Date:      Tue, 04 Sep 2012 11:33:06 +0200
From:      Martin Matuska <mm@FreeBSD.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-jail@freebsd.org, pjd@freebsd.org, jamie@freebsd.org
Subject:   Re: Fixed Jail ID for ZFS -> need proper mgmt?
Message-ID:  <5045CAD2.9030507@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.1209040846530.76284@ai.fobar.qr>
References:  <alpine.BSF.2.00.1209040846530.76284@ai.fobar.qr>

On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
> Hi,
>
> I had been talking to someone about jail management and it turns out
> people are using jail jid=42 to always have a fixed jail ID.  The
> reason as I understood is that ZFS datasets are associated by jail id
> for delegation? [I admit having no clue about the ZFS side]
>
ZFS can be delegated to a jail's id using the "zfs jail" subcommand.

> If this is true I feel it's a very bad idea as it makes restarting
> jails a lot harder in case they remain DYING for say a not fully
> closed TCP session.
>
> My memories are: jid are still unique and cannot be re-used, even if
> in DYING, names can be re-used and thus are not necessarily unique.
> Jamie, can you confirm this?
>
> Seems we need to sort out one to two problems:
>
> 1) can we make sure that the jail management framework can address a
>    ZFS dataset for delegation somehow and automatically do that as
>    part of the startup?
>
IMO the best way would be adding ZFS features to jail startup. I have
already proposed such a script, see the sysutils/jailrc port.
To have delegated ZFS datasets manageable in a jail, we need the following:
a) /dev/zfs must be available in the jail
b) zfs jail jailid dataset has to be called (this makes the dataset
visible in a jail) - this has to be done every time the jail is created
c) the dataset needs the jailed property set to "on" (this makes the
dataset manageable) - this is a permanent property, I am not sure if
this should be managed from the startup script

> 2) in the case of (1) it should be possible to address jails by name
>    as ZFS would be handled automatically and we would not need another
>    unique identifier I guess?
>    Otherwise I'd prefer for people to be able to delegate ZFS datasets
>    to jail names (as well), as long as they are uniquely identifiable
>    (i.e. there are no 17 jails running with a name of "filesever").
>
The binding of a ZFS dataset to a jail has to be exact. So we end up
with IDs.
But we could add something like "zfs datasets" to the jail's
configuration file. The jail command would then simply exec "zfs jail
jailid dataset" for each of the datasets on jail creation right before
initiating rc startup and "zfs unjail jailid dataset" for each of the
datasets after jail's rc shutdown but before the jail is destroyed.

> Do we have documentation for the ZFS features in the man pages or
> elsewhere btw?   If not we should add it.
>
zfs(8), section "Jails" and subcommands "jail", "unjail"

> Does this make sense?
>
> /bz
>
Cheers,
mm

-- 
Martin Matuska
FreeBSD committer
http://blog.vx.sk
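
The steps listed in this reply (a to c, plus "zfs jail" on creation and "zfs unjail" after rc shutdown), as an added sketch that is not part of the original message and is not the sysutils/jailrc script. The function names and the attach/detach arguments are hypothetical; it resolves the JID from the jail name at run time instead of relying on a fixed jid, and assumes /dev/zfs is already unhidden in the jail's devfs ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): attach/detach delegated ZFS datasets
# by jail *name*, resolving the current JID at run time.
# Assumptions: function names and the attach/detach arguments are
# hypothetical; /dev/zfs is already visible inside the jail (step a).

# Print the JID of the live jail called $1. Without -d, jls omits
# dying jails, so a lingering DYING instance is never matched.
resolve_jid() {
    jid=$(jls -j "$1" jid 2>/dev/null) || return 1
    case "$jid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: refuse to continue
    esac
    echo "$jid"
}

# Step b: run "zfs jail <jid> <dataset>" for every dataset, after the
# jail exists and before its rc startup. Datasets without jailed=on
# (step c, a permanent property) are reported and skipped, not changed.
attach_datasets() {
    name=$1; shift
    jid=$(resolve_jid "$name") || { echo "no live jail: $name" >&2; return 1; }
    rc=0
    for ds in "$@"; do
        if [ "$(zfs get -H -o value jailed "$ds")" != "on" ]; then
            echo "skip $ds: jailed property is not on" >&2
            rc=2
            continue
        fi
        zfs jail "$jid" "$ds" || rc=1
    done
    return $rc
}

# Run after the jail's rc shutdown and before the jail is destroyed.
detach_datasets() {
    name=$1; shift
    jid=$(resolve_jid "$name") || { echo "no live jail: $name" >&2; return 1; }
    for ds in "$@"; do
        zfs unjail "$jid" "$ds" || return 1
    done
}

case "${1:-}" in
    attach) shift; attach_datasets "$@" ;;
    detach) shift; detach_datasets "$@" ;;
esac
```

Because the JID is looked up on every call, the jail can come back with a new ID after a restart and the same dataset list still applies.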



