rc.d/jail and jail.conf
army.of.root
army.of.root at gmail.com
Mon Apr 1 03:23:46 UTC 2013
On 2013-04-1 04:01 , Paul Schenkeveld wrote:
> On Sun, Mar 31, 2013 at 09:14:23PM +0200, Dirk Engling wrote:
>>
>> On Sun, 31 Mar 2013, Jamie Gritton wrote:
>>
>>> If you don't mind some slightly difficult error messages, you can always
>>> "disable" a jail with exec.prestart="false". jail(8) requires all
>>> commands to succeed, and in particular won't even create a jail when one
>>> of the prestart commands fails.
>>
>> This violates POLA, but failing with
>>
>> exec.prestart="echo skipping jail; exit 1"
>>
>> might work. Even though this is not a good marker from a scripting
>> perspective.
>
> Will this prevent all preparations from happening, i.e. will filesystems
> be mounted for jails disabled this way?
I've been fooling around with the new-jails.
I perceive lifecycle management of jails as a common need. External-to-jail
state is often associated with the state of the jail, e.g. firewall rules,
mounts, app level stuff, error handling, fail over etc.
* if I have N operations as prestart and their equivalent N inverse operations
as poststop, and prestart operation X (X>1) fails, the state produced by
1..X is maintained. The inverse operations for 1..X are *not* executed.
___
| This is not a criticism, the design is just quite simple. But the
| use-cases often look like this (I imagine)
* The same happens if the jail dies by it's own hand, the poststop operations
are not executed. To alter this, it would require some kind of supervisor
or event generation (devd?) to trigger the lifecycle hooks.
This could become a bit tedious cleaning up on long running many-jail hosts as
the number of stacked linprocfs/devfs/nullfs mounts raises :)
Especially if the prestart operations are not idempotent.
I assume the pre/post-start/stop exec's are not a core concern of this
interface overhaul. I do a lot of automation and integration stuff and
programmability-friendliness is much appreciated.
(I am a non-Developer in the FreeBSD context)
I find the new jail interface quite awesome! Thanks for the great work!
Best regards
>
> Although this may work, I think that this looks dirty. I'd really prefer
> a "disabled" or "noauto" keyword instead.
Maybe the various init systems have some hints about this. They've been dealing
with dependencies and starting thinks a lot longer.
>
> -- Paul Schenkeveld
More information about the freebsd-jail
mailing list