From: "Bjoern A. Zeeb"
To: Ruslan Ermilov
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, freebsd-jail@FreeBSD.org
Date: Wed, 24 Sep 2008 18:34:53 +0000 (UTC)
Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5
Message-ID: <20080924181315.S65801@maildrop.int.zabbadoz.net>
In-Reply-To: <200809241525.m8OFPifi095256@repoman.freebsd.org>
Reply-To: freebsd-jail@FreeBSD.org

On Wed, 24 Sep 2008, Ruslan Ermilov wrote:

> ru          2008-09-24 15:18:27 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     etc/rc.d             jail
>     share/man/man5       rc.conf.5
>   Log:
>   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
>
>   Allow a jail's IP alias to be created with an arbitrary netmask.

So I had been talking with various people during the last weeks/months
about this feature of configuring an interface from rc.d/jail and I had
been >< close to removing it a lot of times, but it seems people prefer
to actually mix network configuration, management and jail
startup/teardown in a single script, which I think is a very questionable
thing, especially considering that we already had an SA [1] for that
script for other means.

So now I have v4/v6/multi/no-IP jails and once the next vimage step is
in I plan to have it hit the tree, and I am currently integrating a patch
that would even allow the ifconfig to work with multiple IPv4/v6
addresses because up to now I decided to leave this feature in.

Now adding a netmask only makes sense for exactly one use case to my
understanding and this is not going to play well with whatever will hit
the tree. Adding yet another variable to rc.conf to control another
question knob is something, as I hate to say, I am no longer going to be
ok with (this has nothing to do with you or that it might be needed in a
setup).

My suggestion would be, that if we want those features, to add them
separately, doing a superset of the startup script or something just for
this, and actually use network.subr or the like to set it up, but keep
the list of IP/netmasks kind of separated from options for the jail(8)
command. In the worst case something like this (read the BUT later):

	jail_example_ipv4_alias0="192.0.2.1/24"
	jail_example_ipv4_alias1="192.0.2.2/32"
	jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255"
	jail_example_ipv6_alias0="2001:dbe::1"
	jail_example_ipv6_alias1="2001:dbe::2/128"

and then have a single knob

	jail_example_configure_ips_on_interfaces="NO"

and still use the above list to create the jail(8) argument if you want
it like that.

BUT wait, the above is not going to work out as I am missing the
interface for each alias instance. We need a full
interface X af X address X netmask tuple with each entry and a defined
order per AF as the first IP will be specially treated. That's why I am
saying networking is networking and jails are jails and to combine both
you need a management app/script/... as it is too many options/knobs/...

FYI for the multi-IP jails (without this feature) I didn't even have to
think about the startup script as it would just have continued to work.
Adding no-IP support I had to change an exit case to _foo="\"\"" in
rc.d/jail. With supporting the ifconfig you need to add a few more lines.
With the netmasks I still have no idea where we'll end up.

I suggest we once and for all discuss this on freebsd-jail and decide
how to continue with this feature. I am Cc:ing and setting Reply-to:

> MFC after:	3 days

I would kindly ask you to hold back an MFC into 7 until there is a
conclusion.

> Revision  Changes    Path
> 1.40      +3 -1      src/etc/rc.d/jail
> 1.348     +7 -1      src/share/man/man5/rc.conf.5

References:
[1] http://security.freebsd.org/advisories/FreeBSD-SA-07:01.jail.asc

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
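An added example, not from this mail or from FreeBSD's rc.d/jail, of the separation argued for above: the alias formats listed in the mail are parsed once into af/address/prefix tuples of the kind an interface-configuration step would consume, and the bare address list for jail(8) is derived from those tuples rather than from the same rc.conf string. Function names are hypothetical and the sample addresses are constructed.

```shell
# Added example (hypothetical helpers, not FreeBSD's rc.d/jail): turn the
# proposed jail_<name>_ipv{4,6}_aliasN values into "af address prefixlen"
# triples, and build the jail(8) address list from those, not from raw text.
# Dotted-quad netmask -> prefix length; rejects non-contiguous masks.
mask_to_prefix() {
    _bits=0; _done=0; _oldifs=$IFS; IFS=.
    for _o in $1; do
        [ "$_done" -eq 1 ] && [ "$_o" != 0 ] && { IFS=$_oldifs; return 1; }
        case $_o in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)); _done=1 ;;
            252) _bits=$((_bits + 6)); _done=1 ;;
            248) _bits=$((_bits + 5)); _done=1 ;;
            240) _bits=$((_bits + 4)); _done=1 ;;
            224) _bits=$((_bits + 3)); _done=1 ;;
            192) _bits=$((_bits + 2)); _done=1 ;;
            128) _bits=$((_bits + 1)); _done=1 ;;
            0)   _done=1 ;;
            *)   IFS=$_oldifs; return 1 ;;
        esac
    done
    IFS=$_oldifs
    echo "$_bits"
}

# One alias entry -> "af address prefixlen". Accepts "A.B.C.D", "A.B.C.D/N",
# "A.B.C.D netmask M.M.M.M", "x::y" and "x::y/N"; bare addresses get a host mask.
normalize_alias() {
    case $1 in
        *" netmask "*) _addr=${1%%" netmask "*}
                       _plen=$(mask_to_prefix "${1##*" netmask "}") || return 1 ;;
        */*)           _addr=${1%%/*}; _plen=${1##*/} ;;
        *)             _addr=$1; _plen="" ;;
    esac
    case $_addr in
        *:*) echo "inet6 $_addr ${_plen:-128}" ;;
        *)   echo "inet $_addr ${_plen:-32}" ;;
    esac
}

# Comma-separated address list for jail(8); netmasks are interface business
# and are dropped here. Fails on the first entry that does not parse.
jail_ip_list() {
    _list=""
    for _e in "$@"; do
        _norm=$(normalize_alias "$_e") || return 1
        _list="${_list:+$_list,}$(echo "$_norm" | cut -d' ' -f2)"
    done
    echo "$_list"
}
```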