Page MenuHomeFreeBSD

Teach ifconfig to attach and run itself in a jail.
ClosedPublic

Authored by nyan_myuji.xyz on May 22 2023, 7:37 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 25, 3:44 AM
Unknown Object (File)
Sun, Dec 22, 8:27 PM
Unknown Object (File)
Mon, Dec 16, 5:44 PM
Unknown Object (File)
Thu, Dec 12, 3:40 AM
Unknown Object (File)
Sat, Dec 7, 10:41 PM
Unknown Object (File)
Tue, Dec 3, 6:28 AM
Unknown Object (File)
Sat, Nov 30, 2:45 PM
Unknown Object (File)
Sat, Nov 30, 9:37 AM
Subscribers

Details

Summary

Add -j <jail> flag to ifconfig to allow ifconfig to attach and run inside a
jail. This allow parent to configure network interfaces of its children
even if ifconfig is not available in child's tree (e.g. Linux Jails)

Event: Kitchener-Waterloo Hackathon 202305

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

sbin/ifconfig/ifconfig.c
468

The following sounds more idiomatic to me:

jid = jail_getid(optarg);
if (jid == -1)

Perror("1");

if (jail_attach(jid) != 0)

Perror("2");
sbin/ifconfig/ifconfig.c
468

Great! I prefer that too just worry about breaking style.

LGTM. You may want to add a manual page changes as well.

This revision is now accepted and ready to land.May 22 2023, 8:13 PM

yes let's add the man page in here too

sbin/ifconfig/ifconfig.c
473

Do we want

#else
    Perror("not built with jail support")

or leave j out of options when not #ifdef JAIL?

  • modify man page to refactor the new -j flag
This revision now requires review to proceed.May 22 2023, 10:23 PM
sbin/ifconfig/ifconfig.8
31

Bump the date. :-)

sbin/ifconfig/ifconfig.c
473

Maybe perror() is easier since going the other way, we also need to have usage() #ifdef'd

If would be perfect if you want to add a simple test under tests/

  • print error and exit if -j specified but ifconfig isn't built with jail support
  • bump manpage date

BTW, I'm not sure if doing jail_attach() in args_parse() is a common or good practice.

Move jail_attach away from args_parse

This revision is now accepted and ready to land.May 23 2023, 2:35 AM
melifaro added a subscriber: melifaro.
melifaro added inline comments.
sbin/ifconfig/ifconfig.c
443

Nit: this is not needed, args is zeroed by default.

  • remove explicit initialization
This revision now requires review to proceed.May 23 2023, 7:43 PM
This revision is now accepted and ready to land.May 23 2023, 7:45 PM

It would be nice to have something similar for route. Setting up network state for containers with external connectivity also needs some way of setting a default route. For podman, I ended up nesting the container jail inside another jail where I can safely run ifconfig and route without requiring their presence inside the container (or trusting the container's binaries if they are present).

Would there be any objection to me merging this change and the related change in D40377 to stable/13? It would make setting up container networking for containerd and nerdctl much simpler. For podman, it could also make networking more efficient - we currently use two jails per container with one solely used to own the container vnet while also allowing access to host networking tools.

In D40213#943667, @dfr wrote:

Would there be any objection to me merging this change and the related change in D40377 to stable/13? It would make setting up container networking for containerd and nerdctl much simpler. For podman, it could also make networking more efficient - we currently use two jails per container with one solely used to own the container vnet while also allowing access to host networking tools.

No objection, the only note is that ifconfig(8) code is different in stable/13, so likely it would require some changes.