sysctl: Teach sysctl to attach and run itself in a jail
ClosedPublic
Actions

Authored by zlei on Thu, Jan 23, 8:37 AM.

Details

Reviewers

jamie
markj
dfr

Group Reviewers

Jails

Commits

rG08aa7128dea4: sysctl: Teach sysctl to attach and run itself in a jail

Summary

This allows the parent jail to retrieve or set kernel state when child
does not have sysctl installed (e.g. OCI containers or slim jails ).

This is especially useful when manipulating jail prison or vnet sysctls.
For example, sysctl -j foo -Ja or sysctl -j foo net.fibs=2.

MFC after: 1 week
Relnotes: yes

Test Plan

# jail -c -n foo host.hostname=foo.example.org vnet persist
# sysctl -j foo -J kern.hostname
kern.hostname: foo.example.org
# sysctl -j foo net.fibs=2
net.fibs: 1 -> 2
# echo "net.fibs=3" > /tmp/sysctl.conf
# sysctl -j foo -f /tmp/sysctl.conf
net.fibs: 2 -> 3

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

zlei created this revision.Thu, Jan 23, 8:37 AM

Herald added a subscriber: imp. · View Herald TranscriptThu, Jan 23, 8:37 AM

zlei requested review of this revision.Thu, Jan 23, 8:37 AM

Looks good to me. It would also be nice to have something similar for ip6addrctl to make it easier to have different address selection policies in vnet jails (e.g. host is dual stack and prefers IPv6 but jail only has IPv4 and should prefer IPv4 replies to DNS lookups).

This revision is now accepted and ready to land.Thu, Jan 23, 2:03 PM

markj added inline comments.Thu, Jan 23, 2:15 PM

sbin/sysctl/sysctl.c
252	When -j is used, I guess `conffile` is interpreted relative to the jail root. Is that what we want? I'm not sure what the right default is. The patch gives the same behaviour as `jexec foo sysctl ...`, but then what's the point of having -j?

zlei added inline comments.Thu, Jan 23, 2:43 PM

sbin/sysctl/sysctl.c
252	When -j is used, I guess `conffile` is interpreted relative to the jail root. Is that what we want? Good question. I'm not sure what the right default is. The patch gives the same behaviour as `jexec foo sysctl ...`, but then what's the point of having -j? Given the man doc says: -f filename Specify a file which contains a pair of name and value in each line. sysctl reads and processes the specified file first and then processes the name and value pairs in the command line argument. I think we should processes the file first, and then attach to the desired jail. This would ease the configuration of jails, say share `sysctl.conf` between jails. How about this, let the order of `-j jail` and `-f filename` matters, i.e., `sysctl -j foo -f sysctl.conf` attach to jail first, but `sysctl -f sysctl.conf -j foo` process the file first ? That is somewhat complex and a little confusing, so should be documented highlight and explicitly.

markj added inline comments.Thu, Jan 23, 2:51 PM

sbin/sysctl/sysctl.c
252	How about this, let the order of -j jail and -f filename matters IMO this is too subtle and unusual for a unix command-line utility. Options should be order-independent. I suspect we should process the file, then attach to the jail.

Attach to jail after opening the config file.

This revision now requires review to proceed.Wed, Jan 29, 11:42 AM

zlei marked 2 inline comments as done.Wed, Jan 29, 11:44 AM

Update the man page, add note about how the -f filename will be processed when -j jail option is provided.

zlei added inline comments.Thu, Jan 30, 1:07 PM

sbin/sysctl/sysctl.8
107	I guess `read -> opened` is more clear.

@markj Does the latest revision look good to you ?

markj accepted this revision.Thu, Jan 30, 3:20 PM

markj added inline comments.

sbin/sysctl/sysctl.c
603	IMO it would be cleaner to refactor this function first: have the caller open the file and pass in the file handle. Then the caller can do: if (conffile) f = fopen(...) attach_jail(); if (conffile) parsefile(f); so we don't need multiple attach_jail() calls. This version is okay though, I don't insist on changing anything.