Date: Thu, 12 Feb 2009 13:02:27 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: d@delphij.net Cc: freebsd-jail@freebsd.org, freebsd-rc@FreeBSD.org, FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: [RFC] Skeleton jail (rc.d feature proposal) Message-ID: <20090212122419.Q53478@maildrop.int.zabbadoz.net> In-Reply-To: <499244E6.9030205@delphij.net> References: <499244E6.9030205@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 10 Feb 2009, Xin LI wrote: Hi, PreS: I added freebsd-jail@ to Cc:. > Ok, some local users has prodded me in committing the "skeleton jail" > feature, I find it useful myself but not sure if it's appropriate to > commit it against -HEAD, so I'd like to explain it, try to present it in > a better way, and request for comments. I have seen lots of "skeleton jail" features the last years working with lots of different parties and I have a private one myself tied into some other stuff which is even more meagre than most. It's 2 files and 7 lines of sh and that's only because I am lazy. I have seen everything from sh scripts to install worlds/distribution for a jail, to the same and then remove stuff, unionfs tries and nullfs mounts. From mergemaster setups populating worlds for jail from private trees to restores from master images. Some were really nice, others were .. improvable. They all helped the people in their environment but few could use what the others had done in their environment. > The rc.d infrastructure would automatically mount the following > directories from the template (when not specified, /) as read-only: > > bin > lib > libexec > sbin > usr/bin > usr/include > usr/lib > usr/libdata > usr/libexec > usr/sbin > usr/share I do not have the following two on most/any of my machines: > usr/src > usr/obj The correct way to do this I think would leave rc.d/jail untouched and (pre-)populate an /etc/fstab.<jname> and use that. Considering that my last commit messages already said that Simon and I have big worries about all the features in /etc/rc.d/jail and would rather remove than than keep them and that this is basically two things: 1) pre-seed a jail hierachy and etc from a source tree 2) mount some nullfs into the jail on start, unmount on stop (I hope I didn't miss anything else) I am wondering if this large patch cannot be reduced to a few line sh script to seed the jail + fstab, not needing to fiddle with base for that. 1 #/bin/sh 2 # $1 is DESTDIR of the jail 3 # $2 is the jail name as in rc.conf 4 # $3 is the skel root to mount from 5 # other arguments are rw nullfs mounts 6 cd /usr/src 7 make hierachy DESTDIR=$1 8 make distribution DESTDIR=$1 9 for d in bin lib libexec ..; do 10 echo "$3/${d} $1/$3 nullfs ro 0 0" >> /etc/fstab.$2 11 done 12 shift; shift; shift 13 for d in bin lib libexec ..; do 14 echo "$3/${d} $1/$3 nullfs rw 0 0" >> /etc/fstab.$2 15 done 16 echo "Add jail_$2_mount_enable='YES' to /etc/rc.conf" This is untested and doesn't have error checking etc. I would even put it in a Makefile instead of doing it in sh. A lot more flexible than anything in base will ever be. Just my 5ct. /bz -- Bjoern A. Zeeb The greatest risk is not taking one.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090212122419.Q53478>