From: Philipp Wuensche
Date: Thu, 21 Jan 2010 17:43:24 +0100
To: freebsd-jail@FreeBSD.org
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
Message-ID: <4B58842C.6080106@h3q.com>
In-Reply-To: <4B586095.8020109@h3q.com>

Philipp Wuensche wrote:
>
> And shouldn't we implement all the new-style features while we're at it?
> All the allow.* stuff, cpuset etc.

I did some testing with vnet and I find the way of using _poststart and _afterstart to configure IP addresses inside a vimage jail very impractical. First we lose all the nice features of configuring IP addresses via ipv4_addrs_if in rc.conf from inside the jail, and second, more importantly, the jail will be fully booted before any IP address is configured or even interfaces are configured.

This will result in services not starting correctly, firewalling going nuts, routing daemons not working, etc.

A way to solve this would be to create the jail with "jail -c", not setting "command=" but "persist", resulting in /etc/rc not being run yet. This gives us a jail without any processes but already in a state to be manipulated. In this state we could attach interfaces, zfs datasets, configure the cpuset, etc. After manipulating the jail, it can be really booted up by "jail -m jid=${_jail_id} command=${_exec_start}", which will configure all the networking and services correctly from within the jail.

For this, there need to be some changes:

- due to the "persist" flag, we need to delete the jail via "jail -r ${_jail_id}" when stopping it
- the changes above are meant for vnet, so we need to make them work with non-vnet jails too
- this creates the need for a command between creating the jail and fully booting it, as _prestart is too early and _poststart is too late
- a lot of rc.d scripts have the KEYWORD nojail, e.g. netif. Some of them will be needed to run inside vnet jails.

Is there a way to distinguish a vimage jail from a non-vimage jail inside the jail? I couldn't find a sysctl; maybe security.jail.jailed should be set to 2 instead of 1?

greetings,
Philipp
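The two-phase start/stop sequence proposed in the message above, as an added example script that is not part of the PR, the rc.d/jail patch, or the author's own code. It assumes the jail is addressed by name instead of by jid, that an epair interface (here epair0b) has already been created on the host, and a JAIL_DRY_RUN variable that prints the commands instead of executing them.

```shell
#!/bin/sh
# Two-phase start/stop of a vnet jail, following the sequence in the post:
# 1. "jail -c ... persist" without command= creates the jail with no
#    processes, so /etc/rc has not run yet;
# 2. the still-empty jail is manipulated (here: an interface is attached);
# 3. "jail -m ... command=..." boots it, so rc.conf networking inside the
#    jail is applied before any service starts;
# 4. because of "persist", stopping must remove the jail with "jail -r".
# Assumptions not in the post: the jail is referenced by name (jail(8),
# ifconfig(8) and jexec(8) all accept a name), the epair already exists
# on the host, and JAIL_DRY_RUN prints commands instead of running them.

run() {
    if [ -n "$JAIL_DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# jail_start_vnet NAME PATH HOSTNAME IFACE
jail_start_vnet() {
    _name=$1; _path=$2; _host=$3; _if=$4
    # Phase 1: empty persistent jail; no command= so /etc/rc does not run.
    run jail -c name="$_name" path="$_path" host.hostname="$_host" \
        vnet persist || return 1
    # Phase 2: move the host-side epair end into the jail's vnet. IP
    # configuration is deliberately left to rc.conf inside the jail.
    run ifconfig "$_if" vnet "$_name" || return 1
    # Phase 3: boot the jail; its own rc now sees the interface.
    # command= must be the last parameter; the rest of the line is the command.
    run jail -m name="$_name" command=/bin/sh /etc/rc
}

# jail_stop_vnet NAME
jail_stop_vnet() {
    _name=$1
    # Run the jail's shutdown scripts, then remove the persistent jail,
    # which would otherwise linger with no processes in it.
    run jexec "$_name" /bin/sh /etc/rc.shutdown
    run jail -r "$_name"
}
```

Run with JAIL_DRY_RUN=1 first to review the exact command sequence before letting it touch a real host.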