Date: Sat, 20 May 2006 17:01:09 +0200
From: Dirk Engling <erdgeist@erdgeist.org>
To: Xin LI <delphij@delphij.net>
Cc: freebsd-rc <freebsd-rc@freebsd.org>
Subject: Re: [PATCH FOR REVIEW] Implementation of skeleton jail
Message-ID: <446F2F35.9060901@erdgeist.org>
In-Reply-To: <1148109661.952.26.camel@spirit>
References: <1148109661.952.26.camel@spirit>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xin LI wrote:

> Here is an implementation of what I call it "skeleton jail". The idea
> is that it is more or less to be common that we do not want to actually
> copy of the base system (sometimes even other stuff) across zillions of
> jails.

Nice idea, you might want to check my thoughts on that in the
ezjail-project page [1].

> For instance, by default the skeleton jail would mount the following
> directories from the skeleton root (/) to the jail:
>
> bin -> ${_root}/bin
> sbin -> ${_root}/sbin
> lib -> ${_root}/lib
> libexec -> ${_root}/libexec
> usr/bin -> ${_root}/usr/bin
> usr/sbin -> ${_root}/usr/sbin
> usr/include -> ${_root}/usr/include
> usr/lib -> ${_root}/usr/lib
> usr/libdata -> ${_root}/usr/libdata
> usr/libexec -> ${_root}/usr/libexec
> usr/sbin -> ${_root}/sbin
> usr/share -> ${_root}/share

The complete set of sharable files in a FreeBSD system is

  bin boot lib libexec rescue sbin usr/bin usr/games usr/include usr/lib
  usr/libdata usr/libexec usr/sbin usr/src usr/share

and probably usr/lib32 for amd64 machines.

> There are four variables that can be set in either system level default
> or per-jail way:
>
> - _skel_enable
>   Whether to raise the jail from a skeleton root. The default is NO
> - _skel_root
>   The place of skeleton root. The default is "/"
> - _skel_romounts
>   Which directories (relative to the skeleton root) should be mounted
>   read-only to the skeleton jail. The default is shown above.
> - _skel_rwmounts
>   Which directories (relative to the skeleton root) should be mounted
>   read-write to the skeleton jail. The default is nothing, but a
>   potential useful option might be "/usr/ports", except for security
>   concerns.

Why would you want to reinvent the wheel? What does this offer that
/etc/fstab.<Jailname> won't offer you? You can simply add lines of the
type

  /bin  /JAILROOT/bin  nullfs ro 0 0
  /sbin /JAILROOT/sbin nullfs ro 0 0
  ...

there and /etc/rc.d/jail will take care of the rest.

The problem with FreeBSD jails at the moment is not that you can't
automatically start them, but rather that it is quite hard to manage them.
Adding lots of lines to your /etc/rc.conf for each jail seems like a bad
move. I'd rather suggest adding a /etc/jails directory (similar to
ezjail's /usr/local/etc/ezjail) containing configs for your jails to make
them more easily manageable. Additionally, a script to create and manage
those configs, the fstabs and, of course, the JAILROOTs will be needed.

Further: there's no need to mount /usr/ports rw. If you alter your
make.conf to contain

  WRKDIRPREFIX= /var/ports
  DISTDIR= /var/ports/distfiles
  PACKAGES= /var/ports/packages

you can mount ports ro. If you want to share your distfiles through the
jails, you can mount /var/ports/distfiles rw and still keep the checksums
safe within /usr/ports/.

However, I implemented a lot of those ideas in the ezjail-project and if
no one complains I might try to provide a patch to move it into the base
system.

Regards,

erdgeist

[1] http://erdgeist.org/arts/software/ezjail/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)

iD8DBQFEby81ImmQdUyYEgkRApDKAJ42VsqA+UgS2I39syOtHMIvwW2KawCdFwWL
P9RTxDX5ax/h/9UpTKL3xwY=
=luon
-----END PGP SIGNATURE-----
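
An added illustration of the /etc/fstab.<Jailname> approach described in the reply above (not code from the thread or from ezjail): this sh function prints read-only nullfs lines for the sharable directories the message lists, and read-write lines only for explicitly named extras such as var/ports/distfiles. The function names, the tab-separated layout and the path checks are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): generate the nullfs lines for
# /etc/fstab.<jailname>. Function names are hypothetical.

# Sharable directories exactly as listed in the message.
SHARABLE="bin boot lib libexec rescue sbin usr/bin usr/games usr/include
usr/lib usr/libdata usr/libexec usr/sbin usr/src usr/share"

# valid_root PATH: must be absolute, free of whitespace (fstab fields are
# whitespace-separated) and free of ".." components.
valid_root() {
    case "$1" in
        *[[:space:]]*|*/../*|*/..) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# emit_mounts SKEL JAILROOT OPTION DIR...: one line per DIR present in SKEL.
emit_mounts() {
    skel=$1; jail=$2; opt=$3; shift 3
    for d in "$@"; do
        case "$d" in /*|*..*) echo "skipping unsafe entry: $d" >&2; continue ;; esac
        [ -d "$skel/$d" ] || continue   # e.g. usr/src may not be installed
        printf '%s\t%s\tnullfs\t%s\t0\t0\n' "$skel/$d" "$jail/$d" "$opt"
    done
    return 0
}

# gen_jail_fstab JAILROOT [SKELROOT] [RW_DIRS]
# Base-system directories are always read-only; only the extra directories
# named in RW_DIRS (relative to SKELROOT) are mounted read-write.
gen_jail_fstab() {
    jailroot=${1%/}; skelroot=${2:-/}
    if ! valid_root "$jailroot" || ! valid_root "$skelroot"; then
        echo "gen_jail_fstab: roots must be absolute paths without spaces" >&2
        return 1
    fi
    skelroot=${skelroot%/}              # "/" becomes "" so joins stay clean
    emit_mounts "$skelroot" "$jailroot" ro $SHARABLE
    emit_mounts "$skelroot" "$jailroot" rw $3
}
```

Redirect the output of `gen_jail_fstab /JAILROOT / "var/ports/distfiles"` into the jail's fstab file and review it before /etc/rc.d/jail mounts it; a jail root of "/" is rejected so the host's own tree is never used as a mount target.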
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?446F2F35.9060901>