Refactored:

- internal functions do not have the jaildk_ prefix anymore, this
  is now reserved for interactive commands only.
- added variable precedence using 'local' keyword to avoid variable
  conflicts etc.
- suppress 'type' output
- use here-doc for vnet usage
Thomas von Dein
2021-07-05 14:26:10 +02:00
parent 2d1e3ceef9
commit 3a3dce8903

275
jaildk

@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
version=1.21 version=1.22
usage_jaildk() { usage_jaildk() {
beg=`tput -T ${TERM:-cons25} md` beg=`tput -T ${TERM:-cons25} md`
@@ -96,8 +96,9 @@ die() {
} }
load-jail-config() { load-jail-config() {
jail=$1 local jail=$1
if test -d $j/etc/$jail; then if test -d $j/etc/$jail; then
# everything inside gets global
. $j/etc/$jail/jail.conf . $j/etc/$jail/jail.conf
else else
die "Jail $jail is not configured!" die "Jail $jail is not configured!"
@@ -105,6 +106,8 @@ load-jail-config() {
} }
die_if_not_exist() { die_if_not_exist() {
local jail which jailversion
jail=$1 jail=$1
which=$2 which=$2
jailversion=$3 jailversion=$3
@@ -134,10 +137,10 @@ parse_jail_conf() {
# Output may be empty, so check before using. Multiple variables # Output may be empty, so check before using. Multiple variables
# of the same type (like multiple ip addresses) will be returned # of the same type (like multiple ip addresses) will be returned
# comma separated. # comma separated.
jail=$1
search=$2 local jail=$1
JAIL='' local search=$2
list='' local JAIL list
# fetch 20 lines after "^$jail {", ignore comments # fetch 20 lines after "^$jail {", ignore comments
egrep -A20 "^$jail" jail.conf | egrep -v "^ *#" | \ egrep -A20 "^$jail" jail.conf | egrep -v "^ *#" | \
@@ -185,6 +188,8 @@ Mount <jail> to $j/build read-writable for maintenance. Options:
} }
jaildk_build() { jaildk_build() {
local jail mode BASE VERSION base version
jail=$1 jail=$1
mode=$2 mode=$2
shift shift
@@ -242,37 +247,40 @@ jaildk_build() {
esac esac
} }
jaildk_pf_ruleset() { pf_ruleset() {
# internal helper to [un]install a pf ruleset # internal helper to [un]install a pf ruleset
_conf=$1 local conf mode anchor jail
_mode=$2 conf=$1
_anchor=$3 mode=$2
_jail=$4 anchor=$3
jail=$4
case $_mode in case $mode in
start) start)
bold "Installing PF rules for jail $_jail:" bold "Installing PF rules for jail $jail:"
pfctl -a /jail/$_anchor -f $_conf -v pfctl -a /jail/$anchor -f $conf -v
;; ;;
status) status)
bold "PF NAT rules for jail $_jail:" bold "PF NAT rules for jail $jail:"
pfctl -a /jail/$_anchor -s nat -v pfctl -a /jail/$anchor -s nat -v
echo echo
bold "PF rules for jail $_jail:" bold "PF rules for jail $jail:"
pfctl -a /jail/$_anchor -s rules -v pfctl -a /jail/$anchor -s rules -v
;; ;;
stop) stop)
bold "Removing PF rules for jail $_jail:" bold "Removing PF rules for jail $jail:"
pfctl -a /jail/$_anchor -v -F all pfctl -a /jail/$anchor -v -F all
;; ;;
restart) restart)
jaildk_pf_ruleset $_conf stop $_anchor $_jail pf_ruleset $conf stop $anchor $jail
jaildk_pf_ruleset $_conf start $_anchor $_jail pf_ruleset $conf start $anchor $jail
;; ;;
esac esac
} }
jaildk_pf_map() { pf_map() {
local extif proto eip eport mport ip v6
extif=$1 extif=$1
proto=$2 proto=$2
eip=$3 eip=$3
@@ -284,7 +292,9 @@ jaildk_pf_map() {
echo "rdr pass on $extif $v6 proto ${proto} from any to ${eip} port ${eport} -> ${ip} port ${mport}" echo "rdr pass on $extif $v6 proto ${proto} from any to ${eip} port ${eport} -> ${ip} port ${mport}"
} }
jaildk_pf_rule() { pf_rule() {
local extif proto eip eport v6
extif=$1 extif=$1
proto=$2 proto=$2
eip=$3 eip=$3
@@ -294,7 +304,9 @@ jaildk_pf_rule() {
echo "pass in quick on $extif $v6 proto ${proto} from any to ${eip} port ${eport}" echo "pass in quick on $extif $v6 proto ${proto} from any to ${eip} port ${eport}"
} }
jaildk_pf_nat() { pf_nat() {
local extif srcip dstip v6
extif=$1 extif=$1
srcip=$2 srcip=$2
dstip=$3 dstip=$3
@@ -303,7 +315,9 @@ jaildk_pf_nat() {
echo "nat on $extif $v6 from $srcip to any -> $dstip" echo "nat on $extif $v6 from $srcip to any -> $dstip"
} }
jaildk_rc_pf() { rc_pf() {
local jail mode conf ruleset extif ipv4 anchor _proto _eport _mport _eports _eip
jail=$1 jail=$1
mode=$2 mode=$2
conf=$j/etc/$jail/pf.conf conf=$j/etc/$jail/pf.conf
@@ -325,9 +339,9 @@ jaildk_rc_pf() {
# we need to make sure the ip address doesn't contain a mask which # we need to make sure the ip address doesn't contain a mask which
# is not required for these rules # is not required for these rules
ip=$(dirname $ip) ipv4=$(dirname $ip)
if test -n "$ip" -a -n "$maps"; then if test -n "$ipv4" -a -n "$maps"; then
# nat and rdr come first # nat and rdr come first
# SAMPLE ruleset # SAMPLE ruleset
@@ -363,21 +377,21 @@ jaildk_rc_pf() {
_mport=${_eport} _mport=${_eport}
fi fi
echo "# from map $map" >> $ruleset echo "# from map $map" >> $ruleset
jaildk_pf_map $extif ${_proto} ${_eip} ${_eport} ${_mport} ${ip} >> $ruleset pf_map $extif ${_proto} ${_eip} ${_eport} ${_mport} ${ip} >> $ruleset
fi fi
for port in ${_eports}; do for port in ${_eports}; do
jaildk_pf_map $extif ${_proto} ${_eip} ${port} ${port} ${ip} >> $ruleset pf_map $extif ${_proto} ${_eip} ${port} ${port} ${ip} >> $ruleset
done done
done done
fi fi
# masq_ip="123.12.12.33" # masq_ip="123.12.12.33"
if test -n "$ip" -a -n "${masq_ip}"; then if test -n "$ipv4" -a -n "${masq_ip}"; then
jaildk_pf_nat $extif $ip ${masq_ip} >> $ruleset pf_nat $extif $ipv4 ${masq_ip} >> $ruleset
fi fi
if test -n "$ip" -a -n "$rules"; then if test -n "$ipv4" -a -n "$rules"; then
# rules="open web" # rules="open web"
# only required for ipv6, ipv4 is already opened with exposed ports # only required for ipv6, ipv4 is already opened with exposed ports
# rule_open="any" # rule_open="any"
@@ -385,12 +399,12 @@ jaildk_rc_pf() {
# rule_web_port="80,443" # rule_web_port="80,443"
for rule in $rules; do for rule in $rules; do
eval _proto=\${rule_${rule}_proto:-tcp} eval _proto=\${rule_${rule}_proto:-tcp}
eval _port=\${rule_${rule}_port} eval _eport=\${rule_${rule}_port}
if test -n "${_port}"; then if test -n "${_port}"; then
if test -n "${ip6}"; then if test -n "${ip6}"; then
echo "# from map $map" >> $ruleset echo "# from map $map" >> $ruleset
jaildk_pf_rule $extif ${_proto} ${ip6} ${_port} inet6 >> $ruleset pf_rule $extif ${_proto} ${ip6} ${_eport} inet6 >> $ruleset
fi fi
else else
echo "Warning: incomplete rule: $rule!" echo "Warning: incomplete rule: $rule!"
@@ -403,16 +417,18 @@ jaildk_rc_pf() {
if test -s $ruleset; then if test -s $ruleset; then
anchor="${jail}-jaildk" anchor="${jail}-jaildk"
jaildk_pf_ruleset $ruleset $mode $anchor $jail pf_ruleset $ruleset $mode $anchor $jail
fi fi
if test -s $conf; then if test -s $conf; then
anchor="${jail}-custom" anchor="${jail}-custom"
jaildk_pf_ruleset $conf $mode $anchor $jail pf_ruleset $conf $mode $anchor $jail
fi fi
} }
jaildk_rc_mtree() { rc_mtree() {
local jail mode base version rw conf
jail=$1 jail=$1
mode=$2 mode=$2
base=$3 base=$3
@@ -420,19 +436,27 @@ jaildk_rc_mtree() {
rw=$5 rw=$5
rcscript=mtree rcscript=mtree
if [ $mode = "start" ]; then conf=$j/etc/$jail/$rcscript.conf
if test -s $conf; then
case mode in
start|restart)
if test -n "$rw"; then if test -n "$rw"; then
run=$j/build/$jail/ run=$j/build/$jail/
else else
run=$j/run/$jail/ run=$j/run/$jail/
fi fi
ex mtree -p $run -Ue -f $j/etc/$jail/mtree.conf | grep -v "extra:" ex mtree -p $run -Ue -f $j/etc/$jail/mtree.conf | grep -v "extra:"
;;
esac
fi fi
} }
jaildk_rc_rcoff() { rc_rcoff() {
# avoid starting services inside the build chroot # avoid starting services inside the build chroot
# + jaildk_rc_rcoff db start 12.1-RELEASE-p10 20201026 # + rc_rcoff db start 12.1-RELEASE-p10 20201026
local jail mode base VERSION BASE rw
jail=$1 jail=$1
mode=$2 mode=$2
BASE=$3 BASE=$3
@@ -468,7 +492,9 @@ jaildk_rc_rcoff() {
fi fi
} }
jaildk_rc_ports() { rc_ports() {
local jail mode BASE VERSION rw
jail=$1 jail=$1
mode=$2 mode=$2
BASE=$3 BASE=$3
@@ -508,7 +534,10 @@ jaildk_rc_ports() {
fi fi
} }
jaildk_rc_mount() { rc_mount() {
local jail mode BASE VERSION rw conf run base version \
src dest fs opts size perm source
jail=$1 jail=$1
mode=$2 mode=$2
BASE=$3 BASE=$3
@@ -639,6 +668,8 @@ Available rc.d-scripts: $RCSCRIPTS_START"
} }
jaildk_install() { jaildk_install() {
local jail mode rcd rw base version rcscripts type
jail=$1 jail=$1
mode=$2 mode=$2
shift shift
@@ -693,7 +724,7 @@ jaildk_install() {
esac esac
fi fi
else else
rcscripts="jaildk_rc_${rcd}" rcscripts="rc_${rcd}"
if ! type "$rcscripts" > /dev/null 2>&1; then if ! type "$rcscripts" > /dev/null 2>&1; then
die "rc function $rcd doesn't exist!" die "rc function $rcd doesn't exist!"
fi fi
@@ -727,6 +758,8 @@ Uninstall <jail>. Options:
jaildk_uninstall() { jaildk_uninstall() {
# wrapper around _install # wrapper around _install
local jail mode base version all rw
jail=$1 jail=$1
shift shift
rw='' rw=''
@@ -788,6 +821,8 @@ Build a base directory from bsd install media. Options:
} }
jaildk_base() { jaildk_base() {
local jail mode base force removelist basedir clean file rw
base="" base=""
force="" force=""
rw="" rw=""
@@ -937,6 +972,8 @@ var/tmp"
} }
clone() { clone() {
local srcdir dstdir
srcdir=$1 srcdir=$1
dstdir=$2 dstdir=$2
@@ -970,11 +1007,7 @@ Hints:
} }
jaildk_clone() { jaildk_clone() {
src='' local src new srcversion newversion update cloneto clonefrom fs srcmount dstmount opts size perm
new=''
srcversion=''
newversion=''
update=''
while getopts "s:d:o:n:" arg; do while getopts "s:d:o:n:" arg; do
case $arg in case $arg in
@@ -1088,7 +1121,8 @@ jaildk_clone() {
echo echo
else else
. $j/etc/$src/jail.conf . $j/etc/$src/jail.conf
jail=$new # FIXME: possibly not needed! see comment in jaildk_create()
# jail=$new
bold "To mount the build chroot of the new jail, execute:" bold "To mount the build chroot of the new jail, execute:"
echo "jaildk build $new start -b $base -v $newversion" echo "jaildk build $new start -b $base -v $newversion"
fi fi
@@ -1100,6 +1134,7 @@ Create a new jail from template."
} }
jaildk_create() { jaildk_create() {
local jail newjail src srcversion newversion jailhostname
jail=$1 jail=$1
# $jail gets overwritten in jaildk_clone or some subcall to .template :-( ... # $jail gets overwritten in jaildk_clone or some subcall to .template :-( ...
newjail=$jail newjail=$jail
@@ -1127,7 +1162,7 @@ jaildk_create() {
} }
remove() { remove() {
dir=$1 local dir=$1
if test -d $dir; then if test -d $dir; then
ex rm -rf $dir ex rm -rf $dir
@@ -1142,6 +1177,7 @@ Remove <jail> from disk."
} }
jaildk_remove() { jaildk_remove() {
local jail version
jail=$1 jail=$1
shift shift
version='' version=''
@@ -1212,8 +1248,10 @@ Show status of <jail>. Without <jail>, show status of all jails."
jaildk_jail() { jaildk_jail() {
jail=$2 local jail mode jid ip path runs build base _eip ip4addr osrelease path build
# FIXME: reversed argument order for historical reasons, maybe change this?
mode=$1 mode=$1
jail=$2
if test -z "$jail" -a $mode = "status"; then if test -z "$jail" -a $mode = "status"; then
bold "Running jails:" bold "Running jails:"
@@ -1289,6 +1327,7 @@ jaildk_jail() {
} }
get_rc_scripts() { get_rc_scripts() {
local jail jaipath files rcvar
jail="$1" jail="$1"
jailpath=`get_jail_path $jail` jailpath=`get_jail_path $jail`
@@ -1309,6 +1348,8 @@ Execute an rc.d script inside <jail> with parameter <mode>. Options:
} }
jaildk_rc() { jaildk_rc() {
local jail mode rcd jailpath ok script jid
jail=$1 jail=$1
mode=$2 mode=$2
shift shift
@@ -1364,12 +1405,12 @@ jaildk_rc() {
} }
get_jail_path() { get_jail_path() {
jail="$1" local jail="$1"
echo "$(jls |grep -E "^ +[0-9]+ +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ *${jail} +" | awk '{print $4}' | xargs basename)" echo "$(jls |grep -E "^ +[0-9]+ +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ *${jail} +" | awk '{print $4}' | xargs basename)"
} }
get_jid() { get_jid() {
jail="$1" local jail="$1"
echo "$(jls | grep -E "^ +[0-9]+ +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ *${jail} +" | awk '{print $1}' | xargs basename)" echo "$(jls | grep -E "^ +[0-9]+ +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ *${jail} +" | awk '{print $1}' | xargs basename)"
} }
@@ -1383,6 +1424,8 @@ Mounted build chroot's:"
} }
jaildk_blogin() { jaildk_blogin() {
local jail chroot file shell term home path
jail=$1 jail=$1
if test -z "$jail"; then if test -z "$jail"; then
@@ -1427,6 +1470,8 @@ Available jails:"
} }
jaildk_login() { jaildk_login() {
local jail user chroot file shell term home path me
jail=$1 jail=$1
user=$2 user=$2
me=`id -u` me=`id -u`
@@ -1481,12 +1526,11 @@ Stop, uninstall, install and start <jail>. If <base> and/or
} }
jaildk_reinstall() { jaildk_reinstall() {
local jail NEWBASE NEWVERSION ts change base version
jail=$1 jail=$1
shift shift
NEWBASE=''
NEWVERSION=''
while getopts "b:v:" arg; do while getopts "b:v:" arg; do
case $arg in case $arg in
b) NEWBASE=${OPTARG};; b) NEWBASE=${OPTARG};;
@@ -1545,6 +1589,8 @@ jaildk_reinstall() {
jaildk_setup() { jaildk_setup() {
local j version subdir
j=$1 j=$1
if test -z "$j"; then if test -z "$j"; then
@@ -1664,7 +1710,7 @@ Fetch current portscollection, use <version> or todays timestamp as new version"
} }
jaildk_fetchports() { jaildk_fetchports() {
version=`date +%Y%m%d` local version=`date +%Y%m%d`
while getopts "v:" arg; do while getopts "v:" arg; do
case $arg in case $arg in
@@ -1679,15 +1725,15 @@ jaildk_fetchports() {
case $yesno in case $yesno in
y|Y|yes|YES) y|Y|yes|YES)
ex rm -rf $j/ports/$version ex rm -rf $j/ports/$version
jaildk_fetch_ports fetch_ports
;; ;;
esac esac
else else
jaildk_fetch_ports fetch_ports
fi fi
} }
jaildk_fetch_ports() { fetch_ports() {
ex mkdir -p $j/ports/tmp ex mkdir -p $j/ports/tmp
ex fetch -o $j/ports/tmp/ports.tar.gz http://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz ex fetch -o $j/ports/tmp/ports.tar.gz http://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz
ex tar xzfC $j/ports/tmp/ports.tar.gz $j/ports/tmp ex tar xzfC $j/ports/tmp/ports.tar.gz $j/ports/tmp
@@ -1705,15 +1751,21 @@ Options:
} }
freeze_dir() { freeze_dir() {
local dstdir src srcdir layer layerfile
dstdir=$1 dstdir=$1
src=$2 src=$2
srcdir=$(echo $src | cut -d/ -f1) srcdir=$(echo $src | cut -d/ -f1)
layer=$(echo $src | sed "s|$srcdir/||") layer=$(echo $src | sed "s|$srcdir/||")
layerfile=$(echo $layer | sed 's|/|-|g') layerfile=$(echo $layer | sed 's|/|-|g')
ex tar -C $j/$srcdir -cpf $dstdir/$srcdir-$layerfile.tar $layer ex tar -C $j/$srcdir -cpf $dstdir/$srcdir-$layerfile.tar $layer
} }
jaildk_freeze() { jaildk_freeze() {
local jail VERSION ADDBASE ADDAPPL version host freeze tmp mountconf \
src dest fs opts size perm files
jail=$1 jail=$1
shift shift
@@ -1768,7 +1820,7 @@ jaildk_freeze() {
# create sub tarballs from every layer # create sub tarballs from every layer
grep -v "#" $mountconf | while read LINE; do grep -v "#" $mountconf | while read LINE; do
# this is a copy of the code in jaildk_rc_mount() # this is a copy of the code in rc_mount()
# FIXME: put this into a function somehow # FIXME: put this into a function somehow
set -- $(eval echo \""$LINE"\") set -- $(eval echo \""$LINE"\")
@@ -1820,6 +1872,8 @@ jaildk_freeze() {
} }
thaw_tarball() { thaw_tarball() {
local srcdir tarball layer
srcdir=$1 srcdir=$1
tarball=$2 tarball=$2
@@ -1839,6 +1893,8 @@ usage_thaw() {
} }
jaildk_thaw() { jaildk_thaw() {
local image j version jail tmp files bak
image=$1 image=$1
if test -n "$J"; then if test -n "$J"; then
@@ -1916,6 +1972,8 @@ and you need to omit the 'ipfw add' of the command."
} }
jaildk_ipfw() { jaildk_ipfw() {
local jail mode
jail=$1 jail=$1
mode=$2 mode=$2
@@ -1928,11 +1986,11 @@ jaildk_ipfw() {
bold "Managing IPFW Rules..." bold "Managing IPFW Rules..."
case $mode in case $mode in
start) start)
jaildk_ipfw_delete $jail "y" ipfw_delete $jail "y"
jaildk_ipfw_add $jail ipfw_add $jail
;; ;;
stop) stop)
jaildk_ipfw_delete $jail ipfw_delete $jail
;; ;;
esac esac
bold "... done" bold "... done"
@@ -1940,19 +1998,30 @@ jaildk_ipfw() {
fi fi
} }
jaildk_ipfw_add() { ipfw_add() {
local jail ipv4 ipv6 rule
jail=$1 jail=$1
# support jail variables as well # support jail variables as well
load-jail-config $jail load-jail-config $jail
if test -z $ip; then
# Getting current jails IP.. # Getting current jails IP..
ip=`jls -n -j $jail ip4.addr | cut -d= -f2` ipv4=`jls -n -j $jail ip4.addr | cut -d= -f2`
if test -z "$ip"; then else
ipv4=$ip
fi
if test -z "$ipv4"; then
die "Jail $jail doesn't have an ipv4 address!" die "Jail $jail doesn't have an ipv4 address!"
fi fi
if test -z $ip6; then
ip6=`jls -n -j $jail ip6.addr | cut -d= -f2` # optional, no checks ip6=`jls -n -j $jail ip6.addr | cut -d= -f2` # optional, no checks
else
ipv6=$ip6
fi
# Adding rules # Adding rules
egrep "^[a-z]" $j/etc/$jail/ipfw.conf | while read LINE; do egrep "^[a-z]" $j/etc/$jail/ipfw.conf | while read LINE; do
@@ -1962,42 +2031,44 @@ jaildk_ipfw_add() {
done done
} }
jaildk_ipfw_delete() { ipfw_delete() {
local jail noout
jail=$1 jail=$1
noout=$2 noout=$2
# Deleting rules
ipfw show | grep -E "// $jail\$" | while read rule; do [ -z "$2" ] && bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done ipfw show | grep -E "// $jail\$" | while read rule; do [ -z "$2" ] && bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
} }
usage_vnet() { usage_vnet() {
echo "$0 vnet <jail> <mode> -b <bridge>" echo "$0 vnet <jail> <mode> -b <bridge>
echo "Configure VIMAGE (vnet) networking for a jail. Usually called from" Configure VIMAGE (vnet) networking for a jail. Usually called from
echo "jail.conf. You need to configure the bridge manually in advance." jail.conf. You need to configure the bridge manually in advance.
echo
echo "You need the following in your /etc/rc.conf:"
echo " cloned_interfaces=\"bridge0\""
echo " ipv6_ifconfig_bridge0=\"2a01:...::1/80\""
echo " ifconfig_bridge0=\"name jailsw0 up 172.20.20.1/24\""
echo " ipv6_gateway_enable=\"YES\""
echo
echo "And something like this in your jail.conf:"
echo " billa {"
echo " vnet;"
echo " exec.created = \"/jail/bin/jaildk vnet $name start -b jailsw0\";"
echo " exec.prestop = \"/jail/bin/jaildk vnet $name stop -b vm-jailnet\";"
echo " }"
echo
echo "Finally, the jail.conf for a vnet jail needs to contain these parameters:"
echo " ip=172.20.20.10/24"
echo " gw=172.20.20.1"
echo
echo "and if using v6 v6 address in bridge subet, gw6 is default gw => bridge interface"
echo " ip6=2a01:.....ff"
echo " gw6=2a01:.....1"
echo "You'll also need PF nat rules in order to be able to reach the outside" You need the following in your /etc/rc.conf:
echo "from the jail or vice versa." cloned_interfaces=\"bridge0\"
ipv6_ifconfig_bridge0=\"2a01:...::1/80\"
ifconfig_bridge0=\"name jailsw0 up 172.20.20.1/24\"
ipv6_gateway_enable=\"YES\"
And something like this in your jail.conf:
billa {
vnet;
exec.created = \"/jail/bin/jaildk vnet $name start -b jailsw0\";
exec.prestop = \"/jail/bin/jaildk vnet $name stop -b vm-jailnet\";
}
Finally, the jail.conf for a vnet jail needs to contain these parameters:
ip=172.20.20.10/24
gw=172.20.20.1
and if using v6 v6 address in bridge subet, gw6 is default gw => bridge interface
ip6=2a01:.....ff
gw6=2a01:.....1
You'll also need PF nat rules in order to be able to reach the outside
from the jail or vice versa."
exit exit
} }
@@ -2006,6 +2077,7 @@ jaildk_vnet() {
# #
# This is no rc.d subcommand, but a standalone command, because it must # This is no rc.d subcommand, but a standalone command, because it must
# be executed by jail(8) via exec.created hook. # be executed by jail(8) via exec.created hook.
local jail mode BRIDGE vnethost vnetjail epairA epairB
jail=$1 jail=$1
mode=$2 mode=$2
shift shift
@@ -2100,6 +2172,7 @@ Create, build and install a new jail with name <jail>. Options:
jaildk_bootstrap() { jaildk_bootstrap() {
# combines base, create and build functions into a oneshot command # combines base, create and build functions into a oneshot command
# to create a new jail # to create a new jail
local jail BASE VERSION APPL PORTS IP loadbase RUN subdir port
jail=$1 jail=$1
shift shift
@@ -2217,10 +2290,10 @@ mustberoot() {
JAILDIR=/jail JAILDIR=/jail
# install modules # install modules
RCSCRIPTS_START="jaildk_rc_mount jaildk_rc_ports jaildk_rc_mtree jaildk_rc_pf" RCSCRIPTS_START="rc_mount rc_ports rc_mtree rc_pf"
RCSCRIPTS_STOP="jaildk_rc_pf jaildk_rc_mount jaildk_rc_ports" RCSCRIPTS_STOP="rc_pf rc_mount rc_ports"
RW_RCSCRIPTS_START="jaildk_rc_mount jaildk_rc_ports jaildk_rc_mtree" RW_RCSCRIPTS_START="rc_mount rc_ports rc_mtree"
RW_RCSCRIPTS_STOP="jaildk_rc_mount jaildk_rc_ports" RW_RCSCRIPTS_STOP="rc_mount rc_ports"
# globals # globals
j=$JAILDIR j=$JAILDIR
@@ -2250,7 +2323,7 @@ case $runner in
;; ;;
*) *)
# every other management command, if it exists # every other management command, if it exists
if type "jaildk_$runner" 2> /dev/null; then if type "jaildk_$runner" 2>&1 > /dev/null; then
mustberoot mustberoot
jaildk_$runner $* jaildk_$runner $*
else else
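Review bot: Three renames in this refactor are only half-applied, so the new code reads variables that are no longer assigned. In rc_pf the mask-stripped address now lives in `ipv4`, but both `pf_map` calls still pass `${ip}`, so a jail configured as in the vnet usage text (`ip=172.20.20.10/24`) gets an `rdr` target that still carries the mask, which pf would presumably treat as an address pool rather than the single jail address; pass `${ipv4}` there. In the rules loop the port is now assigned to `_eport` while the guard still tests `${_port}`, so unless `_port` is set in a part of rc_pf outside these hunks, every rule falls through to the "incomplete rule" warning and no IPv6 pass rule is written; the guard should read `if test -n "${_eport}"; then`. In rc_mtree, `case mode in` matches the literal word and never reaches `start|restart`, so the mtree ownership and permission pass is skipped silently; it should be `case $mode in`. Separately, `type "jaildk_$runner" 2>&1 > /dev/null` in the dispatcher discards stdout but points stderr at the original stdout, whereas `> /dev/null 2>&1`, as jaildk_install already uses, silences both.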