cvs commit: src/usr.sbin/jexec jexec.8 jexec.c

Oliver Fromme olli at fromme.com
Thu May 29 14:16:52 UTC 2008


Bjoern A. Zeeb wrote:
 > On Thu, 29 May 2008, Oliver Fromme wrote:
 > > I think that an admin who decides to use jexec with IP
 > > numbers or hostnames should be expected to be aware that
 > > there can be ambiguities, and that he should make sure
 > > that his IP numbers and/or hostnames are unique.
 > 
 > I think that's a bad policy but ...

As it currently stands, the hostname is a pretty good
property to identify a jail.  If the admin can guarantee
that they're unique, it works very well.

Of course, the ability to assign unique tags to jails
would be even better, but we don't have that now, as
far as I know.

 > As it already fetched the entire data from the kernel, it would be
 > easy to walk the list to the end and barf on duplicates.

I agree.

 > > Now with the above new jexec feature, those scripts can be
 > > simplified greatly.  Of course I _do_ make sure that all
 > > of my jails have unique hostnames.
 > 
 > Lucky you; your jail goes away immediately when you stop it and the TCP
 > socket has to be torn down, still and you restarted it and end up in
 > the 'dead' one.

Good point.  That's certainly something that needs to be
taken care of.

(It doesn't happen to me because my stop script waits for
the jail to disappear, FWIW.  Another solution would be
to record the current jail ID in a file somewhere.)

 > > However, I do share the concern that there's an ambiguity
 > > in the syntax:  "127" can be a jail ID as well as an IP
 > > number (same as 0.0.0.127) or a hostname.  Either the
 > 
 > actually 127.0.0.0

I'm afraid I think it is 0.0.0.127.
127.0.0.0 would be 2130706432.

 > > A simple way to resolve it would be to require at least
 > > one dot for IP numbers, otherwise it is matched as a
 > > jail ID.  In practice I've never seen people using single
 > > numbers (without dots) for IP numbers.  In fact I've been
 > > stared at with disbelief by coworkers many times when
 > > using 127.1 as a shortcut for 127.0.0.1.
 > 
 > Yes, because that is 127.1.0.0 and not 127.0.0.1.

I'm pretty sure 127.1 is the same as 127.0.0.1.  Last
time I used telnet 127.1 to test things it worked fine.

127.1.0.0 would be 127.65536.

 > > > What do you think about using jail name from /etc/rc.conf?
 > >
 > > Personally I don't set up my jails via the rc.d stuff (and
 > > I suspect I'm not the only one), so that would only be of
 > > limited usefulness, I'm afraid.
 > 
 > sorry we don't support private stuff.

Of course I'm aware of that.  But we don't force people to
use the rc.d stuff for jails either.  It doesn't fit for
every case.

 > > >     security.jail.set_hostname_allowed=1.
 > >
 > > I agree.  If that sysctl is set to 1 (default!), matching
 > > against the jails' hostnames should not be attempted.
 > 
 > Anyway people have been discussing this more than it is worth.
 > The bugs in the code are still not fixed.
 > As Christian has pointed out we will have a 'jail name' soon.

That would be perfect.

Best regards
   Oliver

-- 
Oliver Fromme, Bunsenstr. 13, 81735 Muenchen, Germany

``We are all but compressed light'' (Albert Einstein)
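The disagreement above about what "127" and "127.1" denote comes down to the classic BSD numbers-and-dots rules that inet_aton() has always used: a single number is the whole 32-bit address, "a.b" puts a in the top byte and b in the remaining 24 bits, "a.b.c" puts c in the remaining 16 bits, and only "a.b.c.d" is four plain bytes. The following C program is an added example for this page, not code from the jexec commit or from FreeBSD's libc: it reimplements those rules in a small parser so the values debated in the thread can be checked directly, and it implements the "require at least one dot for an IP address, otherwise treat it as a jail ID" disambiguation proposed in the quoted text as a hypothetical classify_target() function (an assumed design, not what jexec actually does). The sample arguments in main() are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse classic BSD "numbers-and-dots" notation into a host-order 32-bit
 * address.  Returns 1 on success, 0 if the string is not an address.
 * The rules mirror 4.2BSD-derived inet_aton():
 *   a        -> a is the whole 32-bit value        ("127"   = 0.0.0.127)
 *   a.b      -> a is 8 bits, b fills the low 24    ("127.1" = 127.0.0.1)
 *   a.b.c    -> a and b are 8 bits, c fills the low 16
 *   a.b.c.d  -> four 8-bit bytes
 * Each part may be decimal, octal (leading 0) or hex (leading 0x). */
int classic_inet_aton(const char *s, uint32_t *out)
{
    unsigned long part[4];
    int n = 0, i;
    const char *p = s;

    if (s == NULL || *s == '\0')
        return 0;
    for (;;) {
        char *end;
        if (!isdigit((unsigned char)*p))     /* every part starts with a digit */
            return 0;
        errno = 0;
        part[n++] = strtoul(p, &end, 0);     /* base 0: decimal, 0octal, 0xhex */
        if (errno == ERANGE)
            return 0;
        if (*end == '\0')
            break;
        if (*end != '.' || n == 4)           /* trailing junk, or a fifth part */
            return 0;
        p = end + 1;
    }
    /* Leading parts are single bytes; the last part fills the rest. */
    for (i = 0; i < n - 1; i++)
        if (part[i] > 0xFF)
            return 0;
    if (part[n - 1] > (0xFFFFFFFFUL >> (8 * (n - 1))))
        return 0;
    *out = (uint32_t)part[n - 1];
    for (i = 0; i < n - 1; i++)
        *out |= (uint32_t)part[i] << (24 - 8 * i);
    return 1;
}

/* Render a host-order address as a dotted quad into buf (>= 16 bytes). */
const char *dotted_quad(uint32_t a, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(a >> 24) & 0xFFu,
             (unsigned)(a >> 16) & 0xFFu, (unsigned)(a >> 8) & 0xFFu,
             (unsigned)a & 0xFFu);
    return buf;
}

enum jexec_target { TARGET_INVALID, TARGET_JAIL_ID, TARGET_IP, TARGET_HOSTNAME };

/* Hypothetical disambiguation rule from the thread (not jexec's real code):
 * a bare number with no dot is always a jail ID, never the address 0.0.0.N;
 * only strings containing a dot are tried as IP addresses; everything else
 * is a hostname. */
enum jexec_target classify_target(const char *s, uint32_t *ip_out)
{
    int has_dot = 0, all_digits = 1;
    const char *p;

    if (s == NULL || *s == '\0')
        return TARGET_INVALID;
    for (p = s; *p; p++) {
        if (*p == '.')
            has_dot = 1;
        else if (!isdigit((unsigned char)*p))
            all_digits = 0;
    }
    if (all_digits && !has_dot)
        return TARGET_JAIL_ID;
    if (has_dot && classic_inet_aton(s, ip_out))
        return TARGET_IP;
    return TARGET_HOSTNAME;
}

int main(void)
{
    /* Constructed sample arguments covering the forms debated in the thread. */
    static const char *const samples[] = {
        "127", "127.1", "127.65536", "2130706432", "127.0.0.1",
        "0177.0x1", "256.1", "127.1.2.3.4", "jail1.example.org", NULL };
    static const char *const names[] = { "invalid", "jail id", "ip", "hostname" };
    char buf[16];
    int i;

    for (i = 0; samples[i] != NULL; i++) {
        uint32_t ip = 0;
        enum jexec_target t = classify_target(samples[i], &ip);
        printf("%-18s -> %-8s", samples[i], names[t]);
        if (t == TARGET_IP)
            printf(" (%s)", dotted_quad(ip, buf, sizeof buf));
        else if (classic_inet_aton(samples[i], &ip))
            printf(" (inet_aton would read it as %s)", dotted_quad(ip, buf, sizeof buf));
        putchar('\n');
    }
    return 0;
}
```

Running it shows that "127" parses as 0.0.0.127, "127.1" as 127.0.0.1, "127.65536" as 127.1.0.0 and "2130706432" as 127.0.0.0, matching the arithmetic in the reply above; under the proposed rule a bare "127" is nonetheless classified as a jail ID, so the one-number form can never be silently taken as an address.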
