jail(8) vs. rc.d/jail features - fstab, zfs, vnet

Jamie Gritton jamie at FreeBSD.org
Fri Apr 12 00:14:49 UTC 2013


On 04/11/13 12:48, Dirk Engling wrote:
> Dear jail hackers,
>
> in my ongoing quest to understand the direction jail development is
> heading, I noticed that per-jail-fstabs are not (anymore?, yet?)
> supported by the new jail(8)-rc.d/jail2-combo. Are there official plans
> to drop the support?
>
> A nice new jail+zfs feature is the "zfs jail" command, allowing to
> attach a zfs to a jail. The way[tm] to properly use this feature is to
> first create a prison, attach the zfs file system(s) to the jid and only
> then run the exec.start command. So either jail(8) needs to be zfs aware
> and execute the zfs jail command(s) by itself, or an exec.postprestart
> command that is being passed the prison id of the new jail needs to be
> run in system context. (For shutting down and unjail-ing vice versa).
>
> The same goes with the vimage features. Most of the ways I can think of
> using vnet interfaces require some configuration in the host system
> after the vnet has been attached to the jid but before exec.start (and
> thus the jail's rc.d/netif) is executed.
>
> Since I speak C, posix and sh fluidly, I am willing to implement or help
> implementing any of the proposals in question, so do not misunderstand
> them as just demands ;)

As mentioned, fstab support is there.

I have a parameter, vnet.interface, which runs the necessary "ifconfig
... vnet" command between jail creation and exec.start. We could have a
similar parameter for zfs, or we could create another set of exec.*
parameters, which would be more flexible in the long run. But as you
hinted at with "postprestart", there doesn't seem to be a good logical
name for it.

Since the vnet.interface command exists, you could use that as a guide
for adding a "zfs" parameter. vnet.interface only does anything on jail
creation, as the interface automatically reverts to the parent on jail
removal. I don't know if the zfs stuff works the same way - if it
doesn't, then you'll need a similar "prepoststop" kind of operation.

- Jamie
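
The ordering discussed in this thread (create the prison, attach the ZFS dataset and the vnet interface from the host, and only then start the jail), as an added shell sketch that is not code from either poster or from jail(8). The function names, the DRY_RUN switch and the caller-supplied jail name, path, dataset and interface are assumptions, and running /etc/rc stands in for exec.start.

```shell
#!/bin/sh
# Added example: host-side ordering for a jail that needs a ZFS dataset and a
# vnet interface attached before anything runs inside it.
# DRY_RUN=1 (the default here) prints each command instead of executing it.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Map a jail name to its jid; dry-run mode returns the placeholder "JID".
jail_id() {
    if [ "$DRY_RUN" = 1 ]; then echo "JID"; else jls -j "$1" jid; fi
}

# start_jail NAME PATH DATASET IFACE   (all four values are caller-supplied)
start_jail() {
    name=$1; path=$2; dataset=$3; iface=$4
    # 1. Create the prison with no processes in it ("persist").
    run jail -c vnet persist "name=$name" "path=$path" || return 1
    jid=$(jail_id "$name") || return 1
    # 2. Host context, after creation and before start: attach resources.
    #    On failure, undo what was done so no half-configured jail is left.
    run zfs jail "$jid" "$dataset" || { run jail -r "$jid"; return 1; }
    run ifconfig "$iface" vnet "$jid" || {
        run zfs unjail "$jid" "$dataset"; run jail -r "$jid"; return 1
    }
    # 3. Only now run the jail's start command (stand-in for exec.start).
    run jexec "$jid" /bin/sh /etc/rc
}

# stop_jail NAME DATASET: reverse order. The interface is not touched because,
# per the message above, it reverts to the parent when the jail is removed.
stop_jail() {
    name=$1; dataset=$2
    jid=$(jail_id "$name") || return 1
    run jexec "$jid" /bin/sh /etc/rc.shutdown
    run zfs unjail "$jid" "$dataset"
    run jail -r "$jid"
}
```

With DRY_RUN=0 the same functions execute the commands on a FreeBSD host as root.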

