Idea about 'skeleton jail' -- desirable jail features

H. S. security at revolutionsp.com
Tue Feb 1 12:02:22 PST 2005 

In my opinion, FreeBSD is currently behind in virtual server
implementations for a few reasons;

It does not support multiple IPs in jails. Sure, there are patches, but
the one here doesn't compile on 5.3-STABLE, for example. Support
integrated into the base system would be neat. It would also be nice a
jipconfig which lets the host system root user add IPs to the jails
(perhaps a sysctl to control this behaviour? Sometimes it's not desirable
to let jail root add IPs at will, while in other situations the jails root
user is trustable and would be allowed to add IPs at will.)

Also, there was a project for 4.10 if I remember correctly about interface
virtualization, it allowed jails to have their own firewall, among other
things. I don't know if this would induce a far greater load on the system
(it would have to pass the jail firewall and then the host system), but,
it's a really nice feature.

On a totally off-topic subject, can we, faithful FreeBSD users, expect
systrace support in the future ?




> On Mon, Jan 31, 2005 at 11:13:04PM -0800, Justin Hopper wrote:
> +> We are considering open sourcing all of our stuff, to contribute back
> +> what we can to the OS that allowed us to build our entire company.  I'd
> +> really like to see what others have done to make jails more manageable,
> +> as it seems like there is so much that can be done but not many people
> +> are working on it.  It seems jails have the potential to become an
> +> incredible way to virtually partition servers, and it would not be that
> +> hard to implement solid tools for managing them.  We have things like
> +> JID-aware top and tools for automated jail builds, but it would be
> great
> +> to work with some FreeBSD heavies to finish up clean development of
> +> things like jail resource restrictions (CPU,MEM,#PROCS,etc) and perhaps
> +> a clean and universally useful way to easily configure and launch full
> +> jail environments.
>
> Yes, it would be useful (I mean CPU/MEM/#PROCS limits), but as I
> understand
> there are two kinds of opinions about jails. First is that it should be
> extended and allow to create a real virtual server and second is that it
> should be light-weight.
>
> +> Pawel had some really interesting ideas for jails, but it seems that
> +> he's too busy to work on them at the moment.  Speaking of which, his
> +> multiple IPs patch for 5.3 is still broken, and I haven't been able to
> +> find what the problem is =(
>
> Could you describe the brokeness? I've made some fixes a week or something
> ago, I just created a patch against HEAD if you want to try it:
>
> 	http://people.freebsd.org/~pjd/patches/jail_2005020101.patch
>
> There can still be some remaining issues, but I don't have time for more
> detailed tests.
>
>
> The thing that can be useful IMHO is possibility to use
> reboot(8)/shutdown(8), etc. inside a jail, but...
> I'm unfortunately too busy with other (probably less interesting, but
> profitable) projects.
>
> --
> Pawel Jakub Dawidek                       http://www.wheel.pl
> pjd at FreeBSD.org                           http://www.FreeBSD.org
> FreeBSD committer                         Am I Evil? Yes, I Am!
>

More information about the freebsd-hackers mailing list