
init: Add jail(8) support
Needs Review, Public

Authored by hrs on Aug 26 2024, 5:46 PM.

Details

Reviewers
None
Group Reviewers
Jails
Summary

This change allows init(8) to run in a jail environment to emulate a bootstrap
of another full-blown userland environment. While most of the tasks
handled by init(8) are useless inside a jail, invoking /sbin/init as the
initial process is more natural for a Unix-like OS and watching terminal
ports is still useful.

For example, you can get a login prompt to a jail using
"cu -l /dev/nmdm0A" if you have the following configuration:

/etc/jail.conf on the host environment:

exec.start = "/sbin/init";

/etc/ttys inside a jail:

nmdm0B "/usr/libexec/getty 3wire" xterm on secure

Note that your jail environment must have devfs mounted and
must unhide the /dev/nmdm* path.

init(8) with this patch runs inside a jail in the following way:

  • It calls fork() and the child process handles the state machine transition.
  • After the child process finishes running the rc(8) script, it will send a notification to the parent, and then the parent process terminates. The jail(8) utility typically blocks until this notification arrives. This reproduces the behavior of running the rc(8) script and then entering the multi-user mode on the host environment.
  • The child process will read /etc/ttys and handle terminal ports in the infinite loop after the parent terminates.
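
The fork, notify and exit sequence in the list above, as an added sketch that is not the code from this revision. It assumes a pipe carries the notification (the summary does not name the mechanism); `start_and_wait` and `demo_rc` are hypothetical names.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#include <unistd.h>

/*
 * Added illustration, not code from this revision. Fork a worker, run
 * startup() in it (stand-in for the rc(8) script) and block until it reports.
 * Assumption: a pipe carries the notification; the summary names no mechanism.
 * Returns startup()'s status (0-255), or -1 if the worker never reported.
 */
int
start_and_wait(int (*startup)(void), pid_t *worker)
{
	int fds[2];
	unsigned char status;
	ssize_t n;

	if (pipe(fds) == -1)
		return (-1);
	if ((*worker = fork()) == -1) {
		close(fds[0]);
		close(fds[1]);
		return (-1);
	}
	if (*worker == 0) {
		close(fds[0]);
		status = (unsigned char)startup();
		if (write(fds[1], &status, 1) != 1)	/* notify the parent */
			_exit(1);
		close(fds[1]);
		for (;;)		/* stand-in for the /etc/ttys loop */
			pause();
	}
	close(fds[1]);		/* read() then sees EOF if the worker dies early */
	n = read(fds[0], &status, 1);
	close(fds[0]);
	return (n == 1 ? status : -1);
}

int demo_rc(void) { return (0); }	/* constructed startup task */

int main(void)
{
	pid_t worker = -1;
	int rc = start_and_wait(demo_rc, &worker);
	if (worker > 0 && kill(worker, SIGTERM) == 0)	/* demo cleanup only */
		waitpid(worker, NULL, 0);
	return (rc == 0 ? 0 : 1);
}
```

Closing the write end in the parent before reading is what keeps the caller from blocking forever when the worker dies before it reports.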

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 59181
Build 56068: arc lint + arc unit

Event Timeline

hrs requested review of this revision. Aug 26 2024, 5:46 PM

How much of the init code is actually used for all this? I wonder if this could be a dedicated jinit binary which has no inside knowledge about the various signals and pid == 1 etc.?

Otherwise I am reminded about the stack open at https://reviews.freebsd.org/D15865 which gives full process virtualisation for jails as well (with its own init); there were some mgmt concerns and it probably needs heavy updating...