#!/bin/sh
#
# Jail management utility.
set -eu -o pipefail
. /usr/local/etc/jailctl.conf
cmd::main(){
local usage="COMMAND [ARGS]...
FreeBSD jail management utility.
Commands:
create Create a new jail
create-snapshot Take a snapshot of a jail
create-template Create a template from a jail
destroy-snapshot Delete a jail snapshot
destroy-template Delete a template
destroy Delete a jail and its dataset
download-release Download and create a FreeBSD release template
edit Edit a jail's configuration
exec Run a command within the jail
list-snapshots List jail snapshots
list-templates List available templates
list List configured jails
reprovision Wipe and reprovision an OS dataset from template
restart Restart a jail
rollback Rollback a jail to a given snapshot
shell Run a shell within the jail
show Show jail configuration
start Start a jail
status Show running jail status
stop Stop a jail
update-release Update a FreeBSD release template"
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -ge 1 ] || cmd::usage 'no comand specified'
local cmd=$1; shift
case $cmd in
create) cmd::create "$@" ;;
create-snapshot|snapshot|snap) cmd::create_snapshot "$@" ;;
create-template) cmd::create_template "$@" ;;
destroy-snapshot|rms) cmd::destroy_snapshot "$@" ;;
destroy-template|rmt) cmd::destroy_template "$@" ;;
destroy|rm) cmd::destroy "$@" ;;
download-release) cmd::download_release "$@" ;;
edit) cmd::edit "$@" ;;
exec) cmd::exec "$@" ;;
list-snapshots|lss) cmd::list_snapshots "$@" ;;
list-templates|lst) cmd::list_templates "$@" ;;
list|ls) cmd::list "$@" ;;
reprovision) cmd::reprovision "$@" ;;
restart) cmd::restart "$@" ;;
rollback) cmd::rollback "$@" ;;
shell|sh) cmd::shell "$@" ;;
show) cmd::show "$@" ;;
start) cmd::start "$@" ;;
status) cmd::status "$@" ;;
stop) cmd::stop "$@" ;;
update-release) cmd::update_release "$@" ;;
# The following commands are internal to jailctl. Don't run them manually.
_create-epair) cmd::_create_epair "$@" ;;
_destroy-epair) cmd::_destroy_epair "$@" ;;
*) cmd::usage "unknown command: ${cmd}" ;;
esac
}
################################################################################
# Standard helper functions.
################################################################################
die(){
printf '%s: %s\n' jailctl "$*" 1>&2
exit 1
}
warn(){
printf '%s\n' "$*" 1>&2
}
################################################################################
# CLI-related functions.
################################################################################
cmd::help(){
printf 'Usage: %s %s\n' jailctl "$usage"
[ -n "${help:-}" ] && printf '%s\n' "$help"
exit 0
}
cmd::usage(){
[ $# -gt 0 ] && printf '%s: %s\n' "jailctl" "$1" 1>&2
printf 'Usage: %s %s\n' jailctl "${usage}" 1>&2
exit 2
}
cmd::getopt_help(){
local opt
while getopts :h opt; do
case $opt in
h) cmd::help ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
}
cmd::create(){
local usage='create [-a IP] [-b] [-c CPUSET] [-d DOMAIN] [-g GATEWAY] [-k SSHKEY]
[-m MEMLIMIT] [-n NETMASK] [-q QUOTA] [-Q OS_QUOTA] [-r NAMESERVER]
[-s SEARCHDOMAIN] [-v VLANID] NAME TEMPLATE'
local help="Create a new jail.
Options:
-a IP IPv4 address
-b Enable BPF device (allows DHCP, tcpdump, etc)
-c CPUSET CPU list for cpuset(1)
-d DOMAIN Host domain name
-g GATEWAY Default IPv4 gateway
-k SSHKEY Path to SSH pubkey for root's authorized_keys
-m MEMLIMIT Virtual memory limit
-n NETMASK IPv4 netmask
-q QUOTA Quota for delegated dataset
-Q OS_QUOTA Quota for root filesystem
-r NAMESERVER DNS resolver
-s SEARCHDOMAIN DNS search domain
-v VLANID VLAN ID number"
local \
bpf_enabled=false \
cpuset \
data_quota \
data_quota=$DEFAULT_DATA_QUOTA \
devfs_ruleset=$DEFAULT_DEVFS_RULESET \
domain=$DEFAULT_DOMAIN \
gateway \
jail_opts \
ip \
memlimit \
nameservers \
netmask=$DEFAULT_NETMASK \
os_quota=$DEFAULT_OS_QUOTA \
searchdomains \
snapshot \
sshkey \
vlan=$DEFAULT_VLAN \
opt
while getopts :a:bc:d:e:g:hk:m:n:q:Q:r:s:v: opt; do
case $opt in
a) ip=$OPTARG ;;
b) bpf_enabled=true ;;
c) cpuset=$OPTARG ;;
d) domain=$OPTARG ;;
e) jail_opts="${jail_opts:-}"$'\n'" ${OPTARG};" ;;
g) gateway=$OPTARG ;;
h) cmd::help ;;
k) sshkey=$OPTARG ;;
m) memlimit=$OPTARG ;;
n) netmask=$OPTARG ;;
q) data_quota=$OPTARG ;;
Q) os_quota=$OPTARG ;;
r) nameservers="${nameservers:-} ${OPTARG}" ;;
s) searchdomains="${searchdomains:-} ${OPTARG}" ;;
v) vlan=$OPTARG ;;
:) cmd::usage "missing option value: -${OPTARG}" ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
if [ -n "${ip:-}" ]; then
: ${gateway:="${ip%.*}.1"}
fi
[ $# -lt 1 ] && cmd::usage 'NAME not specified'
[ $# -lt 2 ] && cmd::usage 'TEMPLATE not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local name=$1 template=$2
jail::exists "$name" && die "jail name already in use: ${name}"
template::exists "$template" || die "no such template: ${template}"
interface::exists "bridge${vlan}" || interface::add_vlan "$vlan"
if [ -n "${sshkey:-}" ]; then
[ -f "$sshkey" ] || die "ssh key ${sshkey}: file not found"
fi
zfs::ensure_snapshot snapshot "${JAIL_DATASET}/templates/${template}"
# Clone template into new 'os' dataset.
zfs create -v "${JAIL_DATASET}/${name}"
zfs clone \
$ZFS_OPTS \
-o quota="$os_quota" \
"$snapshot" "${JAIL_DATASET}/${name}/os"
# Create delegated 'data' dataset.
zfs create -v \
$ZFS_OPTS \
-o mountpoint=none \
-o quota="$data_quota" \
"${JAIL_DATASET}/${name}/data"
# Copy timezone configuration from host.
cp -v /etc/localtime "${JAIL_HOME}/${name}/os/etc/localtime"
# Generate /etc/resolv.conf in the jail (word-splitting intentional).
if [ -n "${nameservers:-} "]; then
printf 'nameserver %s\n' $nameservers >> "${JAIL_HOME}/${name}/os/etc/resolv.conf"
printf 'search %s\n' "${searchdomains:-$domain}" >> "${JAIL_HOME}/${name}/os/etc/resolv.conf"
fi
# Get the jail's virtual interface name.
local epair_name
epair_name=$(interface::epair::derive_name "$name")
# Set /etc/rc.conf values within the jail.
sysrc -v -f "${JAIL_HOME}/${name}/os/etc/rc.conf" \
"hostname=${name}.${domain}" \
"ifconfig_ej_${epair_name}_name=jail0" \
'ipv6_activate_all_interfaces=NO' \
'syslogd_flags=-ss' \
'sendmail_enable=NONE' \
'dumpdev=NO' \
'pf_enable=YES'
echo "$DEFAULT_PF_CONF" > "${JAIL_HOME}/${name}/os/etc/pf.conf"
if [ -n "${ip:-}" ]; then
# If $ip set, configure /etc/rc.conf for static IP.
sysrc -v -f "${JAIL_HOME}/${name}/os/etc/rc.conf" \
"ifconfig_jail0=inet ${ip} netmask ${netmask}" \
"defaultrouter=${gateway}"
else
# Othersie, configure /etc/rc.conf for DHCP.
sysrc -v -f "${JAIL_HOME}/${name}/os/etc/rc.conf" "ifconfig_jail0=SYNCDHCP"
devfs_ruleset=$BPF_ENABLED_DEVFS_RULESET
fi
if [ -n "${sshkey:-}" ]; then
# If $sshkey set, enable sshd and root login.
echo "PermitRootLogin prohibit-password" | tee -a "${JAIL_HOME}/${name}/os/etc/ssh/sshd_config"
sysrc -v -f "${JAIL_HOME}/${name}/os/etc/rc.conf" 'sshd_enable=YES'
# Copy the ssh key into root's authorized_keys within the jail.
install -v -d -m 0700 "${JAIL_HOME}/${name}/os/root/.ssh"
install -v -m 0600 "$sshkey" "${JAIL_HOME}/${name}/os/root/.ssh/authorized_keys"
fi
# If BPF requested, use our custom bpf ruleset.
[ "${bpf_enabled}" = true ] && devfs_ruleset=$BPF_ENABLED_DEVFS_RULESET
# Generate jail config file.
local jailcfg="${JAIL_HOME}/${name}/jail.conf"
cat <<EOF > "$jailcfg"
${name} {
path = "${JAIL_HOME}/\$name/os";
host.hostname = "\$name.${domain}";
exec.prestart = "jailctl _create-epair \$name vlan${vlan} bridge${vlan}";
exec.created = "zfs set jailed=on ${JAIL_DATASET}/\$name/data";
exec.created += "zfs jail \$name ${JAIL_DATASET}/\$name/data";
exec.start = "zfs mount -a";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.stop += "zfs list -Ho name,jailed,mounted | awk '\$2 == \\"on\\" && \$3 == \\"yes\\" {print \$1}' | xargs -rtn1 zfs unmount";
exec.poststop = "jailctl _destroy-epair \$name";
exec.poststop += "rctl -r jail:\$name:";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
mount.devfs;
devfs_ruleset = "${devfs_ruleset}";
mount = "tmpfs \$path/tmp tmpfs rw,size=1G 0 0";
allow.mount = true;
allow.mount.zfs = true;
enforce_statfs = 1;
vnet;
vnet.interface = "ej_${epair_name}";
${jail_opts:-}
EOF
ln -sv "$jailcfg" "/etc/jail.conf.d/${name}.conf"
# Configure resource limits.
[ -n "${cpuset:-}" ] && \
echo " exec.created += \"cpuset -j \$name -cl ${cpuset}\";" >> "$jailcfg"
[ -n "${memlimit:-}" ] && \
echo " exec.prestart += \"rctl -a jail:\$name:memoryuse:deny=${memlimit}\";" >> "$jailcfg"
# End jail config file.
echo '}' >> "$jailcfg"
# Update host's /etc/rc.conf to start the jail on boot.
sysrc -v jail_list+="$name"
# Start the jail.
jail::start "$name"
}
cmd::create_snapshot(){
local usage='create-snapshot [-d] [-o] JAIL [SNAPNAME]'
local help='Create a jail snapshot.
Options:
-d Only snapshot the data dataset
-o Only snapshot the OS dataset'
local opt both=true os_only=false data_only=false snapname
while getopts :dho opt; do
case $opt in
d) data_only=true; both=false ;;
h) cmd::help ;;
o) os_only=true; both=false ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
jail=$1 snapname=${2:-}
jail::exists "$jail" || die "no such jail: ${jail}"
[ -n "$snapname" ] || snapname=$(date +%Y-%m-%dT%H:%M:%S)
# Snapshot the OS dataset.
if [ "$both" = true ] || [ "$os_only" = true ]; then
zfs snapshot "${JAIL_DATASET}/${jail}/os@${snapname}"
fi
# Snapshot the data dataset.
if [ "$both" = true ] || [ "$data_only" = true ]; then
zfs snapshot "${JAIL_DATASET}/${jail}/data@${snapname}"
fi
}
cmd::create_template(){
local usage='create-template NAME JAIL'
local help='Create a template from a jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'NAME not specified'
[ $# -lt 2 ] && cmd::usage 'JAIL not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local name=$1 jail=$2
jail::exists "$jail" || die "no such jail: ${jail}"
template::exists "$name" && die "template already exists: $name"
jail::running "$jail" && die "refusing to create template while jail is running: ${jail}"
local snapname
snapname=$(date +%Y-%m-%dT%H:%M:%S)
zfs snapshot "${JAIL_DATASET}/${jail}/os@${snapname}"
zfs send "${JAIL_DATASET}/${jail}/os@${snapname}" | zfs receive -v "${JAIL_DATASET}/templates/${name}"
zfs destroy "${JAIL_DATASET}/${jail}/os@${snapname}"
}
cmd::destroy_snapshot(){
local usage='destroy-snapshot [-y] JAIL SNAPSHOT'
local help="Delete a jail snapshot
Options:
-y Don't prompt for confirmation"
local noconfirm=false answer opt
while getopts :hy opt; do
case $opt in
h) cmd::help ;;
y) noconfirm=true ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -lt 2 ] && cmd::usage 'SNAPSHOT not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local jail=$1 snapshot=$2
jail::exists "$jail" || die "no such jail: ${jail}"
local datasets=''
if [ "${snapshot#*@}" != "$snapshot" ]; then
# If the snapshot name contains '@', then we have something like 'os@snapname'.
zfs::dataset_exists "${JAIL_DATASET}/${jail}/${snapshot}" && \
datasets="${JAIL_DATASET}/${jail}/${snapshot}"
else
# Otherwise, check if either os or data dataset contains a matching snapshot.
zfs::dataset_exists "${JAIL_DATASET}/${jail}/os@${snapshot}" && \
datasets="${JAIL_DATASET}/${jail}/os@${snapshot}"
zfs::dataset_exists "${JAIL_DATASET}/${jail}/data@${snapshot}" && \
datasets="${datasets} ${JAIL_DATASET}/${jail}/data@${snapshot}"
fi
[ -n "$datasets" ] || die "no such snapshot for jail ${jail}: ${snapshot}"
if [ "$noconfirm" != true ]; then
read -rp "Really destroy ${jail} snapshot ${snapshot}? (y/N) " answer
case $answer in
[yY]|[yY][eE][sS]) : ;;
*) die 'operation cancelled' ;;
esac
fi
local dataset
for dataset in $datasets; do
zfs destroy -v "$dataset"
done
}
cmd::destroy_template(){
local usage='destroy-template [-y] TEMPLATE'
local help="Delete a jail template.
Options:
-y Don't prompt for confirmation
Notes:
A template cannot be deleted while its clones still exist."
local noconfirm=false answer opt
while getopts :hy opt; do
case $opt in
h) cmd::help ;;
y) noconfirm=true ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'TEMPLATE not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
template::exists "$jail" || die "no such template: ${jail}"
if [ "$noconfirm" != true ]; then
read -rp "Really destroy template ${jail}? (y/N) " answer
case $answer in
[yY]|[yY][eE][sS]) : ;;
*) die 'operation cancelled' ;;
esac
fi
zfs destroy -v -r "${JAIL_DATASET}/templates/${jail}"
}
cmd::destroy(){
local usage='destroy [-y] JAIL'
local help="Delete a jail and its dataset.
Options:
-y Don't prompt for confirmation"
local noconfirm=false answer opt
while getopts :hy opt; do
case $opt in
h) cmd::help ;;
y) noconfirm=true ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
if [ "$noconfirm" != true ]; then
read -rp "Really destroy jail ${jail}? (y/N) " answer
case $answer in
[yY]|[yY][eE][sS]) : ;;
*) die 'operation cancelled' ;;
esac
fi
jail::running "$jail" && jail::stop "$jail"
# Delete jail config file.
rm "/etc/jail.conf.d/${jail}.conf" "${JAIL_HOME}/${jail}/jail.conf"
# Remove the jail from the autostart list.
sysrc -v jail_list-="$jail" ||:
# Destroy the jail's dataset.
zfs destroy -v -f -r "${JAIL_DATASET}/${jail}"
}
cmd::download_release() {
local usage='download-release RELEASE'
local help='Download and create a FreeBSD release template.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'RELEASE not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local release=$1
local template
template::release2name template "$release"
template::exists "$template" && die "template already exists: ${template}"
template::download_release "$release"
}
cmd::edit(){
local usage='edit JAIL'
local help='Edit jail configuration.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
"$EDITOR" "${JAIL_HOME}/${jail}/jail.conf"
}
cmd::exec(){
local usage='exec JAIL COMMAND...'
local help='Run a command within the jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -lt 2 ] && cmd::usage 'COMMAND not specified'
jail=$1; shift
jail::exists "$jail" || die "no such jail: ${jail}"
jail::exec "$jail" "$@"
}
cmd::list(){
local usage='list [-t]'
local help='List configured jails.
Options:
-t Use terse output (jail names only)'
local file name status opt terse=false
while getopts :th opt; do
case $opt in
t) terse=true ;;
h) cmd::help ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -eq 0 ] || cmd::usage 'too many arguments'
{ [ $terse = true ] || echo 'JAIL STATUS'
for file in "$JAIL_HOME"/*/jail.conf; do
[ -e "$file" ] || continue
name=$(basename "$(dirname "$file")")
if [ $terse = true ]; then
printf '%s\n' "$name"
else
if jail::running "$name"; then
status=running
else
status=stopped
fi
printf '%s %s\n' "$name" "$status"
fi
done
} | column -t
}
cmd::list_templates(){
local usage='list-templates'
local help='list template datasets.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -eq 0 ] || cmd::usage 'too many arguments'
ls -1 "${JAIL_HOME}/templates"
}
cmd::list_snapshots(){
local usage='list-snapshots JAIL'
local help='List jail snapshots
Options:
-d List snapshots from data dataset only
-o List snapshots from OS dataset only
-t Use terse output'
local opt terse=false dataset=''
while getopts :dhot opt; do
case $opt in
d) dataset=/data ;;
h) cmd::help ;;
o) dataset=/os ;;
t) terse=true ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
if [ "$terse" = true ]; then
zfs list -r -t snapshot -H -o name -s creation "${JAIL_DATASET}/${jail}${dataset}" 2>/dev/null \
| sed 's/^.*\///' \
| sort -k1,1 -t@ -s
else
{ echo 'DATASET SNAPSHOT USED REFER'
zfs list -r -t snapshot -H -o name,used,refer -s creation "${JAIL_DATASET}/${jail}${dataset}" 2>/dev/null
} | sed 's/^.*\///' \
| sort -k1,1 -t@ -s \
| tr '@' ' ' \
| column -t
fi
}
cmd::rollback(){
local usage='rollback JAIL SNAPSHOT'
local help='Rollback a jail to a given snapshot.
Options:
-d Rollback the data dataset only
-f Attempt rollback even if the jail is running
-o Rollback the OS dataset only'
local opt force=false both=true os_only=false data_only=false
while getopts :dfho opt; do
case $opt in
d) data_only=true; both=false ;;
f) force=true ;;
h) cmd::help ;;
o) os_only=true; both=false ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -lt 2 ] && cmd::usage 'SNAPSHOT not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local jail=$1 snapshot=$2
jail::exists "$jail" || die "no such jail: ${jail}"
# Ensure OS snapshot exists, if requested.
if [ "$both" = true ] || [ "$os_only" = true ]; then
zfs::dataset_exists "${JAIL_DATASET}/${jail}/os@${snapshot}" \
|| die "no such snapshot for ${jail}/os: ${snapshot}"
fi
# Ensure data snapshot exists, if requested.
if [ "$both" = true ] || [ "$data_only" = true ]; then
zfs::dataset_exists "${JAIL_DATASET}/${jail}/data@${snapshot}" \
|| die "no such snapshot for ${jail}/data: ${snapshot}"
fi
# Don't rollback while jail is running.
if jail::running "$jail" && [ "$force" != true ]; then
die "jail ${jail} is running, refusing to rollback (-f to override)"
fi
# Rollback the OS snapshot, if requested.
if [ "$both" = true ] || [ "$os_only" = true ]; then
zfs rollback -r "${JAIL_DATASET}/${jail}/os@${snapshot}"
fi
# Rollback the data snapshot, if requested.
if [ "$both" = true ] || [ "$data_only" = true ]; then
zfs rollback -r "${JAIL_DATASET}/${jail}/data@${snapshot}"
fi
}
cmd::start(){
local usage='start JAIL'
local help='Start a jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
jail::running "$jail" && die "jail already running: ${jail}"
jail::start "$jail"
}
cmd::stop(){
local usage='stop JAIL'
local help='Stop a jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
jail::running "$jail" || die "jail not running: ${jail}"
jail::stop "$jail"
}
cmd::reprovision(){
local usage='reprovision JAIL TEMPLATE'
local help="Wipe and reprovision a jail's OS dataset from a template."
local opt noconfirm=false running=false
while getopts :hy opt; do
case $opt in
h) cmd::help ;;
y) noconfirm=true ;;
?) cmd::usage "unknown option: -${OPTARG}" ;;
esac
done
shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -lt 2 ] && cmd::usage 'TEMPLATE not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local jail=$1 template=$2
jail::exists "$jail" || die "no such jail: ${jail}"
template::exists "$template" || die "no such template: ${template}"
if [ "$noconfirm" != true ]; then
read -rp "Really reprovision ${jail}? (y/N) " answer
case $answer in
[yY]|[yY][eE][sS]) : ;;
*) die 'operation cancelled' ;;
esac
fi
# If the jail is running, stop it.
if jail::running "$jail"; then
running=true
jail::stop "$jail"
fi
local snapshot old_quota old_ifconfig old_defaultrouter old_hostname old_resolvconf
# Get the latest snapshot for the template (if not specified).
zfs::ensure_snapshot snapshot "${JAIL_DATASET}/templates/${template}"
# Stash old configuration data.
old_quota=$(zfs get -Hp -o value quota "${JAIL_DATASET}/${jail}/os")
old_hostname=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn hostname)
old_ifconfig=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn ifconfig_jail0)
old_defaultrouter=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn defaultrouter) ||:
old_pfenable=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn pf_enable) ||:
old_sshkey=$(cat "${JAIL_HOME}/${jail}/os/root/.ssh/authorized_keys") ||:
old_resolvconf=$(cat "${JAIL_HOME}/${jail}/os/etc/resolv.conf") ||:
# Reprovision OS dataset from template.
zfs destroy -v -f -r "${JAIL_DATASET}/${jail}/os"
zfs clone \
$ZFS_OPTS \
-o quota="$old_quota" \
"$snapshot" "${JAIL_DATASET}/${jail}/os"
# Copy timezone configuration from host.
cp -v /etc/localtime "${JAIL_HOME}/${jail}/os/etc/localtime"
# Restore stashed configuration data.
sysrc -v -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" \
"hostname=${old_hostname}" \
"ifconfig_ej_$(interface::epair::derive_name "$jail")_name=jail0" \
"ifconfig_jail0=${old_ifconfig}" \
'ipv6_activate_all_interfaces=NO' \
'syslogd_flags=-ss' \
'sendmail_enable=NONE' \
'dumpdev=NO' \
"pf_enable=YES"
[ -n "$old_defaultrouter" ] && sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" "defaultrouter=${old_defaultrouter}"
[ -n "$old_resolvconf" ] && printf '%s\n' "$old_resolvconf" | tee "${JAIL_HOME}/${jail}/os/etc/resolv.conf"
echo "$DEFAULT_PF_CONF" > "${JAIL_HOME}/${jail}/os/etc/pf.conf"
if [ -n "$old_sshkey" ]; then
echo "PermitRootLogin prohibit-password" | tee -a "${JAIL_HOME}/${jail}/os/etc/ssh/sshd_config"
sysrc -v -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" 'sshd_enable=YES'
install -v -d -m 0700 "${JAIL_HOME}/${jail}/os/root/.ssh"
install -v -m 0600 /dev/null "${JAIL_HOME}/${jail}/os/root/.ssh/authorized_keys"
printf '%s\n' "$old_sshkey" | tee "${JAIL_HOME}/${jail}/os/root/.ssh/authorized_keys"
fi
# If the jail was running, restart it.
if [ "$running" = true ]; then
jail::start "$jail"
fi
}
cmd::restart(){
local usage='restart JAIL'
local help='Restart a jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'no jail specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
jail::running "$jail" || die "jail not running: ${jail}"
jail::restart "$jail"
}
cmd::shell(){
local usage='shell JAIL'
local help='Run a shell within the jail.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
jail::running "$jail" || die "jail not running: ${jail}"
jail::exec "$jail" /bin/csh
}
cmd::show(){
local usage='show JAIL'
local help='Show jail configuration.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
printf -- '------------------------- JAIL CONFIGURATION -------------------------\n'
cat "${JAIL_HOME}/${jail}/jail.conf"
printf -- '\n---------------------------- ZFS DATASET -----------------------------\n'
zfs list -o name,quota,used,avail,mountpoint -S name \
"${JAIL_DATASET}/${jail}/os" \
"${JAIL_DATASET}/${jail}/data"
}
cmd::status(){
local usage='status JAIL'
local help='Show running jail status.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
jail::exists "$jail" || die "no such jail: ${jail}"
jail::running "$jail" || die "jail not running: ${jail}"
printf -- '---------------------------- JAIL STATUS -----------------------------\n'
jls -j "$jail" -h jid name path osrelease host.hostname 2>/dev/null | column -t
printf -- '\n---------------------------- ZFS DATASET -----------------------------\n'
zfs list -o name,quota,used,avail,mountpoint -S name \
"${JAIL_DATASET}/${jail}/os" \
"${JAIL_DATASET}/${jail}/data" \
| sed "s|^${JAIL_DATASET}/${jail}/||" \
| column -t
printf -- '\n--------------------------- RESOURCE USAGE ---------------------------\n'
rctl -h -u "jail:${jail}:" \
| grep -E '^(maxproc|memoryuse|openfiles|pcpu|memoryuse|swapuse|readbps|writebps|readiops|writeiops)=' \
| rs -c= -C' ' -T \
| column -t
printf -- '\n----------------------------- PROCESSES ------------------------------\n'
ps -auxdr -J "$jail"
}
cmd::update_release(){
local usage='update-release TEMPLATE'
local help='Update a FreeBSD release template.'
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'TEMPLATE not specified'
[ $# -gt 1 ] && cmd::usage 'too many arguments'
local jail=$1
template::exists "$jail" || die "no such template: ${jail}"
template::update_release "$jail"
}
cmd::_create_epair(){
local usage='_create-epair JAIL INTERFACE BRIDGE'
local help="Create an epair for a VNET jail.
DO NOT RUN THIS COMMAND MANUALLY. It is invoked by each jail's exec.prestart."
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -lt 2 ] && cmd::usage 'INTERFACE not specified'
[ $# -lt 3 ] && cmd::usage 'BRIDGE not specified'
[ $# -gt 3 ] && cmd::usage 'too many arguments'
local jail=$1 interface=$2 bridge=$3 \
new_epair epair_name epair_bridge_mac epair_jail_mac
interface::exists "$interface" || die "no such interface: ${interface}"
interface::exists "$bridge" || die "no such bridge: ${bridge}"
epair_name=$(interface::epair::derive_name "$jail")
interface::epair::derive_mac "$interface" "$jail" epair_bridge_mac epair_jail_mac
new_epair=$(ifconfig epair create)
ifconfig "$bridge" addm "$new_epair"
ifconfig "$new_epair" name "eb_${epair_name}" descr "jail/${jail}"
ifconfig "eb_${epair_name}" up
ifconfig "eb_${epair_name}" ether "$epair_bridge_mac"
ifconfig "${new_epair%a}b" name "ej_${epair_name}"
ifconfig "ej_${epair_name}" up
ifconfig "ej_${epair_name}" ether "$epair_jail_mac"
}
cmd::_destroy_epair(){
local usage='_destroy-epair JAIL'
local help="Destroy an epair for a VNET jail.
DO NOT RUN THIS COMMAND MANUALLY. It is invoked by each jail's exec.poststop."
cmd::getopt_help "$@"; shift $((OPTIND - 1))
[ $# -lt 1 ] && cmd::usage 'JAIL not specified'
[ $# -gt 2 ] && cmd::usage 'too many arguments'
local jail=$1 epair_name
epair_name=$(interface::epair::derive_name "$jail")
ifconfig "eb_${epair_name}" destroy
}
################################################################################
# "Library" functions.
################################################################################
interface::add_vlan(){
local id=$1
ifconfig "vlan${id}" create
ifconfig "vlan${id}" vlan "$id" vlandev "$TRUNK_INTERFACE" up
ifconfig "bridge${id}" create
ifconfig "bridge${id}" addm "vlan${id}" up
sysrc -v \
"cloned_interfaces+=vlan${id} bridge${id}" \
"ifconfig_vlan${id}=vlan ${id} vlandev ${TRUNK_INTERFACE} up" \
"ifconfig_bridge${id}=addm vlan${id} up"
}
interface::exists(){
ifconfig "$1" > /dev/null 2>&1
}
interface::epair::derive_mac(){
# Derive unique mac addresses for an epair interface, based on the physical
# interface address + jail name.
local iface=$1 name=$2 upvar_a=$3 upvar_b=$4
local hwaddr checksum epair_mac_a epair_mac_b
# Similar to /usr/share/examples/jails/jib
hwaddr=$(ifconfig "$iface" ether | awk '/ether/,$0=$2')
# ??:??:??:II:II:II
epair_mac_a=${hwaddr#??:??:??} # => :II:II:II
# => :SS:SS:II:II:II
epair_mac_a=":$(printf '%s' "$name" | md5 | sed 's/^\(..\)\(..\).*/\1:\2/')${epair_mac_a}"
# => NP:SS:SS:II:II:II
case $hwaddr in
?2:*) epair_mac_a="0a${epair_mac_a}" epair_mac_b="0e${epair_mac_a}" ;;
?[Ee]:*) epair_mac_a="02${epair_mac_a}" epair_mac_b="06${epair_mac_a}" ;;
*) epair_mac_a="02${epair_mac_a}" epair_mac_b="0e${epair_mac_a}" ;;
esac
# Sanity check for duplicate MAC
for mac in $epair_mac_a $epair_mac_b; do
ifconfig | grep -qE "(ether|hwaddr) ${mac}" && die "MAC collision when configuring epair interface!"
done
setvar "$upvar_a" "$epair_mac_a"
setvar "$upvar_b" "$epair_mac_b"
}
interface::epair::derive_name(){
# Generate an epair(4) interface suffix, based on the jail name.
#
# The maximum length of a network interface name on FreeBSD is 15 characters.
# We use a prefix of 'eb_' for the bridge side of the interface, and 'ej_'
# for the jail side. This leaves 12 characters for a unique suffix for each
# jail.
#
# If the sanitized jail name is less than 12 characters, we'll simply use it
# for the suffix. Otherwise, we'll use the last 12 characters of the jail
# name's SHA-1 hash.
local name=$1 sanitized
sanitized=$(printf '%s' "$name" | tr -dC '[:alnum:]_')
if [ "${#sanitized}" -le 12 ]; then
printf '%s' "$sanitized"
else
printf '%s' "$name" | sha1 | tail -c 12
fi
}
jail::exec() {
local jail=$1; shift
jexec -l "$jail" "$@"
}
jail::exists(){
test -f "${JAIL_HOME}/${1}/jail.conf"
}
jail::restart(){
jail -v -f "${JAIL_HOME}/${1}/jail.conf" -rc "$1"
}
jail::running(){
jls -j "$1" > /dev/null 2>&1
}
jail::start(){
jail -v -f "${JAIL_HOME}/${1}/jail.conf" -c "$1"
}
jail::stop(){
jail -v -f "${JAIL_HOME}/${1}/jail.conf" -r "$1"
}
template::exists(){
zfs list -H "${JAIL_DATASET}/templates/${1}" > /dev/null 2>&1
}
template::download_release(){
# Download a given FreeBSD release and create a template jail.
local release=$1 arch base_tarball template
arch=$(uname -p)
base_tarball="https://download.freebsd.org/releases/${arch}/${release}/base.txz"
template::release2name template "$release"
zfs create -v -p $ZFS_OPTS "${JAIL_DATASET}/templates/${template}"
if ! fetch "$base_tarball" -o - | tar xzf - -C "${JAIL_HOME}/templates/${template}"; then
zfs destroy -v "${JAIL_DATASET}/templates/${template}"
die "failed to extract base tarball for ${release}"
fi
template::update_release "$template"
}
template::release2name(){
# Convert a FreeBSD release version to a template name.
# e.g. for "13.2-RELEASE", return "freebsd13".
setvar "$1" "freebsd${2%.*}"
}
template::update_release(){
# Run freebsd-update within a the given template and take a fresh snapshot.
local template=$1 snapshot
PAGER=/bin/cat freebsd-update -b "${JAIL_HOME}/templates/${template}" --not-running-from-cron fetch install
snapshot=$("${JAIL_HOME}/templates/${template}/bin/freebsd-version")
template::exists "${template}@${snapshot}" || zfs snapshot "${JAIL_DATASET}/templates/${template}@${snapshot}"
}
zfs::ensure_snapshot(){
# If the given zfs dataset is a snapshot, return as-is.
# Otherwise, get the latest snapshot from the given dataset and return that.
local upvar=$1 dataset=$2 latest
if [ "${dataset#*@}" = "$dataset" ]; then
latest=$(zfs list -t snapshot -o name -s creation -H "$dataset" | tail -1)
setvar "$upvar" "$latest"
else
zfs list -t snapshot -H "$dataset" > /dev/null 2>&1 || die "no such snapshot: ${dataset}"
setvar "$upvar" "$dataset"
fi
}
zfs::dataset_exists(){
zfs list "$1" > /dev/null 2>&1
}
cmd::main "$@"