From: "Bjoern A. Zeeb"
Date: Thu, 12 Feb 2009 13:02:27 +0000 (UTC)
To: d@delphij.net
Cc: freebsd-jail@freebsd.org, freebsd-rc@FreeBSD.org, FreeBSD Current
Subject: Re: [RFC] Skeleton jail (rc.d feature proposal)

On Tue, 10 Feb 2009, Xin LI wrote:

Hi,

PreS: I added freebsd-jail@ to Cc:.

> Ok, some local users have prodded me in committing the "skeleton jail"
> feature, I find it useful myself but not sure if it's appropriate to
> commit it against -HEAD, so I'd like to explain it, try to present it in
> a better way, and request for comments.

I have seen lots of "skeleton jail" features the last years working with lots of different parties and I have a private one myself tied into some other stuff which is even more meagre than most. It's 2 files and 7 lines of sh and that's only because I am lazy.

I have seen everything from sh scripts to install worlds/distribution for a jail, to the same and then remove stuff, unionfs tries and nullfs mounts. From mergemaster setups populating worlds for jail from private trees to restores from master images.

Some were really nice, others were .. improvable. They all helped the people in their environment but few could use what the others had done in their environment.

> The rc.d infrastructure would automatically mount the following
> directories from the template (when not specified, /) as read-only:
>
> bin
> lib
> libexec
> sbin
> usr/bin
> usr/include
> usr/lib
> usr/libdata
> usr/libexec
> usr/sbin
> usr/share

I do not have the following two on most/any of my machines:

> usr/src
> usr/obj

The correct way to do this I think would leave rc.d/jail untouched and (pre-)populate an /etc/fstab. and use that.

Considering that my last commit messages already said that Simon and I have big worries about all the features in /etc/rc.d/jail and would rather remove them than keep them and that this is basically two things:

1) pre-seed a jail hierarchy and etc from a source tree
2) mount some nullfs into the jail on start, unmount on stop

(I hope I didn't miss anything else)

I am wondering if this large patch cannot be reduced to a few line sh script to seed the jail + fstab, not needing to fiddle with base for that.

    #!/bin/sh
    # $1 is DESTDIR of the jail
    # $2 is the jail name as in rc.conf
    # $3 is the skel root to mount from
    # other arguments are rw nullfs mounts
    # keep the first three arguments in variables; they are shifted away below
    destdir=$1; name=$2; skel=$3
    cd /usr/src
    make hierarchy DESTDIR="${destdir}"
    make distribution DESTDIR="${destdir}"
    # read-only mounts from the skel root (list abbreviated in the original message)
    for d in bin lib libexec; do
        echo "${skel}/${d} ${destdir}/${d} nullfs ro 0 0" >> "/etc/fstab.${name}"
    done
    shift; shift; shift
    # every remaining argument becomes a read-write nullfs mount
    for d in "$@"; do
        echo "${skel}/${d} ${destdir}/${d} nullfs rw 0 0" >> "/etc/fstab.${name}"
    done
    echo "Add jail_${name}_mount_enable='YES' to /etc/rc.conf"

This is untested and doesn't have error checking etc. I would even put it in a Makefile instead of doing it in sh. A lot more flexible than anything in base will ever be.

Just my 5ct.

/bz

--
Bjoern A. Zeeb      The greatest risk is not taking one.
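
A check that could be run on a generated per-jail fstab, as an added example that is not part of the original message or of FreeBSD's rc.d: it reports template directories that are not mounted read-only from the skel root, and mount points that leave the jail root. The function names and the paths /jails/skel, /jails/www and /data/www are constructed for illustration; the directory list is the one quoted from the proposal above.

```shell
#!/bin/sh
# Directories the quoted proposal mounts read-only from the template.
RO_DIRS="bin lib libexec sbin usr/bin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share"

# usage: audit_jail_fstab SKEL JAILROOT < fstab
# Prints one finding per line; exit status is 1 if anything was found.
audit_jail_fstab() {
    awk -v skel="$1" -v root="$2" -v dirs="$RO_DIRS" '
        BEGIN {
            sub(/\/+$/, "", skel); sub(/\/+$/, "", root)
            n = split(dirs, d, " ")
            for (i = 1; i <= n; i++) want[root "/" d[i]] = skel "/" d[i]
        }
        /^[ \t]*#/ || NF < 4 || $3 != "nullfs" { next }
        {
            src = $1; dst = $2; ro = 0
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "ro") ro = 1
            # A mount point must stay below the jail root, with no ".." in it.
            if (index(dst "/", root "/") != 1 || index(dst "/", "/../") > 0) {
                print "outside-jail: " src " -> " dst; bad = 1
            } else if (dst in want) {
                seen[dst] = 1
                # A writable template directory lets one jail alter files
                # that every other jail using the same skel also sees.
                if (!ro)              { print "not-read-only: " dst; bad = 1 }
                if (src != want[dst]) { print "not-from-skel: " src " -> " dst; bad = 1 }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = root "/" d[i]
                if (!(k in seen)) { print "missing: " k; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample input: usr/lib is mounted rw and one target uses "..".
sample_fstab() {
    for d in $RO_DIRS; do
        if [ "$d" = usr/lib ]; then continue; fi
        echo "/jails/skel/$d /jails/www/$d nullfs ro 0 0"
    done
    echo "/jails/skel/usr/lib /jails/www/usr/lib nullfs rw 0 0"
    echo "/data/www /jails/www/../data nullfs rw 0 0"
}

sample_fstab | audit_jail_fstab /jails/skel /jails/www || echo "fstab needs fixing"
```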