Message-ID: <504636F9.6050202@FreeBSD.org>
Date: Tue, 04 Sep 2012 11:14:33 -0600
From: Jamie Gritton
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org, Pawel Jakub Dawidek, Martin Matuska
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On 09/04/12 04:20, Bjoern A. Zeeb wrote:
> On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote:
>
>> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
>>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
>>>> 2) in the case of (1) it should be possible to address jails by name
>>>> as ZFS would be handled automatically and we would not need another
>>>> unique identifier I guess?
>>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets
>>>> to jail names (as well), as long as they are uniquely identifiable
>>>> (i.e. there are no 17 jails running with a name of "filesever").
>>>>
>>> The binding of a ZFS dataset to a jail has to be exact. So we end up
>>> with id's.
>>> But we could add something like "zfs datasets" to the jail's
>>> configuration file. The jail command would then simply exec "zfs jail
>>> jailid dataset" for each of the datasets on jail creation right before
>>> initiating rc startup and "zfs unjail jailid dataset" for each of the
>>> datasets after jail's rc shutdown but before the jail is destroyed.
>>
>> Datasets shall not be unjailed. Jailing dataset means that it won't be
>> mounted in the main system. You need to run 'zfs mount -a' within a
>> jail, during its start-up to mount its datasets. This is much safer than
>> mounting anything in jail's directory tree from the main system. We
>> already had security issues because of that. This is also how it works
>> in Solaris/IllumOS with zones.
>>
>> And I can't resist to remind how opposed I was to jail ids in the first
>> place. Especially because they were dynamically allocated. When they
>> were introduced I recommended jail names, which we ended up with anyway,
>> but now we have all this jailid thing to manage in older FreeBSD
>> versions.
>>
>> All in all we should move to using jail names, IMHO, the same way zone
>> names are used in Solaris/IllumOS. When I was adding jail support to ZFS
>> there were no jail names, only jail hostnames, which weren't an option
>> really.
>
> I guess we'd need to end up with name and if not unique + ID or
> something? Really IDs are not the problem as long as they never
> appear anywhere in the config file? Just not sure given names are not
> unique how to handle it the right way?
>
> /bz

Names are unique.
And we don't have the dying-jail problem with them, as
creating a jail with the same name as a dying jail is allowed. OK, that
means that jail names aren't quite unique - but they're at least unique
among the non-dying set.

- Jamie
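
The procedure discussed in this thread, sketched as an added example that is not part of the original messages and is not the jail(8) implementation: resolve a jail name to its JID among the non-dying jails, bind each dataset with "zfs jail", then mount from inside the jail. The function name attach_datasets is hypothetical, and the sketch assumes the jail is already created and is permitted to mount ZFS datasets.

```shell
#!/bin/sh
# Added example (not from the thread's authors): attach ZFS datasets to a
# jail that the administrator addresses by name only.
# Usage: attach_datasets JAILNAME DATASET...   (hypothetical helper name)
attach_datasets() {
    name=$1
    shift

    # jls lists only non-dying jails unless -d is given, so a name that is
    # being reused while an old jail is still dying resolves to the live JID.
    jid=$(jls -j "$name" jid 2>/dev/null | tr -d '[:space:]')

    # Refuse to continue unless exactly one numeric JID came back.
    case $jid in
        '' | *[!0-9]*)
            echo "attach_datasets: no running jail named '$name'" >&2
            return 1
            ;;
    esac

    for ds in "$@"; do
        # The binding itself is still made by JID ("zfs jail jailid dataset"),
        # but the JID never has to appear in any configuration file.
        zfs jail "$jid" "$ds" || return 1
    done

    # Mount from inside the jail rather than mounting into the jail's
    # directory tree from the host.
    jexec "$jid" zfs mount -a
}
```

Because the JID is looked up at attach time, a dynamically allocated ID is never stored anywhere.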