From owner-freebsd-current@FreeBSD.ORG Thu Jul 28 18:00:47 2011 Return-Path: Delivered-To: freebsd-current@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 83BBA106566C; Thu, 28 Jul 2011 18:00:47 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from mail.vx.sk (mail.vx.sk [IPv6:2a01:4f8:100:1043::3]) by mx1.freebsd.org (Postfix) with ESMTP id 1E3648FC08; Thu, 28 Jul 2011 18:00:47 +0000 (UTC) Received: from core.vx.sk (localhost [127.0.0.1]) by mail.vx.sk (Postfix) with ESMTP id 40D7618AC7E; Thu, 28 Jul 2011 20:00:46 +0200 (CEST) X-Virus-Scanned: amavisd-new at mail.vx.sk Received: from mail.vx.sk ([127.0.0.1]) by core.vx.sk (mail.vx.sk [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 0fFdb-01nGoL; Thu, 28 Jul 2011 20:00:44 +0200 (CEST) Received: from [10.9.8.3] (chello085216231078.chello.sk [85.216.231.78]) by mail.vx.sk (Postfix) with ESMTPSA id 686C718AC76; Thu, 28 Jul 2011 20:00:43 +0200 (CEST) Message-ID: <4E31A3CD.60500@FreeBSD.org> Date: Thu, 28 Jul 2011 20:00:45 +0200 From: Martin Matuska User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0 MIME-Version: 1.0 To: Jamie Gritton References: <4E316E19.9040309@FreeBSD.org> <4E318D75.608@FreeBSD.org> In-Reply-To: <4E318D75.608@FreeBSD.org> X-Enigmail-Version: 1.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: FreeBSD Current Subject: Re: [PATCH] updated /etc/rc.d/jail and added ZFS support X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2011 18:00:47 -0000 If you start jail(8) witth "-c" (the new "param" way,) the values of the actual security.jail. variables are not initialized inside the jail, default values are used instead. I don't know if this is intentional, but probably yes. Default enforce_statfs=2, allow.mount=0. As of me we can leave everything for ${_params}, but then ${_zfs} makes sense only if enforce_statfs<2 and allow.mount=1. Regarding zfs, if you want to operate zfs from the very start of a jail (and e.g. make use of /etc/rc.d/zfs which has jail support), you have to pair datasets with an existing jail. In simple words, you have to create a process-less jail (persist=1), attach zfs datasets and then run the command. The persist option can be made optional - but we always start with persist=1, then we can set (or not) persist=0 depending on user setting. The question that opens, should we remove a persisting jail on "stop"? Or should we support new commands "create" and "remove" in addition to "start" and "stop"? Create would just make a processless jail, remove would wipe out a jail and start/stop would just deal with the processes (if persist=0 the old way, of course)? Cheers, mm Dňa 28. 7. 2011 18:25, Jamie Gritton wrote / napísal(a): > Since I missed the 9.0 boat with jail config file capability, something > like this seems necessary; rc.d/jail has long been unable to handle the > full scale of what jail(8) can do. > > I gather that setting persist is necessary for the ZFS operation. As > long as we're making the parameter setting more generic from rc, we > should handle the case where persist is specified in ${_params}, and not > always set/reset it around the jail creation unless ZFS is used. > > Also, why the specific inclusion of the security-related parameters? > They could just be folded into ${_params}, and if left unspecified then > jail(8) should by default do the right thing. > > - Jamie > > > On 07/28/11 08:11, Martin Matuska wrote: >> The attached patch allows better fine-tuning of jails started via >> /etc/rc.d, uses the new jail(8) flags (-c -m), the persist parameter and >> adds ZFS support. >> Patch is fully backward compatible. >> >> Please review, comment and/or test my attached patch. >> >> Cheers, >> mm -- Martin Matuska FreeBSD committer http://blog.vx.sk