On 2017-02-17 10:58, Jeff Kletsky wrote:
...
I've been thinking about that for a while, especially as there isn't a
way to "catch" an execution error in jail(8) itself, such as the vnet
transition failing. (Yes, I'll open an issue on that once I'm convinced
I can't do it with the current jail functionality.)

To be able to call 'ifconfig interface vnet jail' the jail needs to
exist already:

    # ifconfig ngeth3 vnet t2
    ifconfig: jail "t2" not found

Further, the network needs to be up and running when services are
started. ntpd, anything that binds to a specific interface (rather
than *), anything that needs DNS (such as nginx providing proxy
services), ...


jail(8) tells me I have the following hooks available

    exec.prestart  -- jail isn't created yet
    exec.start     -- runs *in* the jail; typically starts execution
    exec.poststart -- runs in the host, after exec.start completes

There isn't a "jail up, but not executing yet" hook in the host
environment that I am aware of.

There is a somewhat ugly approach along the lines of:

    exec.prestart  -- do the setup on the host side
    exec.start     -- '/bin/true' or 'return 0' -- don't do anything
    exec.poststart -- 'ifconfig interface vnet jail'-like things
                      'jexec jail sh /etc/rc > ${exec.consolelog}'


Is there a better approach that someone out there knows of?

There's nothing better at this point - the ugly solution you mention is the current best way. The exec.* options come from analogs of the rc-script days, which precede vnet. The specific "ifconfig interface vnet jail" thing was handled by the vnet.interface parameter, but it would be good to have a more general set of exec scripts to run in the create side post-create but pre-start.

But I'm not sure such a thing will appear. Aside from the cumbersome naming of something between prestart and start, I can see this blowing up: there could well be a situation where you want something run in the host, something in the jail, something else in the host, something else in the jail. I considered vnet.interface to be the common case, but there will always be more specific work where the best solution is to just run a script on the host side.

- Jamie
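The two arrangements discussed in this thread, written out as a jail.conf(5) fragment. This is an added example, not configuration from either poster: the jail name t2 and the interface ngeth3 are taken from Jeff's ifconfig output above, while the path, hostname and log location are assumed. The first block is the "prestart / true / poststart" workaround; the second is the vnet.interface form Jamie points to for the common case. In the workaround the interface move and the rc run are chained with && so that, if the move fails, no service starts in a jail whose network is not yet in place.

```conf
# Constructed example: the workaround from the thread.
# Host-side setup runs before the jail exists, exec.start does nothing,
# and exec.poststart (host side, jail exists but idle) moves the interface
# and only then boots the jail's rc so services see their network.
t2_manual {
    name = "t2";
    path = "/jails/t2";            # assumed
    host.hostname = "t2.example";  # assumed
    vnet;
    exec.consolelog = "/var/log/jail_t2_console.log";  # assumed

    exec.prestart  = "echo prestart: host-side setup for ${name}";  # placeholder for real setup
    exec.start     = "/bin/true";
    exec.poststart = "ifconfig ngeth3 vnet ${name} && jexec ${name} sh /etc/rc >> ${exec.consolelog} 2>&1";
    exec.stop      = "sh /etc/rc.shutdown";
}

# Constructed example: the same jail using vnet.interface, which jail(8)
# handles itself after the jail is created and before exec.start runs,
# so rc can start normally inside the jail.
t2_vnet {
    name = "t2";
    path = "/jails/t2";            # assumed
    host.hostname = "t2.example";  # assumed
    vnet;
    vnet.interface = "ngeth3";
    exec.consolelog = "/var/log/jail_t2_console.log";  # assumed

    exec.start = "sh /etc/rc";
    exec.stop  = "sh /etc/rc.shutdown";
}
```

Only one of the two definitions would be present in a real jail.conf; they are shown side by side here for comparison. The vnet.interface form also releases the interface back to the host when the jail is removed, which the manual workaround has to arrange itself in exec.poststop. Later FreeBSD releases added an exec.created hook (host side, after the jail exists but before exec.start), which is the "jail up, but not executing yet" point Jeff asks about; check jail.conf(5) on the release in use before relying on it.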
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
