Page MenuHomeFreeBSD

Avoid a clash between uses of /etc/jail.conf.d
ClosedPublic

Authored by jamie on Sep 24 2023, 12:46 AM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 3 2024, 2:51 PM
Unknown Object (File)
Sep 30 2024, 9:36 AM
Unknown Object (File)
Sep 24 2024, 7:53 PM
Unknown Object (File)
Sep 21 2024, 2:36 AM
Unknown Object (File)
Sep 20 2024, 1:22 PM
Unknown Object (File)
Sep 18 2024, 6:47 PM
Unknown Object (File)
Sep 17 2024, 8:18 PM
Unknown Object (File)
Sep 17 2024, 3:07 PM

Details

Summary

Since the 13.1 release, /etc/rc.d/jail has looked for a per-jail config file in /etc/jail.conf.d. Before RELENG 14, the ".include" directive was added to jail(8), with a a sample line in the jail.conf(5) man page that includes "/etc/jail.conf.d/*.conf".

These two use cases don't work together. When the jail.conf.d files are included from a master jail.conf, the files in jail.conf.d are likely to hold only partial configurations, and shouldn't be directly loaded by rc.d/jail. But there are existing configurations that depend on the current rc.d behavior. While it would be simple to advise users not to include from /etc/jail.conf.d, it would be the obvious choice even if not mentioned in jail.conf.5

The workaround is for rc.d/jail to continue to load the individual files, but only when /etc/jail.conf doesn't include from that directory (via a simple grep test), This allows the new use for this directory, while not breaking the previous use.

Test Plan

Create per-jail configuration files in /etc/rc.d/jail.conf.d that are meant to be the entire configuration for a single jail. These should load with "service jail start jailname" when /etc/jail.conf doesn't exist, or exists without including from that directory. In this case, nothing in /etc/jail.conf should be loaded for those jails.

Second, create a master /etc/jail.conf that includes "/etc/jail.conf.d/*" to pull in some jail-specific configuration, while keeping the global configuration in /etc/jail.conf. This time, the files in /etc/jail.conf.d should *not* work on their own. Again, "service jail start jailname" should properly start the jail, showing the files weren't improperly included directly, but via /etc/jail.conf instead.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable