Date:      Thu, 08 Jun 2006 12:01:30 +0300
From:      Alex Lyashkov <shadow@psoft.net>
To:        Julian Elischer <julian@elischer.org>
Cc:        Robert Watson <rwatson@freebsd.org>, freebsd-arch@freebsd.org
Subject:   Re: jail extensions
Message-ID:  <1149757290.3222.44.camel@berloga.shadowland>
In-Reply-To: <4486EBBD.3090404@elischer.org>
References:  <1149610678.4074.42.camel@berloga.shadowland> <448633F2.7030902@elischer.org> <20060607095824.W53690@fledge.watson.org> <200606070819.04301.jhb@freebsd.org> <4486E41B.4000003@elischer.org> <1149692184.3224.208.camel@berloga.shadowland> <4486EBBD.3090404@elischer.org>

On Wed, 07.06.2006, at 18:07, Julian Elischer wrote:
> Alex Lyashkov wrote:
>=20
> >>Marco's work is somewhat similar.
> >>All globals related to the network are moved to structures that can be =
=20
> >>duplicated.
> >>
> >>The base system also uses this structure so that in effect the base=20
> >>system is just another instance
> >>of the virtual machines. The biggest obstacle is that the 4.x based=20
> >>version just put everything
> >>into one structure, meaning that it only worked when all the components=
=20
> >>effected were
> >>compiled into the kernel. None of them could be implemented as a=20
> >>loadable kernel module.
> >>This has become much more important in 6.x.
> >>
> >>Ther is a way to allow this to work but it would require that we=20
> >>implement a kernel version of
> >>the idea used for TLS (Thread Local Storage), so that modules being=20
> >>loaded could be added
> >>to all the existing VMs and new VMs could get instances of all loaded=20
> >>modules.
> >>(and so that a module could not be unloaded until all VMS have destroye=
d=20
> >>their instance
> >>   =20
> >>
> >It`s can be created easy. each module can be full own private data and
> >register init/destroy methods, similar SYSINIT macro.
> >prison will need add array for store pointers to modules data.
> >yes, it possible need lost more memory - but easy for implementation.
> > =20
> >
>=20
> "Easy" if you are writing something from scratch and you want it to not=20
> be able to be compiled
> the old way too.
What do you mean by 'old way'? I think a module will have 2 ways to init:
one for the old SYSINIT(), which calls module_init(&prison0), and an additional
JAILINIT(), which calls module_init(struct prison *) to init private data
for new prisons.
For dynamically loaded modules there can be 2 ways.
1) When the module is loaded, init private data only for prison0 and wait for
a 'kldload' from other contexts, which calls module_init(struct prison *).
This way we simulate 'kldload' for modules.
2) In the MOD_LOAD case, run a loop over each prison and init private data for
this module in all contexts. This way the module always 'exists' in all
contexts.
And disable module compiling (loading) when the module is not marked jail
safe.


-- 
FreeVPS Developers Team  http://www.freevps.com
Positive Software        http://www.psoft.net
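The scheme the two mails describe (a module registering init/destroy callbacks for its per-prison private data, the prison holding an array of pointers to that data, a newly loaded module being instantiated in every existing prison as in Alex's option 2, and unload being refused until every prison has destroyed its instance), as an added illustration that is not FreeBSD or FreeVPS code. All names (vmod_t, prison_t, vmod_register, prison_create, and so on) are assumed for the example; the registry is single-threaded and uses fixed-size tables.

```c
/* Added illustration (not FreeBSD or FreeVPS code) of per-prison module data; names are assumed. */
#include <stdlib.h>
enum { MAX_MODS = 8, MAX_PRISONS = 8 };

typedef struct prison { int id; void *moddata[MAX_MODS]; } prison_t;  /* slot per module */
typedef struct vmod {                    /* like SYSINIT, but run once per prison */
    void *(*init)(prison_t *);           /* build the module's private data for one prison */
    void (*destroy)(prison_t *, void *); /* tear it down for one prison */
    int refs;                            /* prisons currently holding an instance */
} vmod_t;
static vmod_t *mods[MAX_MODS]; static prison_t *prisons[MAX_PRISONS];

/* Module load (option 2 in the mail): instantiate the module in every existing prison. */
int vmod_register(vmod_t *m) {
    int s = 0; while (s < MAX_MODS && mods[s]) s++;
    if (s == MAX_MODS) return -1;
    mods[s] = m;
    for (int p = 0; p < MAX_PRISONS; p++)
        if (prisons[p]) { prisons[p]->moddata[s] = m->init(prisons[p]); m->refs++; }
    return s;
}
int vmod_unregister(int s) {
    if (s < 0 || s >= MAX_MODS || !mods[s] || mods[s]->refs > 0) return -1; /* still instantiated */
    mods[s] = NULL; return 0;
}
/* A new prison gets an instance of every module loaded so far. */
prison_t *prison_create(int id) {
    int p = 0; while (p < MAX_PRISONS && prisons[p]) p++;
    if (p == MAX_PRISONS) return NULL;
    prison_t *pr = calloc(1, sizeof *pr); if (!pr) return NULL;
    pr->id = id;
    for (int s = 0; s < MAX_MODS; s++)
        if (mods[s]) { pr->moddata[s] = mods[s]->init(pr); mods[s]->refs++; }
    return prisons[p] = pr;
}
/* Destroying a prison releases each module's instance, dropping that module's ref. */
int prison_destroy(int id) {
    for (int p = 0; p < MAX_PRISONS; p++) {
        prison_t *pr = prisons[p];
        if (!pr || pr->id != id) continue;
        for (int s = 0; s < MAX_MODS; s++)
            if (mods[s]) { mods[s]->destroy(pr, pr->moddata[s]); mods[s]->refs--; }
        free(pr); prisons[p] = NULL; return 0;
    }
    return -1;
}
/* Sample module: its private data is just a heap copy of the prison id. */
static void *id_init(prison_t *pr) { int *d = malloc(sizeof *d); *d = pr->id; return d; }
static void id_destroy(prison_t *pr, void *d) { (void)pr; free(d); }
vmod_t id_mod = { id_init, id_destroy, 0 };
```

With one prison created before the module is registered and one after, both hold an instance, unregistering fails until both prisons are destroyed, and then succeeds.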