Date: Tue, 21 Jul 2009 15:44:24 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: jail@FreeBSD.org
Subject: Jail parameter patch: disable/new/inherit
Message-ID: <4A6636B8.9050204@FreeBSD.org>

There's a patch to Current at http://gritton.org/freebsd/triple.diff that makes some small changes to the new parameter-based jail system. I invite any interested in the future direction of jails to review it before it goes in (hopefully in the next day or two).

This patch deals with jailed subsystems that may or may not be virtualized. At first, there was a boolean to describe this situation: for example in the VIMAGE kernels, setting the "vnet" parameter would create a jail with a virtual network stack. But there's more than just virtual or not. In particular there are three things that can be done with a particular subsystem:

"disable": Don't use the subsystem at all in a jail. For example, if you create a jail with "ip6=disable", that jail won't be able to use IPv6 sockets, as if it were a system without INET6 defined in the kernel.

"new": Create a new virtual instance of the subsystem in the jail. What constitutes a new instance will vary, but it generally means the jail is treated in some way different from the rest of the system. Setting "ip6=new" will restrict IPv6 addresses (to the contents of the list specified by "ip6.addr" which should also be set). Setting "host=new" will let a jail set its own hostname (and related data) separately from the rest of the system. Setting "vnet=new" will create a new network stack for the jail.

"inherit": This is the default state, and means the jail is treated the same as the rest of the system. There's no difference between a jailed and non-jailed process as far as that subsystem is concerned. A jail with "ip6=inherit" would allow the full use of the available IPv6 addresses.

As yet, this is just a structural/name change. It will become important as other features are added to the jail system, including any modules that want to have jail support.

- Jamie
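The three states described in the message above can be checked mechanically when reviewing a jail's parameter list. The following is an added example, not code from the patch or from jail(8): it models only what the message states (three values, "inherit" as the default, "ip6.addr" expected alongside "ip6=new"), looks only at explicitly given parameters, and the function names and sample parameter sets are constructed for illustration.

```python
# Added example: models the three states described in the message above.
# It is not jail(8) code; the subsystem list is only the ones the message names.
STATES = ("disable", "new", "inherit")
SUBSYSTEMS = ("ip6", "host", "vnet")


def parse_params(params):
    """Split 'name=value' strings into a dict; rejects malformed entries."""
    parsed = {}
    for item in params:
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"not a name=value parameter: {item!r}")
        parsed[name] = value
    return parsed


def audit(params):
    """Return (states, notes) for a list of jail parameter strings."""
    parsed = parse_params(params)
    states, notes = {}, []
    for sub in SUBSYSTEMS:
        # "inherit" is the default state when the parameter is not given.
        state = parsed.get(sub, "inherit")
        if state not in STATES:
            raise ValueError(f"{sub}: unknown state {state!r}")
        states[sub] = state
        if state == "inherit":
            notes.append(f"{sub}: inherited, jail is treated the same as the rest of the system")
    # "ip6=new" restricts addresses to the ip6.addr list, which should also be set.
    if states["ip6"] == "new" and not parsed.get("ip6.addr"):
        notes.append("ip6: new but ip6.addr is not set")
    return states, notes


# Constructed sample parameter sets (2001:db8::/32 is the documentation prefix).
SAMPLE_OK = ["name=web", "ip6=new", "ip6.addr=2001:db8::10", "host=new", "vnet=new"]
SAMPLE_LOOSE = ["name=build", "ip6=new", "host=new"]

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LOOSE):
        states, notes = audit(sample)
        print(states, notes or "no notes")
```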