From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 14:24:35 2010 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 085B2106566C; Mon, 28 Jun 2010 14:24:35 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from mail.ebusiness-leidinger.de (mail.ebusiness-leidinger.de [217.11.53.44]) by mx1.freebsd.org (Postfix) with ESMTP id A168F8FC22; Mon, 28 Jun 2010 14:24:34 +0000 (UTC) Received: from outgoing.leidinger.net (pD9E2CB8E.dip.t-dialin.net [217.226.203.142]) by mail.ebusiness-leidinger.de (Postfix) with ESMTPSA id 3534184405D; Mon, 28 Jun 2010 16:24:31 +0200 (CEST) Received: from webmail.leidinger.net (webmail.leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 7676F5961; Mon, 28 Jun 2010 16:24:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=Leidinger.net; s=outgoing-alex; t=1277735067; bh=dpT6j1pR7Yn9v1G9Q6XskDE6xbZ96FQl2O/yVSLvuXU=; h=Message-ID:Date:From:To:Cc:Subject:References:In-Reply-To: MIME-Version:Content-Type:Content-Transfer-Encoding; b=D/cOTjD+N6ElH+q9kTU+7EPVs+n+7x+Bd0b791RctOhSXs2Y8au0vIuFfI/iDIBeJ YYRazTafylpsEFEP2U5eIg2ZMp+FFw7wI9q5wReMGzXLXBrEaa/RyltMA3DclYUm17 zk2LXdIExKWM0NNYfASlw+PksFORqWiQbOAwu2pkzY3DccBU4S/p+ftf0FHgJeiDh3 pVwRVst/YNKt1MTZDNM4uZASah0fnClkmOEDJRlpBRbt28pIRDmAHpcpIFX9Z+188B +soMAzEN2Nce6GX7dv3D6jQFQ+OBOj4GMNoC8arLsO725dk+f2Gc374qiK7kFUXs82 wb6TepYLVufQg== Received: (from www@localhost) by webmail.leidinger.net (8.14.4/8.13.8/Submit) id o5SEORcC083931; Mon, 28 Jun 2010 16:24:27 +0200 (CEST) (envelope-from Alexander@Leidinger.net) Received: from pslux.ec.europa.eu (pslux.ec.europa.eu [158.169.9.14]) by webmail.leidinger.net (Horde Framework) with HTTP; Mon, 28 Jun 2010 16:24:26 +0200 Message-ID: <20100628162426.21226ds0q116ljks@webmail.leidinger.net> Date: Mon, 28 Jun 2010 16:24:26 +0200 From: Alexander Leidinger To: Jamie Gritton References: <4C22650C.40309@FreeBSD.org> <20100624144312.00003d9f@unknown> <4C238832.2050803@FreeBSD.org> In-Reply-To: <4C238832.2050803@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Dynamic Internet Messaging Program (DIMP) H3 (1.1.4) X-EBL-MailScanner-Information: Please contact the ISP for more information X-EBL-MailScanner-ID: 3534184405D.A7751 X-EBL-MailScanner: Found to be clean X-EBL-MailScanner-SpamCheck: not spam, spamhaus-ZEN, SpamAssassin (not cached, score=0.177, required 6, autolearn=disabled, ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, J_CHICKENPOX_46 0.60, J_CHICKENPOX_53 0.60, TW_ZJ 0.08) X-EBL-MailScanner-From: alexander@leidinger.net X-EBL-MailScanner-Watermark: 1278339872.31379@kyucgpD8i5kX+T9dAUdWZw X-EBL-Spam-Status: No Cc: freebsd-jail@FreeBSD.org Subject: Re: Thoughts on jail.config X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2010 14:24:35 -0000 Quoting Jamie Gritton (from Thu, 24 Jun 2010 10:30:42 -0600): > On 06/24/10 06:43, Alexander Leidinger wrote: > >> On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton >> wrote: >> >>> The rc system is becoming increasingly unable to handle the newer jail >>> features. We've held off patching /etc/rc.d/jail for new parameters, >>> with the promise of something better. Here's my outline of what I >>> hope will be in fact better than what we have now. >> >> I'm not sure from your explanation if your new setup allows ezjail to >> mangage jails as easy as it is now. If the new jail command will have >> an option to specify a config file, and the jail command only operates >> on the jails of this config file and ignores other jails which are >> already running (e.g. on a shutdown request), your new system looks >> like it is easy to use with ezjail. > > Yes, you'll be able to specify a config file via the command line, with > a default of /etc/jail.conf. Great. > Jails that exist outside of the config file's knowledge are a tricky > point, and the problems are really only on a shutdown request. While I > haven't coded this part of things yet, I've considered that I'll need > two different kinds of blanket shutdowns: one for all the jails in the > config file, and another for all jails in the system. The latter would > be the most sensible to use during system shutdown, when it doesn't make > sense to leave any jails running. But orderly shutdown is part of the > config spec (e.g. running "/bin/sh /etc/rc.shutdown"), and it may be > best to assume that if the jails were created outside of the rc system, > they'll be removed in the same way. There are two additional sides: 1) For jails which are created by example via ezjail I agree that it is within the responsability of the ezjail to shut them down. 2) For jails which are created/started by hand from a custom config file for testing purposes, I think a "shutdown all remeaining jails even if there is not entry in the config file" would be good. The problem with this is, that you need to make assumptions how to do a shutdown, or record this info in the kernel on creation time (and use this only if no config with appropriate info is available). > So in short, I think it will be compatible with ezjail. > >> Another point which interests me is how your new way of doing things >> will handle things like allow.raw_sockets. Assume I have some kernel >> modification which adds allow.XXX, do I need to modify the parsing of >> the jail command to handle this, or will this work transparently >> without userland modifications? > > That will work transparently, as does the current jail(8) command line. > The only time you'd need to modify userland tools for a new jail > parameter is if that parameter has a data type the tools don't > understand. Most parameters operate on numbers or strings, but for > example IP addresses are passed in binary and userland needs to know how > to convert them to/from strings. That's easy enough for my purposes. :) Bye, Alexander. -- Hitchcock's Staple Principle: The stapler runs out of staples only while you are trying to staple something. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137