Thanks for the suggestion of trying to use 'ifconfig interface vnet jail'
in the scripts themselves.

I'll get my scripts up once I've got them running again confidently
and can get proper licensing on them.

TL;DR

* Is there a clean way to "catch" failures in jail(8) creation after
  exec.prestart completes, such as vnet.interface failing?

* Is there a good way to execute commands in the host environment once
  jail(8) brings up the jail, but before exec.start runs?
The rest:

I've been thinking about that for a while, especially as there isn't a
way to "catch" an execution error in jail(8) itself, such as the vnet
transition failing. (Yes, I'll open an issue on that once I'm convinced
I can't do it with the current jail functionality.)

To be able to call 'ifconfig interface vnet jail' the jail needs to
exist already:

    # ifconfig ngeth3 vnet t2
    ifconfig: jail "t2" not found

Further, the network needs to be up and running when services are
started. ntpd, anything that binds to a specific interface (rather
than *), anything that needs DNS (such as nginx providing proxy
services), ...


jail(8) tells me I have the following hooks available:

    exec.prestart  -- jail isn't created yet
    exec.start     -- runs *in* the jail; typically starts execution
    exec.poststart -- runs in the host, after exec.start completes

There isn't a "jail up, but not executing yet" hook in the host
environment that I am aware of.

There is a somewhat ugly approach along the lines of:

    exec.prestart  -- do the setup on the host side
    exec.start     -- '/bin/true' or 'return 0' -- don't do anything
    exec.poststart -- 'ifconfig interface vnet jail'-like things
                      'jexec jail sh /etc/rc > ${exec.consolelog}'


Is there a better approach that someone out there knows of?


Thanks!

Jeff

On 2/15/17 2:30 AM, Ernie Luzar wrote:
> Jeff Kletsky wrote:
>> TL;DR
>>
>> Is there a patch available to allow substitution of "array" parameters
>> into the strings used for exec.prestart, exec.poststop, and the like?
>>
>> [...]
> An alternate method to coding the jail.conf vnet.interface parameter is to use the "ifconfig vnet" command to enable it and "ifconfig -vnet" command to disable it in your netgraph script that starts and stops the vnet jail. Doing so would eliminate your current desire for array processing in the jail.conf definition altogether.
>
> I use the bridge/epair method myself because it's so much easier to understand. If you don't mind sharing, I sure would like to see your netgraph script for vnet jail control once you get it working.
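As an added illustration (not code from either poster) of the "somewhat ugly approach" Jeff sketches above, here is a host-side exec.poststart helper: with exec.start set to /bin/true, it moves the interfaces into the jail's vnet, exits non-zero if any move fails so the failure is visible to jail(8) rather than leaving a jail with no networking running its rc, and only then runs /etc/rc inside the jail via jexec. The jail name t2, interface ngeth3, script paths and the jail.conf fragment in the comment are assumptions; how jail(8) reacts to a failed exec.poststart should be checked against the jail(8) page of the version in use.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed (hypothetical) jail.conf fragment using this script:
#   t2 {
#       vnet;
#       exec.prestart   = "/usr/local/etc/ng-up.sh ngeth3";   # host-side setup
#       exec.start      = "/bin/true";                        # do nothing in-jail yet
#       exec.poststart  = "/usr/local/etc/jail-poststart.sh t2 ngeth3";
#       exec.consolelog = "/var/log/jail_t2_console.log";
#   }

# Move each interface into the jail's vnet. Returns 1 on the first
# failure so the caller never starts services without networking.
attach_vnet_ifaces() {
    jname="$1"; shift
    for iface in "$@"; do
        if ! ifconfig "$iface" vnet "$jname"; then
            echo "poststart: ifconfig $iface vnet $jname failed" >&2
            return 1
        fi
    done
    return 0
}

# Run the jail's rc only after networking is in place, appending
# output to the jail's console log.
start_jail_rc() {
    jname="$1"; log="$2"
    jexec "$jname" /bin/sh /etc/rc >> "$log" 2>&1
}

# Full poststart sequence: <jail> <logfile> <iface>...
poststart() {
    jname="$1"; log="$2"; shift 2
    attach_vnet_ifaces "$jname" "$@" || return 1
    start_jail_rc "$jname" "$log"
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    jname="$1"; shift
    poststart "$jname" "/var/log/jail_${jname}_console.log" "$@"
fi
```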
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"