Idea about "skeleton jail"

Justin Hopper jhopper at bsdhosting.net
Tue Feb 1 13:31:28 PST 2005


On Tue, 2005-02-01 at 11:40 +0100, Pawel Jakub Dawidek wrote:
> On Mon, Jan 31, 2005 at 11:13:04PM -0800, Justin Hopper wrote:
> +> We are considering open sourcing all of our stuff, to contribute back
> +> what we can to the OS that allowed us to build our entire company.  I'd
> +> really like to see what others have done to make jails more manageable,
> +> as it seems like there is so much that can be done but not many people
> +> are working on it.  It seems jails have the potential to become an
> +> incredible way to virtually partition servers, and it would not be that
> +> hard to implement solid tools for managing them.  We have things like
> +> JID-aware top and tools for automated jail builds, but it would be great
> +> to work with some FreeBSD heavies to finish up clean development of
> +> things like jail resource restrictions (CPU,MEM,#PROCS,etc) and perhaps
> +> a clean and universally useful way to easily configure and launch full
> +> jail environments.
> 
> Yes, it would be useful (I mean CPU/MEM/#PROCS limits), but as I understand
> there are two kinds of opinions about jails. First is that it should be
> extended and allow to create a real virtual server and second is that it
> should be light-weight.

I would definitely like to see the jails extended in a way that would
still leave them uncomplicated for people that just want to jail a
single process or create a very simple jailed environment.  I'm hoping
that all the extensions can be created in a way that will not interfere
with this.  For example, each prison can have CPU/MEM/#PROCS limits in
them, but by default they would be ignored.  We have implemented MEM and
#PROCS limits in our prison structures, but we have not settled on a
method to control them.  Currently we are using a kernel module approach
that allows the alteration of prison values, but there is no proper
locking, so it's of course not safe.

> +> Pawel had some really interesting ideas for jails, but it seems that
> +> he's too busy to work on them at the moment.  Speaking of which, his
> +> multiple IPs patch for 5.3 is still broken, and I haven't been able to
> +> find what the problem is =(
> 
> Could you describe the brokeness?

I had sent you an email about 4 weeks ago about it, but didn't hear a
response.  I also emailed the hackers list about it, but no one
responded.  There was also a Devon H. O'Dell who said that he might be
able to assist with any problems with the patch, but emails to him were
not answered either.  The problem is simply that jails cannot use
sockets.  I can forward my email with kernel trace if you do not have a
copy.

>  I've made some fixes a week or something
> ago, I just created a patch against HEAD if you want to try it:
> 
> 	http://people.freebsd.org/~pjd/patches/jail_2005020101.patch
> 
> There can still be some remaining issues, but I don't have time for more
> detailed tests.

Excellent, I'll try the patch here in a couple of minutes.  Can you tell
me what the known issues are with the patch?  Perhaps I can lend a hand
on helping to resolve them.

> The thing that can be useful IMHO is possibility to use
> reboot(8)/shutdown(8), etc. inside a jail, but...
> I'm unfortunately too busy with other (probably less interesting, but
> profitable) projects.
> 
-- 
Justin Hopper  <jhopper at bsdhosting.net>
UNIX Systems Engineer
BSDHosting.net
Hosting Division of Digital Oasys Inc.
http://www.bsdhosting.net



More information about the freebsd-hackers mailing list