diff --git a/src/etc/poudriere.conf.sample b/src/etc/poudriere.conf.sample index 7484df235b..038617627f 100644 --- a/src/etc/poudriere.conf.sample +++ b/src/etc/poudriere.conf.sample @@ -18,6 +18,14 @@ # root of the poudriere zfs filesystem, by default /poudriere # ZROOTFS=/poudriere +# ZFS dataset relative to ZROOTFS that will be passed into jail using zfs-jail(8) +# The jail will have full control over this dataset +# The dataset is recreated from scratch on every jail start and is destroyed +# when jail is stopped +# Enabling this feature will set "allow.mount=1", "allow.mount.zfs=1" +# and "enforce_statfs=1" parameters for the jail +#JAILED_DATASET= + # the host where to download sets for the jails setup # You can specify here a host or an IP # replace _PROTO_ by http or ftp diff --git a/src/share/poudriere/common.sh b/src/share/poudriere/common.sh index 06d85a2f14..40f011b1be 100755 --- a/src/share/poudriere/common.sh +++ b/src/share/poudriere/common.sh @@ -967,6 +967,7 @@ injail_tty() { jstart() { local mpath name network network="${LOCALIPARGS:?}" + local allow_mount_args case "${RESTRICT_NETWORKING-}" in "yes") ;; @@ -975,6 +976,12 @@ jstart() { ;; esac + case "${JAILED_DATASET}" in + "") ;; + *) + allow_mount_args="allow.mount=1 allow.mount.zfs=1 enforce_statfs=1" + esac + _my_name name mpath="${MASTERMNT:?}${MY_JOBID:+/../${MY_JOBID}}" @@ -985,12 +992,20 @@ jstart() { jail -c persist "name=${name:?}" \ "path=${mpath:?}" \ "host.hostname=${BUILDER_HOSTNAME-${name}}" \ - ${network} ${JAIL_PARAMS-} + ${network} ${allow_mount_args} ${JAIL_PARAMS-} # Allow networking in -n jail - jail -c persist "name=${name}-n" \ + jail -c persist "name=${name:?}-n" \ "path=${mpath:?}" \ "host.hostname=${BUILDER_HOSTNAME-${name}}" \ - ${IPARGS:?} ${JAIL_PARAMS-} ${JAIL_NET_PARAMS-} + ${IPARGS:?} ${allow_mount_args} ${JAIL_PARAMS-} ${JAIL_NET_PARAMS-} + + if [ "${JAILED_DATASET}" ]; then + local jailed_dataset_name=${ZPOOL}${ZROOTFS}${JAILED_DATASET}_${name:?} + zfs destroy -Rf ${jailed_dataset_name} 2>/dev/null || : + zfs create -o jailed=on ${jailed_dataset_name} + zfs jail ${name:?} ${jailed_dataset_name} + zfs jail ${name:?}-n ${jailed_dataset_name} + fi return 0 } @@ -1035,6 +1050,10 @@ jstop() { _my_name name jail -r "${name:?}" 2>/dev/null || : jail -r "${name:?}-n" 2>/dev/null || : + + if [ "${JAILED_DATASET}" ]; then + zfs destroy -Rf ${ZPOOL}${ZROOTFS}${JAILED_DATASET}_${name:?} 2>/dev/null || : + fi } eargs() { @@ -10373,6 +10392,11 @@ set) ;; case ${ZROOTFS} in [!/]*) err 1 "ZROOTFS should start with a /" ;; esac + : ${JAILED_DATASET=""} + case ${JAILED_DATASET} in + "") ;; + [!/]*) err 1 "JAILED_DATASET should start with a /" ;; + esac ;; esac