Date:      Mon, 31 Jan 2005 21:39:52 +0800
From:      Xin LI <delphij@frontfree.net>
To:        freebsd-hackers@FreeBSD.org
Cc:        ru@FreeBSD.org
Subject:   Idea about "skeleton jail"
Message-ID:  <1107178792.613.22.camel@spirit>

Dear folks,

There was a recent discussion about whether we should have the perl port
touch/install /usr/bin/perl.  While I'm not interested in joining the
discussion, it inspired me: we can make use of the fact that ports
should not install things to the "system" area and take advantage of it.
Finally, these ideas led me to hack up something that might be
valuable to share with our users.

What I am going to propose is a concept that I call "skeleton jail",
or "skeljail" for short.  A skel jail is something that shares most base
system binaries/libraries with the host, through read-only mount_null's.

I have already done some experiments.  Basically we want the following
directories to be mount_null'ed:
	/bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include,
	/usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share

to get most of what we want the jail to do to work; this includes
ssh(1) and something else.  Optionally, we may want to mount_nullfs a
read-write /usr/ports/distfiles, a read-only /usr/ports, and something
like /usr/game into the skeljail.

In order to avoid having to do something magic instead of "make
installworld", I have a patchset against src/Makefile and
src/Makefile.inc1 to make the work a bit easier.  It adds a so-called
"installskel" target that creates a skeljail that contains the necessary
directory hierarchy, and a set of /etc configuration files that will be
useful to start the jail.  The target must be used after a ``make
buildworld''.

The two major benefits for the skeljail are:
- Reduces the ordinary management cost because many base system files
are shared, hence you patch only once to get all jails patched.
- Reduces the space cost needed for a newly created jail.  It used
to need about 110MB and with skeljail you will only need no more than
3MB.

Apparently skeljail is not suitable for those who want to:
- Run different FreeBSD releases on a single box.
- Run ports that do touch the system area.

But having it doesn't hurt the ability for you to run a full jail.

I have some handcrafted shell scripts to implement skeljail by having
everything automatically mounted/dismounted.  However, I think it might
be better if we can have a jail_<name>_skeljail="YES" switch in our jail
rc.d(8) startup script.  Please let me know if you are interested in the
idea and I'll post a patch for review if there are enough people who
want this.

Thanks in advance!

Cheers,
-- 
Xin LI <delphij delphij net>  http://www.delphij.net/

[Attachment: patch-skel (text/x-patch)]

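The mount layout described in the message above, as an added example (not the author's scripts or the attached patch): it emits fstab(5) lines for the read-only null mounts and audits an fstab for shared base directories that are writable or missing, since the design relies on the jail being unable to modify the host's binaries. The function names, the jail root path and the choice of fstab output are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not the handcrafted scripts mentioned in the message.
# Directory list as written in the message (/usr/sbin appears twice there).
SKEL_DIRS="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/include \
/usr/lib /usr/libdata /usr/libexec /usr/sbin /usr/share"

# Print each shared directory once, in first-seen order.
skel_dirs() {
    printf '%s\n' $SKEL_DIRS | awk '!seen[$0]++'
}

# skel_fstab JAILROOT [ports]: print fstab(5) lines for the null mounts.
# A relative root or "/" is refused: it would mount over the host itself.
skel_fstab() {
    root=${1:-}; root=${root%/}
    case "$root" in
        /?*) ;;
        *) echo "skel_fstab: need an absolute jail root other than /" >&2
           return 1 ;;
    esac
    skel_dirs | while read -r d; do
        printf '%s\t%s\tnullfs\tro\t0\t0\n' "$d" "$root$d"
    done
    if [ "${2:-}" = ports ]; then
        # Optional mounts from the message: read-only ports tree, then the
        # read-write distfiles directory mounted on top of it.
        printf '%s\t%s\tnullfs\tro\t0\t0\n' /usr/ports "$root/usr/ports"
        printf '%s\t%s\tnullfs\trw\t0\t0\n' /usr/ports/distfiles \
            "$root/usr/ports/distfiles"
    fi
}

# skel_audit: read fstab lines on stdin; report shared base directories
# that are mounted writable or not mounted at all. Exit status 1 if any.
skel_audit() {
    awk -v dirs="$(skel_dirs | tr '\n' ' ')" '
        BEGIN { n = split(dirs, want); for (i = 1; i <= n; i++) shared[want[i]] = 1 }
        $3 == "nullfs" && ($1 in shared) {
            found[$1] = 1
            if ($4 !~ /(^|,)ro(,|$)/) { print "writable " $1 " on " $2; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in found)) { print "missing " want[i]; bad = 1 }
            exit bad + 0
        }'
}
```

For example, `skel_fstab /jails/www ports > /etc/fstab.www` writes the mount table for one jail, and `skel_audit < /etc/fstab.www` re-checks it after later edits; both paths are placeholders.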


