Introduce JAILED_DATASET option to poudriere.conf

arrowd · arrowd · commit 4a5e4b94fdf7 · 2025-04-18T10:04:30.000+03:00
This option allows passing a temporary ZFS dataset into the jail along with
full control over it from within the jail.

Sponsored by:	Future Crew, LLC
diff --git a/src/etc/poudriere.conf.sample b/src/etc/poudriere.conf.sample
@@ -18,6 +18,14 @@
 # root of the poudriere zfs filesystem, by default /poudriere
 # ZROOTFS=/poudriere
 
+# ZFS dataset relative to ZROOTFS that will be passed into jail using zfs-jail(8)
+# The jail will have full control over this dataset
+# The dataset is recreated from scratch on every jail start and is destroyed
+# when jail is stopped
+# Enabling this feature will set "allow.mount=1", "allow.mount.zfs=1"
+# and "enforce_statfs=1" parameters for the jail
+#JAILED_DATASET=
+
 # the host where to download sets for the jails setup
 # You can specify here a host or an IP
 # replace _PROTO_ by http or ftp
diff --git a/src/share/poudriere/common.sh b/src/share/poudriere/common.sh
@@ -929,6 +929,7 @@ injail_tty() {
 jstart() {
 	local mpath name network
 	local MAX_MEMORY_BYTES
+	local allow_mount_args
 
 	unset MAX_MEMORY_BYTES
 	case "${MAX_MEMORY:+set}" in
@@ -945,6 +946,12 @@ jstart() {
 		;;
 	esac
 
+	case "${JAILED_DATASET}" in
+	"") ;;
+	*)
+		allow_mount_args="allow.mount=1 allow.mount.zfs=1 enforce_statfs=1"
+	esac
+
 	_my_name name
 
 	mpath=${MASTERMNT:?}${MY_JOBID:+/../${MY_JOBID}}
@@ -954,13 +961,21 @@ jstart() {
 	# Restrict to no networking (if RESTRICT_NETWORKING==yes)
 	jail -c persist name=${name:?} \
 		path=${mpath:?} \
-		host.hostname=${BUILDER_HOSTNAME-${name}} \
-		${network} ${JAIL_PARAMS}
+		host.hostname=${BUILDER_HOSTNAME-${name:?}} \
+		${network} ${allow_mount_args} ${JAIL_PARAMS}
 	# Allow networking in -n jail
-	jail -c persist name=${name}-n \
+	jail -c persist name=${name:?}-n \
 		path=${mpath:?} \
-		host.hostname=${BUILDER_HOSTNAME-${name}} \
-		${IPARGS} ${JAIL_PARAMS} ${JAIL_NET_PARAMS}
+		host.hostname=${BUILDER_HOSTNAME-${name:?}} \
+		${IPARGS} ${allow_mount_args} ${JAIL_PARAMS} ${JAIL_NET_PARAMS}
+
+	if [ "${JAILED_DATASET}" ]; then
+		local jailed_dataset_name=${ZPOOL}${ZROOTFS}${JAILED_DATASET}_${name:?}
+		zfs destroy -Rf ${jailed_dataset_name} 2>/dev/null || :
+		zfs create -o jailed=on ${jailed_dataset_name}
+		zfs jail ${name:?} ${jailed_dataset_name}
+		zfs jail ${name:?}-n ${jailed_dataset_name}
+	fi
 	return 0
 }
 
@@ -1000,6 +1015,10 @@ jstop() {
 	_my_name name
 	jail -r ${name:?} 2>/dev/null || :
 	jail -r ${name:?}-n 2>/dev/null || :
+
+	if [ "${JAILED_DATASET}" ]; then
+		zfs destroy -Rf ${ZPOOL}${ZROOTFS}${JAILED_DATASET}_${name:?} 2>/dev/null || :
+	fi
 }
 
 eargs() {
@@ -10471,6 +10490,11 @@ set) ;;
 	case ${ZROOTFS} in
 	[!/]*) err 1 "ZROOTFS should start with a /" ;;
 	esac
+	: ${JAILED_DATASET=""}
+	case ${JAILED_DATASET} in
+	"") ;;
+	[!/]*) err 1 "JAILED_DATASET should start with a /" ;;
+	esac
 	;;
 esac
 
