From owner-freebsd-arch Sat Apr 28 13:38:40 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by hub.freebsd.org (Postfix) with ESMTP
	id 44E8F37B424; Sat, 28 Apr 2001 13:38:36 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1])
	by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f3SKcPU29884;
	Sat, 28 Apr 2001 22:38:25 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Robert Watson
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: jailNG
In-Reply-To: Your message of "Mon, 23 Apr 2001 14:29:22 EDT."
Date: Sat, 28 Apr 2001 22:38:25 +0200
Message-ID: <29882.988490305@critter>
From: Poul-Henning Kamp
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm not uninterested in jails, but I have no time (and no contracts
to give me time) for it at present.

In general I think jail is in much more capable hands with you anyway :-)

Poul-Henning

In message , Robert Watson writes:
>
>This weekend I was spending some time tweaking the jail(8) code to improve
>its SMPng-happiness as well as manageability. Unfortunately, I ended up
>rewriting it in the process :-). I changed the model somewhat so that
>jails are now persistently configured, joined, et al, and broke out the
>chroot() from the creation/joining process, as with increased namespaces
>(such as System V IPC) creating a nice clean failure was increasingly
>difficult. Aspects of individual jails may now be managed using sysctl's,
>which appears to work reasonably well. Clearly there's a lot of work left
>to do, but I'd appreciate comments if people are interested:
>
>    http://www.watson.org/~robert/jailng/
>
>Simple example:
>
>dev# ./jailctl
>usage:
>    jailctl create [jailname]
>    jailctl destroy [jailname]
>    jailctl join [jailname] [-c chrootpath] [path] [cmd] [args...]
>dev# ./jailctl create test
>dev# sysctl -a | grep jail
>jail.instance.test.sysvipc_permitted: 0
>jail.instance.test.set_hostname_permitted: 1
>jail.instance.test.socket_ipv4_permitted: 1
>jail.instance.test.socket_unix_permitted: 1
>jail.instance.test.socket_route_permitted: 1
>jail.instance.test.socket_other_permitted: 0
>jail.instance.test.ipv4addr: 0
>dev# ./jailctl join test -c /tmp /bin/sh
># ps ax
>  PID  TT  STAT      TIME COMMAND
>  907  d0  DWJ    0:00.02 /bin/sh
>  908  d0  RW+J   0:00.00 ps ax
># exit
>dev# ./jailctl destroy test
>dev#
>
>I also have a jailinit(8) in the works which would allow improved
>startup/shutdown in the style of init(8) (sans the whole sigchild thing).
>Another feature I'd like to add is a jail signal call that allows a signal
>to be delivered to all processes inside a jail from outside, allowing an
>easier forceable shutdown.
>
>Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
>robert@fledge.watson.org      NAI Labs, Safeport Network Services
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-arch" in the body of the message
>

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message