Date:      Wed, 14 Dec 2016 13:33:14 -0500
From:      "Isaac (.ike) Levy" <ike@blackskyresearch.net>
To:        galtsev@kicp.uchicago.edu
Cc:        Allan Jude <allanjude@freebsd.org>, freebsd-jail@freebsd.org
Subject:   Re: multiple interfaces for jail.conf(1) and jail_set(2)
Message-ID:  <ADC537A8-5E39-4467-A541-F71FA98111CA@blackskyresearch.net>
In-Reply-To: <27934.128.135.52.6.1481728934.squirrel@cosmo.uchicago.edu>
References:  <0ED7F403-F14E-4A72-8E54-AF74AAE15061@blackskyresearch.net> <11488.128.135.52.6.1481666606.squirrel@cosmo.uchicago.edu> <BF1B3D9C-D3D3-4F57-9B10-417C176E8423@blackskyresearch.net> <02b85a36-007b-605d-7ab0-c9e56495d86e@freebsd.org> <27934.128.135.52.6.1481728934.squirrel@cosmo.uchicago.edu>


>> In ezjail I can just do this:
>>
>
> Of course, it is great to learn that some tools can do this or that.
> However, this only is helpful to those who are just choosing what to use
> for the future. Once your choice is made, you (at least I) kind of avoid
> jumping over to doing something using different tools, especially what is
> already done some specific way on your production machine.
>
> I guess what I'm trying to say is: don't be surprised if OP finds your
> effort to help him ultimately useless.
>
> Incidentally, I for one set up jails "by the book", not by using some tool
> which does it all for me behind the scenes. So, references to any tools
> kind of set me off (hence this reply of mine ;-)
>
> Just my $0.02.
>
> Valeri

Sorry to drag this out further, but Valeri is spot on here.

Sorry to indulge and repeat in my own words: after using jail(8) heavily
since 1999, and even helping run one of the earliest jail-based ISPs, I am
a bit taken aback to see such a propensity toward suggesting 3rd party
tooling on this list, particularly as it does not answer my original
question.

Has everyone been using so many 3rd party tools for jailing for so long
that we’ve forgotten how jail(8) works, to the point that my original
question can’t even be recognized?  A question not worth answering, but
certainly worth pondering!  I’m not arguing against the use of nice 3rd
party tools, but I do want to make it very clear that they are not
required for heavy or even light jailing.

The strength of jail(8) and jail(2), even before important features like
multiple IPs and per-jail securelevels etc., was always that it’s just
another small piece of the UNIX ecosystem: jail(8) was strong because the
*entire* base system made it strong.
For example: before multiple jail IPs, we’d often simply NAT addresses on
the jailing host itself; a bit of scripting ifconfig(8) made it simple for
our environment.  Before base provided per-jail devfs rulesets (and even
before devfs), we’d simply make and delete packs of ‘/dev’ tarballs for
various jails, removing the devices which were inappropriate for our
applied need.  I could go on forever, but nearly everything one could need
in a jailed system can always be set up using other base tools and the
UNIX philosophy.

Even today, jail(8) is still trivially scriptable for starting/stopping
and managing many jails.  For my use, just using the base system is
preferable over 3rd party tooling because I know exactly what I want to
do, and with common UNIX knowledge I can manage hundreds and thousands of
jails across multiple hardware hosts, with nothing but the base system.
3rd party tools can be wonderful, but over the 17+ years I’ve been using
FreeBSD jail(8), many 3rd party tools have come and gone and changed a
great deal, while the base UNIX system has not fundamentally changed.  I
mean, even many jail-related scripts I wrote in 1999 are still completely
functional and relevant.

Best,
.ike
