Date: Tue, 4 Sep 2012 10:20:32 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Pawel Jakub Dawidek
Cc: freebsd-jail@freebsd.org, Martin Matuska, jamie@freebsd.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote:

> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
>>> 2) in the case of (1) it should be possible to address jails by name
>>> as ZFS would be handled automatically and we would not need another
>>> unique identifier I guess?
>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets
>>> to jail names (as well), as long as they are uniquely identifiable
>>> (i.e. there are no 17 jails running with a name of "fileserver").
>>>
>> The binding of a ZFS dataset to a jail has to be exact. So we end up
>> with IDs.
>> But we could add something like "zfs datasets" to the jail's
>> configuration file. The jail command would then simply exec "zfs jail
>> jailid dataset" for each of the datasets on jail creation right before
>> initiating rc startup and "zfs unjail jailid dataset" for each of the
>> datasets after jail's rc shutdown but before the jail is destroyed.
>
> Datasets shall not be unjailed. Jailing dataset means that it won't be
> mounted in the main system. You need to run 'zfs mount -a' within a
> jail, during its start-up to mount its datasets. This is much safer than
> mounting anything in jail's directory tree from the main system. We
> already had security issues because of that. This is also how it works
> in Solaris/IllumOS with zones.
>
> And I can't resist to remind how opposed I was to jail ids in the first
> place. Especially because they were dynamically allocated. When they
> were introduced I recommended jail names, which we ended up with anyway,
> but now we have all this jailid thing to manage in older FreeBSD
> versions.
>
> All in all we should move to using jail names, IMHO, the same way zone
> names are used in Solaris/IllumOS. When I was adding jail support to ZFS
> there were no jail names, only jail hostnames, which weren't an option
> really.

I guess we'd need to end up with name and if not unique + ID or
something? Really IDs are not the problem as long as they never appear
anywhere in the config file? Just not sure given names are not unique
how to handle it the right way?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
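
Added example, not part of the original message or of FreeBSD's jail(8) code: one way to keep JIDs out of the configuration while still binding a dataset to exactly one jail is to resolve the name at start-up and fail closed when it is ambiguous. The helper names, the dataset `tank/jails/db` and the `jls jid name` sample (including its duplicate name, constructed to exercise the ambiguity raised in the thread) are assumptions; the plan is only printed, never executed.

```shell
#!/bin/sh
# Constructed sample of `jls jid name` output: JID, then jail name.
SAMPLE_JLS='1 www
4 fileserver
7 db
9 fileserver'

# resolve_jid NAME: read "jid name" lines on stdin and print the JID only
# if exactly one running jail carries NAME.
# Exit status: 0 = unique match, 1 = no match, 2 = ambiguous.
resolve_jid() {
    awk -v want="$1" '
        $2 == want { n++; jid = $1 }
        END {
            if (n == 1) { print jid; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# plan_delegation NAME DATASET: print the commands a start-up hook would
# run, or refuse. The dataset is mounted from inside the jail and is
# never unjailed or mounted from the host, as argued in the thread.
plan_delegation() {
    name=$1
    dataset=$2
    jid=$(resolve_jid "$name") || {
        rc=$?
        echo "refusing $dataset: '$name' does not identify exactly one jail" >&2
        return "$rc"
    }
    echo "zfs set jailed=on $dataset"
    echo "zfs jail $jid $dataset"
    echo "jexec $jid zfs mount -a"
}

# Demo on the constructed sample: a unique name, then an ambiguous one.
printf '%s\n' "$SAMPLE_JLS" | plan_delegation db tank/jails/db
printf '%s\n' "$SAMPLE_JLS" | plan_delegation fileserver tank/jails/fs ||
    echo "ambiguous name rejected (status $?)"
```

On a real host the stdin would come from `jls jid name` instead of the embedded sample.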