Date:      Tue, 4 Sep 2012 12:00:54 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Martin Matuska <mm@FreeBSD.org>
Cc:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-jail@freebsd.org, jamie@freebsd.org
Subject:   Re: Fixed Jail ID for ZFS -> need proper mgmt?
Message-ID:  <20120904100054.GA1405@garage.freebsd.pl>
In-Reply-To: <5045CAD2.9030507@FreeBSD.org>
References:  <alpine.BSF.2.00.1209040846530.76284@ai.fobar.qr> <5045CAD2.9030507@FreeBSD.org>

On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
> > 2) in the case of (1) it should be possible to address jails by name
> >    as ZFS would be handled automatically and we would not need another
> >    unique identifier I guess?
> >    Otherwise I'd prefer for people to be able to delegate ZFS datasets
> >    to jail names (as well), as long as they are uniquely identifiable
> >    (i.e. there are no 17 jails running with a name of "filesever").
> >
> The binding of a ZFS dataset to a jail has to be exact. So we end up
> with id's.
> But we could add something like "zfs datasets" to the jail's
> configuration file. The jail command would then simply exec "zfs jail
> jailid dataset" for each of the datasets on jail creation right before
> initiating rc startup and "zfs unjail jailid dataset" for each of the
> datasets after jail's rc shutdown but before the jail is destroyed.

Datasets shall not be unjailed. Jailing a dataset means that it won't be
mounted in the main system. You need to run 'zfs mount -a' within a
jail, during its start-up, to mount its datasets. This is much safer than
mounting anything in jail's directory tree from the main system. We
already had security issues because of that. This is also how it works
in Solaris/IllumOS with zones.

And I can't resist reminding everyone how opposed I was to jail ids in the first
place. Especially because they were dynamically allocated. When they
were introduced I recommended jail names, which we ended up with anyway,
but now we have all this jailid thing to manage in older FreeBSD
versions.

All in all we should move to using jail names, IMHO, the same way zone
names are used in Solaris/IllumOS. When I was adding jail support to ZFS
there were no jail names, only jail hostnames, which weren't an option
really.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
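
The arrangement discussed in the message above (attach the dataset on the host, mount it from inside the jail, address the jail by name), written out as an added jail.conf(5) example; it is not part of the original e-mail. It assumes a current FreeBSD where jail.conf(5) has exec.created and zfs-jail(8) accepts a jail name; the jail name "web1", the paths and the dataset "tank/jails/web1/data" are constructed placeholders.

```conf
# /etc/jail.conf (constructed example, names and paths are placeholders)
#
# One-time host-side preparation, so the host never mounts the dataset:
#   zfs set jailed=on tank/jails/web1/data

web1 {
    path = "/jails/web1";
    host.hostname = "web1.example.org";

    # Allow root inside the jail to mount ZFS file systems.
    # allow.mount.zfs only takes effect together with allow.mount
    # and with enforce_statfs lower than 2.
    allow.mount;
    allow.mount.zfs;
    enforce_statfs = 1;

    # Runs on the host, after the jail exists and before anything
    # is started inside it: attach the dataset to the jail by name.
    exec.created = "zfs jail $name tank/jails/web1/data";

    # Runs inside the jail: mount the attached datasets from within,
    # instead of mounting into the jail's tree from the host.
    exec.start  = "zfs mount -a";
    exec.start += "/bin/sh /etc/rc";

    exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

No exec.prestop or exec.poststop hook calls "zfs unjail" here, in line with the message's point that datasets are not unjailed on shutdown.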
