From: Dirk Engling
Date: Sat, 20 May 2006 17:01:09 +0200
To: Xin LI
Cc: freebsd-rc
Subject: Re: [PATCH FOR REVIEW] Implementation of skeleton jail
Message-ID: <446F2F35.9060901@erdgeist.org>
In-Reply-To: <1148109661.952.26.camel@spirit>

Xin LI wrote:
> Here is an implementation of what I call "skeleton jail". The idea
> is that it is more or less to be common that we do not want to actually
> copy the base system (sometimes even other stuff) across zillions of
> jails.

Nice idea, you might want to check my thoughts on that in the
ezjail-project page [1].

> For instance, by default the skeleton jail would mount the following
> directories from the skeleton root (/) to the jail:
>
> bin -> ${_root}/bin
> sbin -> ${_root}/sbin
> lib -> ${_root}/lib
> libexec -> ${_root}/libexec
> usr/bin -> ${_root}/usr/bin
> usr/sbin -> ${_root}/usr/sbin
> usr/include -> ${_root}/usr/include
> usr/lib -> ${_root}/usr/lib
> usr/libdata -> ${_root}/usr/libdata
> usr/libexec -> ${_root}/usr/libexec
> usr/sbin -> ${_root}/sbin
> usr/share -> ${_root}/share

The complete set of sharable files in a FreeBSD system is

bin boot lib libexec rescue sbin usr/bin usr/games usr/include
usr/lib usr/libdata usr/libexec usr/sbin usr/src usr/share

and probably usr/lib32 for amd64 machines.

> There are four variables that can be set in either system level default
> or per-jail way:
>
> - _skel_enable
>   Whether to raise the jail from a skeleton root. The default is NO
> - _skel_root
>   The place of skeleton root. The default is "/"
> - _skel_romounts
>   Which directories (relative to the skeleton root) should be mounted
>   read-only to the skeleton jail. The default is shown above.
> - _skel_rwmounts
>   Which directories (relative to the skeleton root) should be mounted
>   read-write to the skeleton jail. The default is nothing, but a
>   potentially useful option might be "/usr/ports", except for security
>   concerns.

Why would you want to reinvent the wheel? What does this offer that
/etc/fstab. won't offer you? You can simply add lines of the type

/bin /JAILROOT/bin nullfs ro 0 0
/sbin /JAILROOT/sbin nullfs ro 0 0
...

there and /etc/rc.d/jail will take care of the rest.

The problem with FreeBSD jails at the moment is not that you can't
automatically start them, rather that it is quite hard to manage them.
Adding lots of lines to your /etc/rc.conf for each jail seems like a bad
move. I'd rather suggest adding a /etc/jails directory (similar to
ezjail's /usr/local/etc/ezjail) containing configs for your jails to make
them more easily manageable.
Additionally a script to create and manage those configs, the fstabs
and, of course, the JAILROOTs will be needed.

Further: there's no need to mount /usr/ports rw. If you alter your
make.conf to contain

WRKDIRPREFIX= /var/ports
DISTDIR= /var/ports/distfiles
PACKAGES= /var/ports/packages

you can mount ports ro. If you want to share your distfiles through the
jails, you can mount /var/ports/distfiles rw and still keep the
checksums safe within /usr/ports/.

However I implemented a lot of those ideas in the ezjail-project and if
no one complains I might try to provide a patch to move it into the base
system.

Regards,

erdgeist

[1] http://erdgeist.org/arts/software/ezjail/
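
Added example, not part of the original mail and not ezjail or FreeBSD code: sh functions that generate the nullfs fstab lines described in the message and audit an fstab for writable or out-of-root mounts. The function names and the jail root passed to them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Function names are assumptions.

# Directories the mail lists as sharable from the host base system.
SHARED_RO="bin boot lib libexec rescue sbin usr/bin usr/games usr/include
usr/lib usr/libdata usr/libexec usr/sbin usr/src usr/share"

# gen_jail_fstab JAILROOT [SKELROOT]
# Print nullfs lines: base system and /usr/ports read-only, and only
# /var/ports/distfiles read-write, as the mail proposes.
gen_jail_fstab() {
    _jr=${1%/}
    _sk=${2:-}
    _sk=${_sk%/}
    case $_jr in
        *..*|*" "*) echo "unsafe jail root: $_jr" >&2; return 1 ;;
        /?*) ;;
        *) echo "jail root must be an absolute path" >&2; return 1 ;;
    esac
    for _d in $SHARED_RO usr/ports; do
        printf '%s/%s %s/%s nullfs ro 0 0\n' "$_sk" "$_d" "$_jr" "$_d"
    done
    printf '%s/%s %s/%s nullfs rw 0 0\n' \
        "$_sk" var/ports/distfiles "$_jr" var/ports/distfiles
}

# audit_jail_fstab JAILROOT < fstab
# Report nullfs entries mounted outside JAILROOT, and writable ones other
# than the shared distfiles directory. Exit status 1 if anything is reported.
audit_jail_fstab() {
    awk -v root="${1%/}" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $3 != "nullfs" { next }
        {
            n = split($4, opt, ","); ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (index($2, root "/") != 1 || $2 ~ /\/\.\.(\/|$)/) {
                print "OUTSIDE " $2; bad = 1
            } else if (!ro && $2 != root "/var/ports/distfiles") {
                print "WRITABLE " $2; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}
```

Run the audit over a hand-edited fstab as well as a generated one; it only inspects the file and mounts nothing.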