From: James Gritton <jamie@gritton.org>
To: freebsd-virtualization@freebsd.org
Date: Mon, 09 Jun 2008 11:07:14 -0600
Subject: jail_set
Message-ID: <484D6342.1080901@gritton.org>

I've gotten the first stage working of the extensible name-based jail settings framework, with a patch available at http://gritton.org/jail_set.diff

This is based around a new jail_set() system call, much like nmount() - in fact it even uses the same vfs options calls. It allows for modules (the existing "prison services" hooks that zfs uses) to be controlled via this interface, both to enable or disable the entire module, or to have their own module-specific parameters.
The old jail() system call still exists and is compatible with this setup - it just becomes a stub to jail_set with the "path", "hostname", and "ip_number" parameters. There's also a sysctl tree security.jail.jid, that shows all parameters for current jails, once again with hooks for per-module parameters.

The expectation is that vimage's vnet and vinet will become prison services under this framework, and the other more minor vimage bits will be rolled in as well. This would fit in with the goals of the 21 Jul deadline in Julian's recently posted schedule.

Work still to do:

- Allow for hierarchical jails (which vimage needs).
- Actually integrate this with vimage.
- Integrate with other subsystems, more for proof of concept than anything else. SYSV IPC perhaps, since I've already done similar work on them. Or replace the one-off "pr_linux" hook on the prison structure with the standard services hook.
- Perhaps add a jail_get() system call, to read jail parameters. Currently, they can be read via sysctl, but that might not be the best way around this. If there's both a jail_set and jail_get, there may be no need for the extra effort of the sysctl tree.

- Jamie
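As an added illustration (not part of the mail or of the patch it links), the following C builds the name/value parameter list for the three parameters the old jail() stub maps onto, using the nmount(2) convention the message says jail_set() shares: each name and each value is an iovec carrying the string and its terminating NUL. The allowlist of parameter names, the `jail_params` type and the `jail_param_add`/`jail_params_apply` helpers are this example's own; the `jail_set(iov, niov, flags)` signature and the `JAIL_CREATE` flag are assumed to match the jail_set(2) that later shipped in FreeBSD 8, and the actual call is compiled only on FreeBSD.

```c
#include <string.h>
#include <sys/uio.h>
#ifdef __FreeBSD__
#include <sys/jail.h>   /* jail_set(2), JAIL_CREATE: assumed to match FreeBSD 8 */
#endif

#define MAX_PARAMS 8

/* A jail_set() argument list: pairs of (name, value) iovecs, nmount style. */
struct jail_params {
    struct iovec iov[2 * MAX_PARAMS];
    unsigned niov;
};

/* Append one string-valued parameter. Only names the jail() stub sets are
 * accepted here, so a caller cannot smuggle in an arbitrary module knob.
 * Returns 0 on success, -1 if the name is unknown or the table is full. */
int jail_param_add(struct jail_params *jp, const char *name, const char *value)
{
    static const char *const known[] = { "path", "hostname", "ip_number" };
    size_t i;
    int ok = 0;

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(name, known[i]) == 0)
            ok = 1;
    if (!ok || jp->niov + 2 > 2 * MAX_PARAMS)
        return -1;
    /* nmount(2) convention: iov_len covers the NUL terminator too. */
    jp->iov[jp->niov].iov_base = (void *)name;
    jp->iov[jp->niov].iov_len = strlen(name) + 1;
    jp->iov[jp->niov + 1].iov_base = (void *)value;
    jp->iov[jp->niov + 1].iov_len = strlen(value) + 1;
    jp->niov += 2;
    return 0;
}

/* Hand the list to the kernel. Outside FreeBSD this only reports that no
 * jail_set() is available, so the builder above can still be exercised. */
int jail_params_apply(const struct jail_params *jp)
{
#ifdef __FreeBSD__
    return jail_set((struct iovec *)jp->iov, jp->niov, JAIL_CREATE);
#else
    (void)jp;
    return -1;
#endif
}
```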