Message-ID: <577E29A8.5000504@quip.cz>
Date: Thu, 07 Jul 2016 12:06:32 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Grzegorz Junka <list1@gjunka.com>, freebsd-jail@freebsd.org
Subject: Re: Effective rule sets in a jail?
References: <2aeb6798-11ee-27c0-610a-d745aa322f97@gjunka.com>
 <CANJ8om5R-BT=heC+giMTXFH8YQXhuPQZjQ_S-P1bQ1XBGS16uQ@mail.gmail.com>
 <577E0A78.1040600@quip.cz> <2c9d10fd-35ba-5470-026d-a1483e47fcf2@gjunka.com>
 <577E1AFB.90100@quip.cz> <6ccead58-a38a-80a4-b5b8-a509c4271b8f@gjunka.com>
In-Reply-To: <6ccead58-a38a-80a4-b5b8-a509c4271b8f@gjunka.com>

Grzegorz Junka wrote on 07/07/2016 11:42:

> OK, I am just a user, not very familiar with the terminology. For me
> (as a programmer) inheriting means overriding, so merging the more
> specific into the less specific declarations.
>
> Does it mean that the "inheriting" works in nested declarations but
> doesn't take into account the default value? In other words, the default
> is just a default unless it is re-defined in a jail declaration. If that's
> the case then wouldn't it be clearer to name the "outside" default
> declaration as default, e.g. "default_devfs_ruleset"? Then it would be
> more difficult to confuse the default with the one that can be inherited.

I think it is simple in its current form. (And I am not a sys developer; I was 
a web application programmer before I became a sysadmin.)
I started with jails a long time before jail2 with jail.conf. The current 
jail.conf is soooo much simpler in comparison with rc.conf style variables.

Naming each default variable with a different name would be harder to code, 
harder to write in jail.conf, and harder to document in manpages.

Almost all programming languages work the same way in this context - the later 
variable definition wins.

So you can easily define all the variables needed to run jails and then set 
just those specific to one jail - IPs and hostname:

## Typical static defaults:
## Use the rc scripts to start and stop jails.  Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.system_user   = "root";
exec.jail_user     = "root";
mount.devfs;
devfs_ruleset      = 4;
enforce_statfs     = 1;
#allow.set_hostname = false;
#allow.mount;
allow.set_hostname = 0;
allow.sysvipc      = 0;
allow.raw_sockets  = 0;

## Dynamic wildcard parameter:
path            = "/vol1/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab     = "/etc/fstab.$name";

## Jail myjail0
myjail0 {
         host.hostname = "myjail0.example.conf";
         ip4.addr      = 10.20.30.40;
}

## Jail myjail1
myjail1 {
         host.hostname = "myjail1.example.conf";
         ip4.addr      = 10.20.30.41;
}


devfs_ruleset is the same as the other variables - you can't (and I hope 
nobody expects to) merge the global default value of e.g. exec.system_user or 
allow.sysvipc with variables defined in a specific jail context. Those 
variables can have only one value (bool, or string, or number; not an 
array). It is the same for devfs_rules. You can't have more than one numeric 
value, and you can't combine two together.

I think you will be familiar with this very soon.

Miroslav Lachman
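To make the precedence rule in the message above concrete, here is an added example (not code from the thread or from FreeBSD) that parses a constructed jail.conf modelled on the one quoted, copies the global defaults into each jail, lets a later definition of devfs_ruleset replace the earlier one, and expands $name. The parser is deliberately simplified and assumes only `key = value;`, bare `key;`, `#` comments and `name { ... }` blocks.

```python
# Constructed sample modelled on the jail.conf in the message above,
# with an extra jail that re-defines devfs_ruleset to show the override.
SAMPLE_CONF = """
## Typical static defaults
exec.start = "/bin/sh /etc/rc";
exec.clean;
mount.devfs;
devfs_ruleset  = 4;
allow.sysvipc  = 0;
path           = "/vol1/jail/$name";
myjail0 {
    host.hostname = "myjail0.example.conf";
    ip4.addr      = 10.20.30.40;
}
myjail1 {
    host.hostname = "myjail1.example.conf";
    devfs_ruleset = 5;   # scalar: replaces the global 4, nothing is merged
}
"""

def parse_jail_conf(text):
    """Return {jailname: effective parameters}, applying jail.conf precedence:
    globals seen so far are copied into each jail, a later definition of the
    same parameter replaces the earlier one, and $name is expanded."""
    globals_, jails, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                 # start of a jail block
            current = line[:-1].strip()
            jails[current] = dict(globals_)    # inherit global defaults
            continue
        if line == "}":
            current = None
            continue
        key, _, val = line.rstrip(";").partition("=")
        key, val = key.strip(), val.strip().strip('"')
        value = True if not _ else val         # bare "key;" means true
        target = jails[current] if current else globals_
        target[key] = value                    # later definition wins
    for name, params in jails.items():
        for k, v in params.items():
            if isinstance(v, str):
                params[k] = v.replace("$name", name)
    return jails
```

Real jail.conf(5) also accepts `+=` and comma-separated values, which this simplified parser does not model; the point it demonstrates is that a scalar such as devfs_ruleset is replaced, never merged.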