Date:      Mon, 19 Mar 2012 09:52:53 +0100
From:      Martin Matuska <mm@FreeBSD.org>
To:        Alexander Leidinger <Alexander@Leidinger.net>
Cc:        svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, pjd@FreeBSD.org, jamie@FreeBSD.org
Subject:   Re: svn commit: r233048 - head/etc/defaults
Message-ID:  <4F66F3E5.2020600@FreeBSD.org>
In-Reply-To: <20120319094222.Horde.3rlwV5jmRSRPZvFuXTdGj_A@webmail.leidinger.net>
References:  <201203162130.q2GLUQaw035726@svn.freebsd.org> <20120317163539.00004d8f@unknown> <4F6653C6.6020405@FreeBSD.org> <4F665895.1050803@FreeBSD.org> <20120319094222.Horde.3rlwV5jmRSRPZvFuXTdGj_A@webmail.leidinger.net>

On 19. 3. 2012 9:42, Alexander Leidinger wrote:
>>> The only disclosed information I know of is whether the zfs module is
>>> loaded on your system.
>>> Other alternative I was thinking of would be using a new ruleset (e.g.
>>> devfsrules_jail_zfs=5).
>>> The disadvantage here is that users that already have defined a ruleset
>>> with this number should be informed somehow.
>
> Well... we always have this issue. If the rulesets in defaults change,
> the user has to change his own rulesets. I have a lot of rules on my
> system and there was at least one occasion where I had to handle a
> change because of this. I don't remember if there was an entry in
> UPDATING or not, but I don't think we should make a decision about it
> based upon if a user has to renumber his rulesets or not. As the
> rulesets do not need to be continuous, we may want to add an advice to
> the man-page(s) to start at a specific value for the ruleset-numbers
> and reserve everything below for the system. I didn't do this myself,
> and I have a lot of rulesets, for me this falls within 'nice to have
> but easy to handle'.
>
>> Btw. jail has access to sysctl(8) and this discloses a *LOT* of
>> information, including if ZFS is loaded or not (existence of vfs.zfs)
>> and all its settings and statistics, hardware devices, geom devices,
>> network card counters and many more. Compared to this, /dev/zfs is really
>> a minor issue :-)
>
> I agree.
>
>> Until we limit the output of sysctl() we don't hide this information
>> just by hiding /dev/zfs.
>
> What about not imported pools? Can I see them in jails or are they
> hidden (I don't have one around to test ATM)?
Until you delegate a zfs dataset to a jail, the jail does not see any
pools or datasets.

If you delegate a dataset to a jail, the jail sees information about the
delegated dataset, the dataset's pool, the parent datasets of this
delegated dataset (=the path from pool up to the delegated dataset) and
the descendant datasets, if any.

We might want to continue this discussion outside of the svn-src mailing
lists.

-- 
Martin Matuska
FreeBSD committer
http://blog.vx.sk
