Date: Mon, 23 Apr 2001 14:29:22 -0400 (EDT)
From: Robert Watson
To: freebsd-arch@FreeBSD.org
Subject: jailNG

This weekend I was spending some time tweaking the jail(8) code to improve its SMPng-happiness as well as manageability. Unfortunately, I ended up rewriting it in the process :-). I changed the model somewhat so that jails are now persistently configured, joined, et al, and broke out the chroot() from the creation/joining process, as with increased namespaces (such as System V IPC) creating a nice clean failure was increasingly difficult. Aspects of individual jails may now be managed using sysctls, which appears to work reasonably well.

Clearly there's a lot of work left to do, but I'd appreciate comments if people are interested:

    http://www.watson.org/~robert/jailng/

Simple example:

    dev# ./jailctl
    usage: jailctl create [jailname]
           jailctl destroy [jailname]
           jailctl join [jailname] [-c chrootpath] [path] [cmd] [args...]
    dev# ./jailctl create test
    dev# sysctl -a | grep jail
    jail.instance.test.sysvipc_permitted: 0
    jail.instance.test.set_hostname_permitted: 1
    jail.instance.test.socket_ipv4_permitted: 1
    jail.instance.test.socket_unix_permitted: 1
    jail.instance.test.socket_route_permitted: 1
    jail.instance.test.socket_other_permitted: 0
    jail.instance.test.ipv4addr: 0
    dev# ./jailctl join test -c /tmp /bin/sh
    # ps ax
      PID  TT  STAT      TIME COMMAND
      907  d0  DWJ    0:00.02 /bin/sh
      908  d0  RW+J   0:00.00 ps ax
    # exit
    dev# ./jailctl destroy test
    dev#

I also have a jailinit(8) in the works which would allow improved startup/shutdown in the style of init(8) (sans the whole sigchild thing). Another feature I'd like to add is a jail signal call that allows a signal to be delivered to all processes inside a jail from outside, allowing an easier forcible shutdown.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
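Added example, not part of the original message or of the jailNG code: a small sh audit that reads the per-jail sysctl lines shown above and reports every knob that differs from a baseline. The knob names are taken from the message; the baseline values in POLICY, the function names and the second jail "web" in the sample are assumptions made for illustration.

```sh
#!/bin/sh
# POLICY is a constructed least-privilege baseline, NOT the prototype's defaults.
POLICY='sysvipc_permitted=0
set_hostname_permitted=0
socket_ipv4_permitted=1
socket_unix_permitted=1
socket_route_permitted=0
socket_other_permitted=0'

# expected_value KNOB: print the baseline value, or nothing for unknown knobs.
expected_value() {
    printf '%s\n' "$POLICY" | while IFS='=' read -r k v; do
        if [ "$k" = "$1" ]; then printf '%s\n' "$v"; fi
    done
}

# jail_audit: read "jail.instance.<name>.<knob>: <value>" lines on stdin and
# print "<name> <knob>=<value> expected=<baseline>" for each deviation.
jail_audit() {
    while IFS= read -r line; do
        case $line in
            jail.instance.*:*) ;;
            *) continue ;;               # ignore unrelated sysctl lines
        esac
        key=${line%%:*}                  # jail.instance.test.sysvipc_permitted
        val=${line#*: }                  # value after ": "
        key=${key#jail.instance.}        # test.sysvipc_permitted
        knob=${key##*.}                  # knob is the last dotted component
        name=${key%.*}                   # the rest is the jail name
        want=$(expected_value "$knob")
        if [ -n "$want" ] && [ "$val" != "$want" ]; then
            printf '%s %s=%s expected=%s\n' "$name" "$knob" "$val" "$want"
        fi
    done
}

# Sample input: the "test" lines are from the message; "web" is constructed.
SAMPLE='jail.instance.test.sysvipc_permitted: 0
jail.instance.test.set_hostname_permitted: 1
jail.instance.test.socket_ipv4_permitted: 1
jail.instance.test.socket_unix_permitted: 1
jail.instance.test.socket_route_permitted: 1
jail.instance.test.socket_other_permitted: 0
jail.instance.test.ipv4addr: 0
jail.instance.web.sysvipc_permitted: 1'

printf '%s\n' "$SAMPLE" | jail_audit
```

On a host running the prototype, the same function could be fed from `sysctl -a | grep jail` as in the session above. Knobs with no baseline entry, such as ipv4addr, are skipped rather than flagged.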