From: Andreas Nilsson
To: Fbsd8, Mailinglists FreeBSD
Date: Tue, 13 May 2014 14:56:50 +0200
Subject: Re: new jail framework with vnet, zfs and jail.conf support
In-Reply-To: <537212B7.8080909@a1poweruser.com>
References: <640993be45d72e4dac19181ae6644d27@dachev.info> <53720C0F.9010707@a1poweruser.com> <537212B7.8080909@a1poweruser.com>
List-Id: "Discussion about FreeBSD jail(8)" <freebsd-jail@freebsd.org>
On Tue, May 13, 2014 at 2:40 PM, Fbsd8 wrote:
> Andreas Nilsson wrote:
>> On Tue, May 13, 2014 at 2:11 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
>>> freebsd_jail@dachev.info wrote:
>>>> Hi,
>>>>
>>>> I'm currently in the process of developing a new tool for easy jail
>>>> administration with zfs and vimage/vnet (bridged epair interface) support.
>>>> The idea is to have a single application (python script) without any
>>>> other config files and customization.
>>>> This tool is written in Python, and works only with vnet, zfs and
>>>> FreeBSD 10 (it will probably work on FreeBSD 9.1, but I never tested it).
>>>> JADM works only with the native /etc/jail.conf.
>>>> When started for the first time, jadm generates a new /etc/jail.conf in
>>>> a special format developed by me.
>>>> The jail.conf file can also be used without JADM.
>>>>
>>>> For more information please contact me or visit:
>>>> https://github.com/NikolayDachev/jadm
>>>>
>>>> JADM is in development status; most of the functions work normally
>>>> (with bugs, but they work :)).
>>>>
>>>> Unfortunately I don't have a lot of time for it, so I need test users.
>>>> At the moment the last function for JADM is to support the skeleton jail
>>>> model (similar to ezjail with a base jail etc.).
>>>> This function is still in progress; meanwhile, if someone has time to
>>>> test all the other functions and report any issue, bug or ideas...
>>>
>>> I think you have made some poor basic design choices.
>>>
>>> 1. Requiring python as a dependency. That's a lot of overhead just for
>>> a script. Not a show stopper, but a csh script would have been better.
>>
>> Why is csh better than sh?
>>
>>> 2. Using the highly experimental "vimage" as the cornerstone of the
>>> overall design. Vimage has many long standing PRs, does not work with
>>> any of the firewalls, has NO maintainer, and requires a custom kernel to
>>> enable.
>>> This is a major show stopper. Cannot risk a production jail
>>> environment on highly experimental software. Even if vimage gets a
>>> maintainer, all the firewalls need to be updated to play nice in a
>>> vimage environment, and there are existing PRs to that effect which
>>> the firewall maintainers are reluctant to address because of
>>> vimage's status as highly experimental. What you're trying to do may
>>> never bear fruit due to things totally out of your control.
>>
>> What do you mean by "not work with any of the firewalls"?
>
> When enabled with a kernel that has vimage they hang the system on boot,
> page fault, or in the case of ipfw, NAT page faults. Just check the
> outstanding PR list for the gory details.

And that is a gross overstatement. I run a vimage kernel and ipfw on a number
of machines. Not one kernel panic.

>> And for people who require separate networking, vimage is the answer. I
>> say it is a shame vimage is not in generic yet.
>
> I agree with you. But it's out of our control. If I remember correctly, the
> vimage author completed his dissertation, which was based on his writing
> vimage, graduated college and moved on with his life.

That would be very sad. Maybe the foundation could sponsor him and/or someone
else to have another go at it. It's not like pf and ipfilter are the most
well-maintained things either.

I however long for the day when FreeBSD catches up with illumos in terms of
light-weight virtualization with separate networking (seeing as jails were the
model for zones). But maybe netmap + vale switches with vimage could be made to
play better together. But I guess we each want different things.

Best regards
Andreas