[RFC] Skeleton jail (rc.d feature proposal)

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Feb 12 05:05:10 PST 2009

On Tue, 10 Feb 2009, Xin LI wrote:


PreS: I added freebsd-jail@ to Cc:.

> Ok, some local users have prodded me into committing the "skeleton jail"
> feature, I find it useful myself but not sure if it's appropriate to
> commit it against -HEAD, so I'd like to explain it, try to present it in
> a better way, and request comments.

I have seen lots of "skeleton jail" features the last years working
with lots of different parties and I have a private one myself tied
into some other stuff which is even more meagre than most.
  It's 2 files and 7 lines of sh and that's only because I am lazy.

I have seen everything from sh scripts to install worlds/distribution
for a jail, to the same and then remove stuff, unionfs tries and nullfs
mounts. From mergemaster setups populating worlds for jail from private
trees to restores from master images.

Some were really nice, others were .. improvable.

They all helped the people in their environment but few could use what
the others had done in their environment.

> The rc.d infrastructure would automatically mount the following
> directories from the template (when not specified, /) as read-only:
> 	bin
> 	lib
> 	libexec
> 	sbin
> 	usr/bin
> 	usr/include
> 	usr/lib
> 	usr/libdata
> 	usr/libexec
> 	usr/sbin
> 	usr/share

I do not have the following two on most/any of my machines:

> 	usr/src
> 	usr/obj

The correct way to do this I think would leave rc.d/jail untouched and
(pre-)populate an /etc/fstab.<jname> and use that.

Considering that my last commit messages already said that Simon and I
have big worries about all the features in /etc/rc.d/jail and would
rather remove them than keep them and that this is basically two things:

1) pre-seed a jail hierarchy and etc from a source tree
2) mount some nullfs into the jail on start, unmount on stop
(I hope I didn't miss anything else)

I am wondering if this large patch cannot be reduced to a few line sh
script to seed the jail + fstab, not needing to fiddle with base for

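  #!/bin/sh
  # $1 is DESTDIR of the jail
  # $2 is the jail name as in rc.conf
  # $3 is the skel root to mount from
  # other arguments are rw nullfs mounts
  # Keep the fixed arguments under names so they survive the shift below.
  destdir=$1
  jname=$2
  skel=$3
  cd /usr/src
  # Seed the directory tree and /etc of the jail from the source tree.
  make hierarchy DESTDIR="${destdir}"
  make distribution DESTDIR="${destdir}"
  # Read-only nullfs mounts from the skel root (directory list as quoted above).
  for d in bin lib libexec sbin usr/bin usr/include usr/lib usr/libdata \
      usr/libexec usr/sbin usr/share; do
      echo "${skel}/${d} ${destdir}/${d} nullfs ro 0 0" >> "/etc/fstab.${jname}"
  done
  # Everything after the third argument becomes a read-write mount.
  shift; shift; shift
  for d in "$@"; do
      echo "${skel}/${d} ${destdir}/${d} nullfs rw 0 0" >> "/etc/fstab.${jname}"
  done
  echo "Add jail_${jname}_mount_enable='YES' to /etc/rc.conf"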

This is untested and doesn't have error checking etc.
I would even put it in a Makefile instead of doing it in sh.

A lot more flexible than anything in base will ever be.

Just my 5ct.


Bjoern A. Zeeb                      The greatest risk is not taking one.
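
Added example, not part of the original message or of FreeBSD's rc.d code: a
check over a generated /etc/fstab.<jname> that flags nullfs mount points
outside the jail root and template directories that lost their "ro" option.
The function name, the /skel and /jails paths and the sample fstab are
constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit a per-jail fstab.
# Template directories the thread lists as read-only mounts.
RO_DIRS="bin lib libexec sbin usr/bin usr/include usr/lib usr/libdata
usr/libexec usr/sbin usr/share"

# audit_jail_fstab <fstab> <jail root>: one finding per line, status 1 if any.
audit_jail_fstab() {
    fstab=$1; root=${2%/}; findings=0
    while read -r src dst fstype opts _rest; do
        case $src in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$fstype" = nullfs ] || continue
        # The mount point must sit below the jail root, without "..".
        case $dst in
            */../*|*/..) echo "ESCAPE $dst"; findings=1; continue ;;
            "$root"/*) ;;
            *) echo "OUTSIDE $dst"; findings=1; continue ;;
        esac
        rel=${dst#"$root"/}
        # A template directory must carry the "ro" option.
        for d in $RO_DIRS; do
            [ "$rel" = "$d" ] || continue
            case ",$opts," in
                *,ro,*) ;;
                *) echo "WRITABLE $dst"; findings=1 ;;
            esac
        done
    done < "$fstab"
    return "$findings"
}

# Constructed sample in the "src dst nullfs opts 0 0" form used in the thread.
sample_fstab() {
    cat <<'EOF'
# constructed sample for jail "www" rooted at /jails/www
/skel/bin /jails/www/bin nullfs ro 0 0
/skel/usr/lib /jails/www/usr/lib nullfs rw 0 0
/data/www /jails/www/../../etc nullfs rw 0 0
/data/home /jails/www/home nullfs rw 0 0
/skel/sbin /jails/mail/sbin nullfs ro 0 0
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
sample_fstab > "$tmp"
audit_jail_fstab "$tmp" /jails/www || echo "findings reported above"
rm -f "$tmp"
```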

More information about the freebsd-current mailing list