This allows a jail to have a VPN config associated and as a result we start
a new net namespace, completely isolating the jails networking.
We then start an openVPN client to route between the main network and the
jails' network.
The main limitation here is that we don't setup DNS, which basically means
that the VPN will route DNS calls to the other side, but since we don't
remount resolv.conf this depends on the vpn provider actually mapping the
nameserver we use. For people that use a nameserver like 192.168.100.1,
this most of the time works just fine.
Improvement is possible.
When a jail is encryted at rest using 'encfs' we detect that and ask for
a password upon starting the jail.
This sounded like a neat little idea which ended up taking nearly 4 days
to do...
EncFS needs to be running as root, as it is a FUSE system and it will
actually stop root from reading/writing files if it is running as a
user. It also is very picky about not running in a namespace, it manages
to hang indefinitely otherwise where a shutdown can't complete because
the process doesn't want to die :-)
So, it runs as root, takes the password via a pipe and we have a
watchdog proces to kill it when the jail is shut down.
The pipe was always there, but we didn't really use it so far.
This now uses the pipe to send back the PID of the 'jailer' which we
store in a 'state' file.
Added plenty of small docs.
Changed the message to be pre-fixed with a message-size in order to allow
us to get interrupted on read() and know
if we need to read more.
Also fixes the bug that the server shuts down after one process as
reported by some.
tomFlowee