Date: Tue, 04 Feb 2014 06:49:28 -0700
From: James Gritton <jamie@freebsd.org>
To: Julian Elischer <julian@freebsd.org>, "Robert N. M. Watson" <rwatson@FreeBSD.org>, Doug Ambrisko <ambrisko@ambrisko.com>
Cc: svn-src-head@FreeBSD.org, Alexander Leidinger <Alexander@Leidinger.net>, svn-src-all@FreeBSD.org, Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@FreeBSD.org
Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail
Message-ID: <52F0EFE8.7030105@freebsd.org>
In-Reply-To: <52F0E9E9.2080402@freebsd.org>
References: <201401291341.s0TDfDcB068211@svn.freebsd.org>
    <20140129134344.GW66160@FreeBSD.org>
    <52E906CD.9050202@freebsd.org>
    <20140129222210.0000711f@unknown>
    <alpine.BSF.2.00.1401311231490.36707@fledge.watson.org>
    <20140131223011.0000163b@unknown>
    <52EC4DBB.50804@freebsd.org>
    <20140203235336.GA46006@ambrisko.com>
    <6AF2ADA6-8BAD-4875-8B15-A859B41DDCC0@FreeBSD.org>
    <52F0E9E9.2080402@freebsd.org>

On 2/4/2014 6:23 AM, Julian Elischer wrote:
> On 2/4/14, 3:40 PM, Robert N. M. Watson wrote:
>> On 3 Feb 2014, at 23:53, Doug Ambrisko <ambrisko@ambrisko.com> wrote:
>>
>>> It's unfortunate that vimage requires jail. I want to use vimage but
>>> not have the security restrictions of a jail. To do this I patched
>>> jail to basically let everything through. It would be nice to be
>>> able to run jail in an insecure mode which I understand is a
>>> contradiction.
>>> I do use the jail infrastructure to set the uname*/getosreldate so
>>> that a specific jail thinks it is FreeBSD version blah. Then I can ssh
>>> into that jail and pkg_add things, make ports etc. I use this on
>>> my laptop running current on the base. My other jails run various
>>> versions of FreeBSD. I don't care about security in this case.
>
> vimage was not originally tied to jails. I can't remember why we
> decided to do that :-)

Leaving the smiley aside for the present, I remember that one - and it's
closely tied to this discussion. It was part of this more flexible
vision of jails that had added features, of which security was just one
(optional) part. I thought of them as a more general encapsulation
framework as needs would arise.

Vimage was one of those needs. Marko Zec had originally implemented it
with its own set of containers that ran parallel with jails, partially
implementing some parts of jail but only well enough for the
proof-of-concept of his networking idea. One thing vimage had going for
it was hierarchies, which allowed one virtual network to exist
encapsulated inside another, and that's how jails themselves became
hierarchical. It was a requirement for Marko to agree to allow his own
vimage-only encapsulation to be subsumed inside jails.

Perhaps all that is what the smiley meant, but it's good to have a
little history every now and then.

- Jamie