vnet jails and rc-scripts

Andreas Nilsson andrnils at gmail.com
Wed Feb 27 08:31:03 UTC 2013


On Wed, Feb 27, 2013 at 5:44 AM, Jamie Gritton <jamie at freebsd.org> wrote:

> On 02/26/13 01:56, Andreas Nilsson wrote:
>
>> However I still don't get the purpose of the security.jail.param.*. Are
>> they to be set in loader.conf/sysctl.conf to influence the default config
>> of jails, or are they supposed to be per-jail (from inside the jail)
>> carriers of config? The PR seems to indicate it's not really clear.
>>
>> Also, man jail says:
>> "The current set of available parameters can be retrieved via
>> ``sysctl -d security.jail.param''. Any parameters not set will be given
>> default values, often based on the current environment. The core
>> parameters are:"
>> and then lists some. For example jid. I take that to mean that the value
>> of security.jail.param.jid from inside a jail should return the jid of the
>> jail. I just get 0. And security.jail.param.path is 1024, which is not at
>> all the path of the jail... There seems to be quite a discrepancy between
>> the manpage and the implementation.
>>
>
> The bit that the man page says is in fact the entire (user-visible) use
> for those sysctls: they're just there to show what parameters are
> available, and what types they are. Actually, they also show jail(8) the
> same thing, and that's how it knows what parameters exist.
>

Ok. I'm feeling a bit daft here: from within a jail, do they say "these
parameters can be set" or "those parameters have been set"?


> But the parameters don't actually have any useful values. Only their
> types, sizes and descriptions are valid.
>
> - Jamie
>

Ok, somewhat disappointing ;) Is there an ongoing effort to teach rc and
friends about the difference between jails and vnet jails? Or is it deemed a
security problem that a jail knows the "circumstances of its conception"?

Best regards
Andreas
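As an added example (not from this thread, and not FreeBSD's own code), here is a small POSIX sh script that treats the security.jail.param.* sysctls the way Jamie describes them: as a catalogue of parameter names, types and sizes, never as the calling jail's own values. It joins the output of `sysctl -t security.jail.param` (types) with `sysctl security.jail.param` (values), and reads the value the way jail(8) does: for a string parameter it is the maximum length, for anything else it carries no information. It assumes FreeBSD's sysctl(8) with the -t option; on any other system it falls back to the constructed sample listings embedded in the script, which are modelled on the entries mentioned above (jid, name, path, plus vnet, which is assumed to be present only on a kernel that exposes that parameter) and were not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Shows what the
# security.jail.param.* sysctls carry: names, types and (for strings) maximum
# sizes. Assumes FreeBSD sysctl(8) with -t; elsewhere it uses the samples.

# Constructed sample of `sysctl -t security.jail.param` ("name: type").
# Not captured from a host; vnet is only exposed by kernels built with VIMAGE.
SAMPLE_TYPES='security.jail.param.jid: int
security.jail.param.name: string
security.jail.param.path: string
security.jail.param.vnet: int'

# Constructed sample of `sysctl security.jail.param` ("name: value"). jid is 0
# whichever jail runs this, and the string parameters report their buffer
# size rather than any contents (path -> 1024, i.e. MAXPATHLEN).
SAMPLE_VALUES='security.jail.param.jid: 0
security.jail.param.name: 256
security.jail.param.path: 1024
security.jail.param.vnet: 0'

# escape_re NAME: make a dotted sysctl name safe inside a basic regex.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# param_value NAME VALUES: the value the sysctl reports for NAME, or empty.
param_value() {
    printf '%s\n' "$2" | sed -n "s/^$(escape_re "$1"): //p"
}

# param_catalog TYPES VALUES: emit one "name type meaning" line per entry.
param_catalog() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%%:*}
        type=${line#*: }
        value=$(param_value "$name" "$2")
        case $type in
            string) printf '%s %s max=%s\n' "$name" "$type" "$value" ;;
            *)      printf '%s %s value-not-meaningful\n' "$name" "$type" ;;
        esac
    done
}

# param_max_len NAME TYPES VALUES: maximum length of a string parameter, or
# "unknown" when NAME is not a string parameter (its value means nothing).
param_max_len() {
    line=$(param_catalog "$2" "$3" | grep "^$(escape_re "$1") string " || true)
    case $line in
        *max=*) printf '%s\n' "${line##*max=}" ;;
        *)      printf 'unknown\n' ;;
    esac
}

# live_catalog: on a FreeBSD host or jail read the real catalogue; elsewhere
# fall back to the constructed samples so the script still runs.
live_catalog() {
    if sysctl -n security.jail.jailed >/dev/null 2>&1; then
        param_catalog "$(sysctl -t security.jail.param)" \
                      "$(sysctl security.jail.param)"
    else
        param_catalog "$SAMPLE_TYPES" "$SAMPLE_VALUES"
    fi
}

live_catalog
```

The catalogue is all a process gets from these sysctls, inside or outside a jail; the values that belong to a particular jail (its jid, path, whether it has its own vnet) are read with jls(8) on the host, for example `jls -j 3 jid path vnet`.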

