Page MenuHomeFreeBSD
Differential D42675

jail(8): make '-cm' run 'command=' in modify case as well
AbandonedPublic
Actions

Authored by igor.ostapenko_pm.me on Nov 19 2023, 1:15 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Apr 27, 2:29 AM
Unknown Object (File)
Sat, Apr 27, 12:41 AM
Unknown Object (File)
Sun, Apr 7, 12:28 PM
Unknown Object (File)
Dec 29 2023, 12:26 PM
Unknown Object (File)
Dec 26 2023, 12:48 PM
Unknown Object (File)
Dec 21 2023, 2:55 AM
Unknown Object (File)
Nov 20 2023, 4:32 AM
Subscribers
imp
jamie

Details

Reviewers
None
Group Reviewers
Jails
Summary

It allows to get command= be applied in case the given jail exists and -cm means modification instead of creation. It also handles a case when nopersist command= is used, i.e. the command runs first and nopersist takes place after, what removes the jail after the command, not before.

I think it could be found useful in some scripting and other simple cases when it needs no additional if/else logic, e.g. it could be a sequence of invocations with the same set of jail params, but different commands, and when we know that this is the last command and a jail should be revoked we could simply add nopersist to the params:

  • jail -cm <the-same-params-with-persist> command=one
  • jail -cm <the-same-params-with-persist> command=two
  • jail -cm <the-same-params-with-persist> nopersist command=last

Initially this patch was created while I was working on the cheapest variant of kyua jail support, but it ended up with another, more explicit, approach.

As long as some time was invested I would like to share this prototype, in case it's found interesting. But I completely understand that it can be a definite "no-no" due to established behavior and philosophy.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

igor.ostapenko_pm.me created this revision.Nov 19 2023, 1:15 PM
Herald added a subscriber: imp. · View Herald TranscriptNov 19 2023, 1:15 PM
igor.ostapenko_pm.me requested review of this revision.Nov 19 2023, 1:15 PM
jamie added a subscriber: jamie.Nov 20 2023, 5:41 PM

The command parameters (including "command" itself) are well established as being run during jail setup and teardown. I would expect a lot of existing configuration to have problems with the command being run when the jail has already started up. While it makes sense on the command line, I don't want to break the connection between file configuration and command line configuration (more than it's already broken).

This could be fixed with perhaps an option to direct scripts to be run on modification. Or perhaps yet another exec.foo parameter, since it's kind of arbitrary which scripts are run in the modify case (in particular, I noticed that exec.poststart isn't in the list).

igor.ostapenko_pm.me abandoned this revision.Nov 20 2023, 9:30 PM

Fair enough. Thank you. It was an expected outcome, it confirms my doubts. And I personally do not have production needs or something else to continue work on this and discuss possible alternatives or workarounds like exec.foo.

Thanks for your time and attention.

igor.ostapenko_pm.me mentioned this in D42350: kyua: add jail execution environment.Jan 9 2024, 9:20 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
jail/
19 lines
38 lines
1 line

Diff 130314

View Options

usr.sbin/jail/config.c

Loading...
View Options

usr.sbin/jail/jail.c

Loading...
View Options

usr.sbin/jail/jailp.h

Loading...