New jail(8) with configuration files, not yet in head

Paul Schenkeveld freebsd at psconsult.nl
Mon Jul 18 19:37:32 UTC 2011 

Hi,

On Sun, Jul 03, 2011 at 11:24:57PM -0600, Jamie Gritton wrote:
> I'm hoping to get the latest version of jail(8) in before the door slams 
> shut on 9.0.  If anyone wants to take a look at the new code and give it 
> a spin, it may help to ease RE's mind about my tardiness.  The included 
> diff applies to the current usr.sbin/jail directory.  In addition to the 
> new program, it adds a jail.conf(5) man page that explains the config 
> file format (hint: it's a typical C-style block config).

Although I really like this new functionality, there is one issue that
I am concerned about.  Should all this functionality be integrated into
the jail(8) command?

In UNIX tradition we have simple interfaces[1] in the base system and
jail(8) used to fit in quite well.  Your new jail(8) tries to be an all
singing and dancing subsystem for managing jails but there will always
be users that need one more feature[2].  That's why we have ezjail,
jailer, jailadmin and others in ports and over time there will be new
ones with new features.

Jail(8) is the one FreeBSD command to create, modify and destroy jails
and is used by many of these wrappers.  Your new jail(8) covers part
of the functionality of these wrapper but not all.  It may grow new
features as people submit ideas and you or someone else is willing to
code the feature but there will always be wrappers to suit needs not
covered by this jail command.

I don't want to start a bikeshed discussion and will shut up immediately
if I appear to be the only one concerned but if others care like I do,
I'd suggest to put this functionality into a separate program and leave
jail(8) to be the minimalistic interface to just control the jail(2)
system call from a command interpreter.

Again, I'm not against your enhancements, I'm just worried about
pollution of OS primitives.

With kind regards,

Paul Schenkeveld

[1] Chown/chgrp/chmod are nice examples, I could easily think of at
    least a dozen enhancements like only operating on files matching a
    specific user/group or mapping a list of old uids/gids to a list of
    new ones or looking up user info in LDAP.  Sometimes throwing in
    find(1) will help you solve the problem at hand, sometimes you need
    to write a script or program.

[2] My favorites: starting jails in parallel, dependency graph of jails,
    monitoring jails and restarting them when they die, migration of
    jails to other hosts and populating new jails from a release DVD,
    /usr/src or the source repository and provisioning jails from a
    database.

More information about the freebsd-arch mailing list