Date: Wed, 23 Jun 2010 13:48:28 -0600 From: Jamie Gritton <jamie@FreeBSD.org> To: jail@FreeBSD.org Cc: "Bjoern A. Zeeb" <bz@FreeBSD.org>, "Simon L. Nielsen" <simon@FreeBSD.org> Subject: Thoughts on jail.config Message-ID: <4C22650C.40309@FreeBSD.org>
next in thread | raw e-mail | index | archive | help
The rc system is becoming increasingly unable to handle the newer jail
features. We've held off patching /etc/rc.d/jail for new parameters,
with the promise of something better. Here's my outline of what I hope
will be in fact better than what we have now.
I'm working on extending jail(8) to use a configuration file that would
have everything currently in a $jail_XXX variable in rc.conf.
/etc/rc.d/jail would ideally be reduced to a single "jail -c" call for
startup and "jail -r" for shutdown, though I'm not sure if thing will go
quite that far.
I'm using the state of the art in config files, the C-style already used
by apmd and devd in /etc, as well as many non-core programs. Each section
would be a jail name, and within the sections would be the jail parameters,
or pseudo-parameters known by the program.
foo {
host.hostname = "foo.bar";
path = "/usr/jail/foo";
ip4.addr = "11.22.33.44";
}
The "name" parameter is implicit. Adding an actual name explicitly in
the definition may work if you want it different for some reason, though
I haven't yet worked out how well that would work.
You can also have default parameters, defined at the top level or in a
pseudo-jail called "*". The reason for that is you can also have
defaults that apply only to some jails, as a hierarchical feature. So
you could have a section "foo.*" that would have parameters for any jail
under "foo".
Parameters can include other parameters as shell-style variables. This
use useful for defining defaults based on the jail name. A common use I
expect is:
path = "/usr/jail/$name";
This would allow you to set up default parameters as templates. This
variable substitution also works the other way. Consider the global
variable:
$prefix = "10.1.1";
foo {
ip4.addr = "$prefix.3"
}
Note difference to the previous example. The variable is defined as
"$prefix = ...", not as "prefix = ...". That means it won't be included
as a jail parameter (since there is no parameter called "prefix").
When this setup, you should be able to fully specify a jail with most of
the work done on the global end, and the per-jail parameters needing
only the parts that actually vary between jails.
In addition to the known jail parameters, there are pseudo-parameters
that don't get passed to jail_set(2), but have some use in setting up
the jail on the userland side. The current jail(8) already has the
"command" pseudo-parameter, that specifies something to run (typically
"sh /etc/rc") after the jail is created.
I have done very little work with these pseudo-parameters so far, and
they're still mostly up in the air. From recent conversation on the
jail list, I've added "depend", which can specify that a jail is not to
start until another jail has been set up.
The other pseudo-parameters come from what /etc/rc.d/jail currently
does. Many of these have to do with commands run at different stages in
the setup. Here's the current shell settings I have able to pull from
that file:
Commands:
exec_prestart: run outside jail before create
exec_start: single command run inside jail upon creation
same as "command" parameter
exec_afterstart: run inside jail after create, each in its own "jexec"
exec_poststart: run outside jail after create (after exec_afterstart)
exec_prestop: run outside jail before destroy
exec_stop: run inside jail before destroy
exec_poststop: run outside jail after destroy
Other:
interface: interface to create/destroy all jail's IPs on
fib: setfib ID
devfs_enable: mount a /dev
devfs_ruleset: /dev ruleset
fdescfs_enable: mount a /dev/fs
procfs_enable: mount a /proc
mount_enable: mount arbitrary filesystems
fstab: filesystems to mount
consolelog: where to redirect start/stop command output
Some of these parameters could use some cleaning up, and are only the
way they are because of the constraints of the sh-based rc system.
Notably "fib" may be better worked into the kernel as a true jail
parameter. I wouldn't expect a one-for-one transfer of all these
parameters from /etc/rc.d/jail into jail(8), but I'd want to provide
their functionality in whatever way works best.
This is where I start to need input. What works best? I was rather
surprised at the proliferation of exec_* specifiers in the rc system
(including the recent request for yet another), and I'm not sure what
the real needs are for such things. The various filesystem parameters
could probably be (mostly) merged into a single per-jail fstab, or
perhaps a "mount" pseudo-parameter. Doubtless this config file format
will grow with time, but I'd like it to get as clean a start as
possible.
Right now I don't have code I can share. I've made the code to read the
config files, but not to do anything with them yet. But as I firm up
just what configuration options will exist, something runnable should
soon follow.
I'm interested in hearing the needs of jail users, to make sure I do the
right thing.
- Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C22650C.40309>