From: Jamie Gritton <jamie@FreeBSD.org>
To: jail@FreeBSD.org
Date: Tue, 21 Jul 2009 15:44:24 -0600
Subject: Jail parameter patch: disable/new/inherit
Message-ID: <4A6636B8.9050204@FreeBSD.org>

There's a patch to Current at http://gritton.org/freebsd/triple.diff that makes some small changes to the new parameter-based jail system. I invite anyone interested in the future direction of jails to review it before it goes in (hopefully in the next day or two).

This patch deals with jailed subsystems that may or may not be virtualized. At first, there was a boolean to describe this situation: for example in the VIMAGE kernels, setting the "vnet" parameter would create a jail with a virtual network stack. But there's more than just virtual or not. In particular there are three things that can be done with a particular subsystem:

"disable": Don't use the subsystem at all in a jail. For example, if you create a jail with "ip6=disable", that jail won't be able to use IPv6 sockets, as if it were a system without INET6 defined in the kernel.

"new": Create a new virtual instance of the subsystem in the jail. What constitutes a new instance will vary, but it generally means the jail is treated in some way differently from the rest of the system. Setting "ip6=new" will restrict IPv6 addresses (to the contents of the list specified by "ip6.addr", which should also be set). Setting "host=new" will let a jail set its own hostname (and related data) separately from the rest of the system. Setting "vnet=new" will create a new network stack for the jail.

"inherit": This is the default state, and means the jail is treated the same as the rest of the system. There's no difference between a jailed and non-jailed process as far as that subsystem is concerned. A jail with "ip6=inherit" would allow the full use of the available IPv6 addresses.

As yet, this is just a structural/name change. It will become important as other features are added to the jail system, including any modules that want to have jail support.

- Jamie
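As an added example (not part of Jamie's patch or FreeBSD's own code), a small sh script that assembles a jail(8) command line from per-subsystem disable/new/inherit settings, rejects values outside those three states, and enforces the note above that "ip6=new" (and likewise "ip4=new") needs an address list; it assumes jail(8) accepts name=value parameters as in the parameter-based jail system, and the jail name, path and addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: build and check a jail(8) invocation for the three-state
# subsystem parameters described in the mail.  The command line is printed
# rather than executed, so it can be reviewed without root or a jail-capable
# kernel.  Names, paths and addresses below are constructed sample values.

# Each jailed subsystem may be in exactly one of these three states.
check_state() {
    case "$2" in
        disable|new|inherit) return 0 ;;
        *) echo "$1: invalid state '$2' (want disable|new|inherit)" >&2
           return 1 ;;
    esac
}

# jail_cmd NAME PATH IP4 IP6 HOST VNET [IP4ADDR] [IP6ADDR]
# "new" for ip4/ip6 restricts the jail to the listed addresses, so an empty
# list is rejected instead of producing a jail with no usable addresses.
jail_cmd() {
    name=$1 root=$2 ip4=$3 ip6=$4 host=$5 vnet=$6 ip4addr=$7 ip6addr=$8
    check_state ip4 "$ip4" && check_state ip6 "$ip6" &&
    check_state host "$host" && check_state vnet "$vnet" || return 1
    if [ "$ip4" = new ] && [ -z "$ip4addr" ]; then
        echo "ip4=new requires ip4.addr" >&2; return 1
    fi
    if [ "$ip6" = new ] && [ -z "$ip6addr" ]; then
        echo "ip6=new requires ip6.addr" >&2; return 1
    fi
    cmd="jail -c name=$name path=$root host=$host ip4=$ip4 ip6=$ip6 vnet=$vnet"
    [ -n "$ip4addr" ] && cmd="$cmd ip4.addr=$ip4addr"
    [ -n "$ip6addr" ] && cmd="$cmd ip6.addr=$ip6addr"
    echo "$cmd"
}

# Sample use: an IPv4-inheriting jail with IPv6 disabled and its own hostname.
jail_cmd www /jails/www inherit disable new inherit
```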