sysctl: Teach sysctl to attach and run itself in a jail
AcceptedPublic
Actions

Authored by zlei on Thu, Jan 23, 8:37 AM.

Details

Reviewers

jamie
markj
dfr

Group Reviewers

Jails

Summary

This allows the parent jail to retrieve or set kernel state when child
does not have sysctl installed (e.g. OCI containers or slim jails ).

This is especially useful when manipulating jail prison or vnet sysctls.
For example, sysctl -j foo -Ja or sysctl -j foo net.fibs=2.

MFC after: 1 week
Relnotes: yes

Test Plan

# jail -c -n foo host.hostname=foo.example.org vnet persist
# sysctl -j foo -J kern.hostname
kern.hostname: foo.example.org
# sysctl -j foo net.fibs=2
net.fibs: 1 -> 2

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

zlei created this revision.Thu, Jan 23, 8:37 AM

Herald added a subscriber: imp. · View Herald TranscriptThu, Jan 23, 8:37 AM

zlei requested review of this revision.Thu, Jan 23, 8:37 AM

Looks good to me. It would also be nice to have something similar for ip6addrctl to make it easier to have different address selection policies in vnet jails (e.g. host is dual stack and prefers IPv6 but jail only has IPv4 and should prefer IPv4 replies to DNS lookups).

This revision is now accepted and ready to land.Thu, Jan 23, 2:03 PM

markj added inline comments.Thu, Jan 23, 2:15 PM

sbin/sysctl/sysctl.c
252	When -j is used, I guess `conffile` is interpreted relative to the jail root. Is that what we want? I'm not sure what the right default is. The patch gives the same behaviour as `jexec foo sysctl ...`, but then what's the point of having -j?

zlei added inline comments.Thu, Jan 23, 2:43 PM

sbin/sysctl/sysctl.c
252	When -j is used, I guess `conffile` is interpreted relative to the jail root. Is that what we want? Good question. I'm not sure what the right default is. The patch gives the same behaviour as `jexec foo sysctl ...`, but then what's the point of having -j? Given the man doc says: -f filename Specify a file which contains a pair of name and value in each line. sysctl reads and processes the specified file first and then processes the name and value pairs in the command line argument. I think we should processes the file first, and then attach to the desired jail. This would ease the configuration of jails, say share `sysctl.conf` between jails. How about this, let the order of `-j jail` and `-f filename` matters, i.e., `sysctl -j foo -f sysctl.conf` attach to jail first, but `sysctl -f sysctl.conf -j foo` process the file first ? That is somewhat complex and a little confusing, so should be documented highlight and explicitly.

markj added inline comments.Thu, Jan 23, 2:51 PM

sbin/sysctl/sysctl.c
252	How about this, let the order of -j jail and -f filename matters IMO this is too subtle and unusual for a unix command-line utility. Options should be order-independent. I suspect we should process the file, then attach to the jail.