanov.com on Jun 17 2015, 1:28 AM.

Details

Reviewers

• rodrigc
jamie
araujo
vangyzen
• ian

Group Reviewers

manpages

Summary

This adds mount.linsysfs, mount.linprocfs, allow.mount.linsysfs, and
allow.mount.linprocfs to jail framework. By setting these values
in jail.conf (or as a sysctl), it is possible to have these filesystems
mountable within a jail.

This allows to nest a Linux jail inside of a native FreeBSD jail.
It is useful to do in order to run (and hack on) a jail management framework
that supports Linux jail while jailed itself.

The motivation is to make development and testing of Docker support in
FreeBSD easier and safer, but it is good for other things as well.

Test Plan

Run jails as usual. This should work.
Run jails with enforce_statfs=1, allow.mount.linsysfs, allow.mount.linprocfs.
This will allow to launch child jails that can mount linsysfs and linprocfs.
Run jails with Linux userland with mount.linsysfs and mount.linprocfs.
This should Just Work and Do The Right Thing.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Event Timeline

lifanov_mail.lifanov.com updated this revision to Diff 6255.Jun 17 2015, 1:28 AM

lifanov_mail.lifanov.com retitled this revision from to Add jail awareness to linprocfs and linsysfs.

lifanov_mail.lifanov.com updated this object.

lifanov_mail.lifanov.com edited the test plan for this revision. (Show Details)

lifanov_mail.lifanov.com added subscribers: koobs, • rodrigc.

Herald added a reviewer: manpages. · View Herald TranscriptJun 17 2015, 1:28 AM

Herald added a subscriber: imp. · View Herald Transcript

lifanov_mail.lifanov.com added a reviewer: araujo.Jun 17 2015, 2:03 AM

I added @jamie and @vangyzen as they were the last two guys that made changes on jail and linprocfs.

I'd prefer it do a little less: first, the old shell-based parameters for /etc/rc.d/jail are for backward compatibility, and anyone who's going to be using new parameters should also be using the "new" config file. Also, the mount.linprocfs/linsysfs parameters don't need to exist. They exist mostly to cover things that were already in the old rc.d system, and can as easily be covered by the more general "mount" parameter.

That reduces this patch to just adding the allow.mount.linprocfs/linsysfs parameters to the kernel. There's a small bug in how that was done - their order in kern_jail.c's pr_allow_names and pr_allow_nonames should match the bit ordering of their flags in jail.h.

Address feedback from jamie:

o Remove mount.* changes, which are not even needed to do what
I want to do, but I added for completion's sake.

o Fix kern_jail.c param ordering to match jail.h

All the rest, looks good to me.

sys/sys/jail.h
236	Please, here use TAB as made in the other definitions, shall try to keep the same style.
usr.sbin/jail/jail.8
28	Here, I think you shall BUMP the date again, when this patch get closes to be committed.
576	I do believe here you won't mention about procfs but you might want to mention about the linsysfs. Anyhow, I think would be good change this part of the content and avoid do the copy and past from the linprocfs section.