Commit d6bef67a authored by Carlos Neira's avatar Carlos Neira

adding linux jails

parent e94c290d
{
"cpu_cap": 100,
"image_uuid": "91ba9d4d-a54c-11e7-aac0-f1a39030aaa2",
"hostname": "lx-jail00",
"uuid": "81ba9d4d-a54c-11e7-aac0-f1a39030aaa2",
"max_physical_memory": 1024,
"quota": 100,
"brand": "lx-jail",
"alias": "test",
"nics": [
{
"interface": "net0",
"nic_tag": "admin",
"gateway": "192.168.1.1",
"netmask": "255.255.255.0",
"ip": "192.168.1.235",
"primary": true
}
]
}
#!/usr/local/bin/bash
#set -x
ARCH=$(uname -m)
URL_ARCH=${ARCH};
case "${ARCH}" in
amd64)
ARCH=x86_64;
;;
arm64)
URL_ARCH=arm64/aarch64
;;
esac
if [ -x /usr/local/bin/pbzip2 ]
then
BZIP=/usr/local/bin/pbzip2
else
BZIP=bzip2
fi
#### End user editable vars
if [ -z "$1" ]
then
ROOT=zroot/jails
else
ROOT=$1
fi
if [ -z "$2" ]
then
VSN=`uname -r`
else
VSN=$2
fi
ID=$(uuidgen)
zfs create -p ${ROOT}/$ID
>&2 echo "Prepping outside jail..."
declare -a FILES
for d in "${DIRS[@]}"
do
mkdir -p /${ROOT}/$ID/root/$d
chown root:wheel /${ROOT}/$ID/root/$d
chmod 775 /${ROOT}/$ID/root/$d
done
# Write some basic CentOS configuration files:
cp /etc/resolv.conf /${ROOT}/$ID/root/etc/resolv.conf
echo "linproc /jails/centos/proc linprocfs rw 0 0" >> /${ROOT}/$ID/fstab_centos6
>&2 echo "Prepping solitary confinement"
mkdir -p /${ROOT}/${ID}/root/jail
TARGET=/tmp/centos-${ARCH}-${VSN}.tgz
if [ ! -f ${TARGET} ]
then
fetch https://download.openvz.org/template/precreated/centos-6-x86.tar.gz -o ${TARGET}
else
echo "Image seems to already exist, not re-downloading, delete ${TARGET} to force re-download"
fi
tar -xf ${TARGET} -C /${ROOT}/${ID}/root/jail/
zfs snapshot ${ROOT}/${ID}@final
zfs send ${ROOT}/${ID}@final | ${BZIP} > ${ID}.dataset
SIZE=`ls -l ${ID}.dataset | cut -f 5 -w`
SHA=`sha1 -q ${ID}.dataset`
DATE=`date -u "+%Y-%m-%dT%H:%M:%SZ"`
cat <<EOF > $ID.json
{
"v": 2,
"uuid": "${ID}",
"name": "FreeBSD",
"version": "${VSN}",
"type": "jail-dataset",
"os": "Linux",
"files": [
{
"size": ${SIZE},
"compression": "bzip2",
"sha1": "${SHA}"
}
],
"requirements": {
"architecture": "${ARCH}",
"networks": [{"name": "net0", "description": "public"}]
},
"published_at": "${DATE}",
"public": true,
"state": "active",
"disabled": false
}
EOF
>&2 echo "Jail is ready. Snapshot if needed"
echo $ID
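Review bot: `DIRS` is never assigned (only `FILES` is declared at `declare -a FILES`), so the `for d in "${DIRS[@]}"` loop creates nothing and the `cp /etc/resolv.conf /${ROOT}/$ID/root/etc/resolv.conf` line targets an `etc/` directory that does not exist; with no `set -e` the script carries on and still snapshots, compresses and publishes a manifest for the broken dataset. The template download has the same shape of problem: a failed or truncated `fetch` is not detected before `tar -xf`, a partial `${TARGET}` left behind may satisfy the `-f` cache check on the next run, the archive comes from a third-party mirror with no checksum or signature verification, and the cached name embeds `${ARCH}`/`${VSN}` while the URL is pinned to `centos-6-x86.tar.gz`, so the cache can hand back an image that does not match what the manifest claims. Suggest `set -euo pipefail` near the top, an explicit `DIRS=(etc ...)` before the loop, and checking the download against a digest pinned alongside the script before extracting, e.g. `[ "$(sha256 -q "${TARGET}")" = "${TEMPLATE_SHA256}" ] || { echo "template digest mismatch" >&2; exit 1; }`. The `fstab_centos6` line also hard-codes `/jails/centos/proc` rather than the `${ROOT}/${ID}` path used everywhere else, which looks like a leftover from a manual setup.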
......@@ -63,7 +63,13 @@ impl<'a> Jail<'a> {
/// starts a jail
pub fn start(&self, config: &Config) -> Result<i32, Box<Error>> {
self.set_rctl()?;
self.mount_devfs()?;
if self.config.brand != "lx-jail" {
self.mount_devfs_lx()?;
} else {
self.mount_devfs()?;
}
let CreateArgs { args, ifs } = create_args(config, self)?;
debug!("Start jail"; "vm" => self.idx.uuid.hyphenated().to_string(), "args" => args.clone().join(" "));
let id = start_jail(&self.idx.uuid, args)?;
......@@ -199,6 +205,70 @@ impl<'a> Jail<'a> {
Ok(0)
}
fn mount_devfs_lx(&self) -> Result<i32, Box<Error>> {
let mut devfs = String::from("/");
devfs.push_str(self.idx.root.as_str());
devfs.push_str("/root/dev");
let devfs_args = vec!["-t", "devfs", "devfs", devfs.as_str()];
debug!("mounting devfs in outer jail"; "vm" => self.idx.uuid.hyphenated().to_string(), "args" =>devfs_args.clone().join(" "));
let output = Command::new(MOUNT).args(devfs_args).output().expect(
"failed to mount devfs in outer jail",
);
if !output.status.success() {
crit!("failed to mount ounter devfs"; "vm" => self.idx.uuid.hyphenated().to_string());
return Err(GenericError::bx("Could mount outer devfs"));
}
let mut devfs = String::from("/");
devfs.push_str(self.idx.root.as_str());
devfs.push_str("/root/jail/dev");
let devfs_args = vec!["-t", "devfs", "devfs", devfs.as_str()];
debug!("mounting devfs in inner jail"; "vm" => self.idx.uuid.hyphenated().to_string(), "args" =>devfs_args.clone().join(" "));
let output = Command::new(MOUNT).args(devfs_args).output().expect(
"failed to mount devfs in inner jail",
);
if !output.status.success() {
crit!("failed to mount inner devfs"; "vm" => self.idx.uuid.hyphenated().to_string());
return Err(GenericError::bx("Could not remove resource limits"));
}
let mut linprocfs = String::from("/");
linprocfs.push_str(self.idx.root.as_str());
linprocfs.push_str("/root/jail/proc");
let linprocfs_args = vec!["-t", "linprocfs", "linprocfs", linprocfs.as_str()];
debug!("mounting linprocfs in inner jail"; "vm" => self.idx.uuid.hyphenated().to_string(), "args" =>linprocfs_args.clone().join(" "));
let output = Command::new(MOUNT).args(linprocfs_args).output().expect(
"failed to mount linprocfs in inner jail",
);
if !output.status.success() {
crit!("failed to mount inner linprocfs"; "vm" => self.idx.uuid.hyphenated().to_string());
return Err(GenericError::bx("Could not remove resource limits"));
}
let mut linsysfs = String::from("/");
linsysfs.push_str(self.idx.root.as_str());
linsysfs.push_str("/root/jail/sys");
let linsysfs_args = vec!["-t", "linsysfs", "linsysfs", linsysfs.as_str()];
debug!("mounting linsysfs in inner jail"; "vm" => self.idx.uuid.hyphenated().to_string(), "args" =>linsysfs_args.clone().join(" "));
let output = Command::new(MOUNT).args(linsysfs_args).output().expect(
"failed to mount linsysfs in inner jail",
);
if !output.status.success() {
crit!("failed to mount inner linsysfs"; "vm" => self.idx.uuid.hyphenated().to_string());
return Err(GenericError::bx("Could not remove resource limits"));
}
Ok(0)
}
fn remove_rctl(&self) -> Result<i32, Box<Error>> {
let mut prefix = String::from("jail:");
......
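Review bot: The brand test in `start` is inverted: `if self.config.brand != "lx-jail"` sends every non-Linux jail through `mount_devfs_lx` (which expects a `root/jail/dev` that plain jails do not have, so their start will now fail) while the `lx-jail` brand from the new JSON gets only the plain `mount_devfs`; it should read `if self.config.brand == "lx-jail" { self.mount_devfs_lx()?; } else { self.mount_devfs()?; }`. In `mount_devfs_lx`, both devfs mounts are issued as `-t devfs devfs <path>` with no `-o ruleset=` option, so unless a devfs ruleset is applied somewhere not visible here, the outer and inner jail roots see the host's complete `/dev` — worth confirming, since hiding host devices is the main reason jails get a devfs ruleset at all. The failure branches after the inner devfs, linprocfs and linsysfs mounts all return the copy-pasted `"Could not remove resource limits"` (and the outer one `"Could mount outer devfs"`), which will mislead whoever reads the log, and the `.expect(...)` on each `Command::output()` turns an unspawnable `mount` into a panic of the whole process instead of an `Err` from `start` — `map_err` into `GenericError` and `?` would keep it on the normal error path. The body of `start` continues past the first hunk and `remove_rctl` begins at the end of the second.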