Date: Tue, 04 Sep 2012 11:14:33 -0600 From: Jamie Gritton <jamie@FreeBSD.org> To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> Cc: freebsd-jail@FreeBSD.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>, Martin Matuska <mm@FreeBSD.org> Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt? Message-ID: <504636F9.6050202@FreeBSD.org> In-Reply-To: <alpine.BSF.2.00.1209041019240.76284@ai.fobar.qr> References: <alpine.BSF.2.00.1209040846530.76284@ai.fobar.qr> <5045CAD2.9030507@FreeBSD.org> <20120904100054.GA1405@garage.freebsd.pl> <alpine.BSF.2.00.1209041019240.76284@ai.fobar.qr>
next in thread | previous in thread | raw e-mail | index | archive | help
On 09/04/12 04:20, Bjoern A. Zeeb wrote: > On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote: > >> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote: >>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote: >>>> 2) in the case of (1) it should be possible to address jails by name >>>> as ZFS would be handled automatically and we would not need another >>>> unique identifier I guess? >>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets >>>> to jail names (as well), as long as they are uniquely identifyable >>>> (i.e. there are no 17 jails running with a name of "filesever"). >>>> >>> The binding of a ZFS dataset to a jail has to be exact. So we end up >>> with id's. >>> But we could add something like "zfs datasets" to the jail's >>> configuration file. The jail command would then simply exec "zfs jail >>> jailid dataset" for each of the datasets on jail creation right before >>> initiating rc startup and "zfs unjail jailid dataset" for each of the >>> datasets after jail's rc shutdown but before the jail is destroyed. >> >> Datasets shall not be unjailed. Jailing dataset means that it won't be >> mounted in the main system. You need to run 'zfs mount -a' within a >> jail, during it start-up to mount its datasets. This is much safer than >> mounting anything in jail's directory tree from the main system. We >> already had security issues because of that. This is also how it works >> in Solaris/IllumOS with zones. >> >> And I can't resist to remind how opposed I was to jail ids in the first >> place. Especially because they were dynamically allocated. When they >> were introduced I recommended jail names, which we ended up with anyway, >> but now we have all this jailid thing to manage in older FreeBSD >> versions. >> >> All in all we should move to using jail names, IMHO, the same way zone >> names are used in Solaris/IllumOS. When I was adding jail support to ZFS >> there were no jail names, only jail hostnames, which weren't an option >> really. > > I guess we'd need to end up with name and if not uniqe + ID or > something? Really IDs are not the problem as long as they never > appear anywhere in the config file? Just not sure given names are not > unique how to handle it the right way? > > /bz Names are unique. And we don't have the dying-jail problem with them, as creating a jail with the same name as a dying jail is allowed. OK, that means that jail names aren't quite unique - but they're at least unique among the non-dying set. - Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?504636F9.6050202>