From owner-freebsd-jail@freebsd.org Thu Jul 7 10:06:43 2016 Return-Path: <owner-freebsd-jail@freebsd.org> Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4EEC8B75193 for <freebsd-jail@mailman.ysv.freebsd.org>; Thu, 7 Jul 2016 10:06:43 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AF4231AD3 for <freebsd-jail@freebsd.org>; Thu, 7 Jul 2016 10:06:42 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 361322848C; Thu, 7 Jul 2016 12:06:34 +0200 (CEST) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 30B3B28412; Thu, 7 Jul 2016 12:06:33 +0200 (CEST) Message-ID: <577E29A8.5000504@quip.cz> Date: Thu, 07 Jul 2016 12:06:32 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32 MIME-Version: 1.0 To: Grzegorz Junka <list1@gjunka.com>, freebsd-jail@freebsd.org Subject: Re: Effective rule sets in a jail? References: <2aeb6798-11ee-27c0-610a-d745aa322f97@gjunka.com> <CANJ8om5R-BT=heC+giMTXFH8YQXhuPQZjQ_S-P1bQ1XBGS16uQ@mail.gmail.com> <577E0A78.1040600@quip.cz> <2c9d10fd-35ba-5470-026d-a1483e47fcf2@gjunka.com> <577E1AFB.90100@quip.cz> <6ccead58-a38a-80a4-b5b8-a509c4271b8f@gjunka.com> In-Reply-To: <6ccead58-a38a-80a4-b5b8-a509c4271b8f@gjunka.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" <freebsd-jail.freebsd.org> List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-jail>, <mailto:freebsd-jail-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-jail/> List-Post: <mailto:freebsd-jail@freebsd.org> List-Help: <mailto:freebsd-jail-request@freebsd.org?subject=help> List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-jail>, <mailto:freebsd-jail-request@freebsd.org?subject=subscribe> X-List-Received-Date: Thu, 07 Jul 2016 10:06:43 -0000 Grzegorz Junka wrote on 07/07/2016 11:42: > OK, I am just an user, not very familiar with the terminology. For me > (as a programmer) inheriting means overriding, so merging the more > specific to the less specific declarations. > > Does it mean that the "inheriting" works in nested declarations but > doesn't take into account the default value? In other words, the default > is just default unless it re-defined in a jail declaration. If that's > the case then wouldn't be more clear to name the "outside" default > declaration as default, e.g. "default_devfs_ruleset"? Then it would be > more difficult to confuse the default with the one that can be inherited. I think it is simple in current form. (And I am not sys developer, I was web application programmer before I became sysadmin) I started with jails long time before jail2 with jail.conf. Current jail.conf is soooo simpler in comparision with rc.conf style variables. Naming each default variable with different name will be harder to code, harder to write in jail.conf, harder to document in manpages. Almost all programming languages works the same in this context - later variable definition wins. So you can easily define all variables needed to run jails and then set just those specific to one jail - IPs and hostname: ## Typical static defaults: ## Use the rc scripts to start and stop jails. Mount jail's /dev. exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.clean; exec.system_user = "root"; exec.jail_user = "root"; mount.devfs; devfs_ruleset = 4; enforce_statfs = 1; #allow.set_hostname = false; #allow.mount; allow.set_hostname = 0; allow.sysvipc = 0; allow.raw_sockets = 0; ## Dynamic wildcard parameter: path = "/vol1/jail/$name"; exec.consolelog = "/var/log/jail/$name.console"; mount.fstab = "/etc/fstab.$name"; ## Jail myjail0 myjail0 { host.hostname = "myjail0.example.conf"; ip4.addr = 10.20.30.40; } ## Jail myjail1 myjail1 { host.hostname = "myjail1.example.conf"; ip4.addr = 10.20.30.41; } devfs_ruleset is the same as the other variables - you can't (and I hope nobody expect) to merge global default value of e.g. exec.system_user or allow.sysvipc with variables defined in specific jail context. Those variables can have only one value (bool, or string, or number; not an array). It is the same for devfs_rules. Can't have more than one numeric value, can't combine two together. I think you will be familiar with this very soon. Miroslav Lachman