Date:      Tue, 04 Sep 2012 11:14:33 -0600
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-jail@FreeBSD.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>, Martin Matuska <mm@FreeBSD.org>
Subject:   Re: Fixed Jail ID for ZFS -> need proper mgmt?
Message-ID:  <504636F9.6050202@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.1209041019240.76284@ai.fobar.qr>
References:  <alpine.BSF.2.00.1209040846530.76284@ai.fobar.qr> <5045CAD2.9030507@FreeBSD.org> <20120904100054.GA1405@garage.freebsd.pl> <alpine.BSF.2.00.1209041019240.76284@ai.fobar.qr>

On 09/04/12 04:20, Bjoern A. Zeeb wrote:
> On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote:
>
>> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
>>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
>>>> 2) in the case of (1) it should be possible to address jails by name
>>>> as ZFS would be handled automatically and we would not need another
>>>> unique identifier I guess?
>>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets
>>>> to jail names (as well), as long as they are uniquely identifiable
>>>> (i.e. there are no 17 jails running with a name of "fileserver").
>>>>
>>> The binding of a ZFS dataset to a jail has to be exact. So we end up
>>> with id's.
>>> But we could add something like "zfs datasets" to the jail's
>>> configuration file. The jail command would then simply exec "zfs jail
>>> jailid dataset" for each of the datasets on jail creation right before
>>> initiating rc startup and "zfs unjail jailid dataset" for each of the
>>> datasets after jail's rc shutdown but before the jail is destroyed.
>>
>> Datasets shall not be unjailed. Jailing dataset means that it won't be
>> mounted in the main system. You need to run 'zfs mount -a' within a
>> jail, during its start-up to mount its datasets. This is much safer than
>> mounting anything in jail's directory tree from the main system. We
>> already had security issues because of that. This is also how it works
>> in Solaris/IllumOS with zones.
>>
>> And I can't resist to remind how opposed I was to jail ids in the first
>> place. Especially because they were dynamically allocated. When they
>> were introduced I recommended jail names, which we ended up with anyway,
>> but now we have all this jailid thing to manage in older FreeBSD
>> versions.
>>
>> All in all we should move to using jail names, IMHO, the same way zone
>> names are used in Solaris/IllumOS. When I was adding jail support to ZFS
>> there were no jail names, only jail hostnames, which weren't an option
>> really.
>
> I guess we'd need to end up with name and if not unique + ID or
> something? Really IDs are not the problem as long as they never
> appear anywhere in the config file? Just not sure given names are not
> unique how to handle it the right way?
>
> /bz

Names are unique. And we don't have the dying-jail problem with them, as
creating a jail with the same name as a dying jail is allowed. OK, that
means that jail names aren't quite unique - but they're at least unique
among the non-dying set.

- Jamie


