Idea about "skeleton jail"
Jeremie Le Hen
jeremie at le-hen.org
Mon Jan 31 08:10:29 PST 2005
On Mon, Jan 31, 2005 at 09:39:52PM +0800, Xin LI wrote:
> Dear folks,
>
> The recent discussion about whether we should have the perl port to
> touch/install /usr/bin/perl. While I'm not interested in joining the
> discussion, it inspired me that we can make use of the fact that ports
> should not install things to "system" area and take advantage from it.
> Finally these ideas results me to hack up something that might be
> valuable to share with our users.
>
> What I am going to proposal is a concept that I call it "skeleton jail",
> or "skeljail" for short. A skel jail is something that shares most base
> system binaries/libraries with the host, through read-only mount_null's.
>
> I have already done some experiments. Basically we want the following
> directories to be mount_null'ed:
> /bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include,
> /usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share
>
> To get most of what we want the jail to do, to work, this includes
> ssh(1) and something else. Optionally, we may want to mount_nullfs a
> read-write /usr/ports/distfiles, a readonly /usr/ports, and something
> like /usr/game to be mounted into the skeljail.
>
> In order to avoid having to do something magic instead of "make
> installworld", I have a patchset against src/Makefile and
> src/Makefile.incl to make the work a bit easier. It adds a so-called
> "installskel" target that creates a skeljail that contains necessary
> directory hierarchy, and a set of /etc configuration files that will be
> useful to start the jail. The target must be used after a ``make
> buildworld''
>
> The two major benefits for the skeljail are:
> - Reduces the ordinary management cost because many base system files
> are shared, hence you patch only once to get all jails patched.
> - Reduces the space cost that needed for a newly created jail. It used
> to need about 110MB and with skeljail you will only need no more than
> 3MB.
>
> Apparantly skeljail is not suitable for those who want:
> - Run different FreeBSD releases on a single box.
> - Run ports that does touch system area.
>
> But having it doesn't hurt the ability for you to run a full jail.
>
> I have some handcrafted shell scripts to implement skeljail by having
> everything automatically mounted/dismounted. However, I think it might
> be better if we can have jail_<name>_skeljail="YES" switch in our jail
> rc.d(8) startup script. Please let me know if you are interested in the
> idea and I'll post a patch for review if there's enough people that
> wants this.
Sold ! I just use the same setup you described in order to reduce disk
usage and synchonize automatically jails with base system. It would be
indeed a great step forward for jail management IMHO.
Why don't you simply call the target "installjail" instead of
"installskel" ?
--
Jeremie Le Hen
jeremie at le-hen.org
More information about the freebsd-hackers
mailing list