From: James Gritton
Date: Tue, 04 Feb 2014 06:49:28 -0700
To: Julian Elischer, "Robert N. M. Watson", Doug Ambrisko
Cc: svn-src-head@FreeBSD.org, Alexander Leidinger, svn-src-all@FreeBSD.org, Gleb Smirnoff, src-committers@FreeBSD.org
Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail

On 2/4/2014 6:23 AM, Julian Elischer wrote:
> On 2/4/14, 3:40 PM, Robert N. M. Watson wrote:
>> On 3 Feb 2014, at 23:53, Doug Ambrisko wrote:
>>
>>> It's unfortunate that vimage requires jail. I want to use vimage but
>>> not have the security restrictions of a jail. To do this I patched
>>> jail to basically let everything through. It would be nice to be
>>> able to run jail in an insecure mode which I understand is a
>>> contradiction.
>>> I do use the jail infrastructure to set the uname*/getosreldate so
>>> that a specific jail thinks it is FreeBSD version blah. Then I can ssh
>>> into that jail and pkg_add things, make ports etc. I use this on
>>> my laptop running current on the base. My other jails run various
>>> versions of FreeBSD. I don't care about security in this case.
>
> vimage was not originally tied to jails. I can't remember why we
> decided to do that :-)

Leaving the smiley aside for the present, I remember that one - and it's closely tied to this discussion.
It was part of this more flexible vision of jails that had added features, of which security was just one (optional) part. I thought of them as a more general encapsulation framework as needs would arise. Vimage was one of those needs.

Marko Zec had originally implemented it with its own set of containers that ran parallel with jails, partially implementing some parts of jail but only well enough for the proof-of-concept of his networking idea. One thing vimage had going for it was hierarchies, which allowed one virtual network to exist encapsulated inside another, and that's how jails themselves became hierarchical. It was a requirement for Marko to agree to allow his own vimage-only encapsulation to be subsumed inside jails.

Perhaps all that is what the smiley meant, but it's good to have a little history every now and then.

- Jamie