[PATCH FOR REVIEW] Implementation of skeleton jail
Dirk Engling
erdgeist at erdgeist.org
Sat May 20 08:01:13 PDT 2006
Xin LI wrote:
> Here is an implementation of what I call "skeleton jail". The idea
> is that it is more or less common that we do not want to actually
> copy the base system (sometimes even other stuff) across zillions of
> jails.
Nice idea, you might want to check my thoughts on that in the
ezjail-project page [1].
> For instance, by default the skeleton jail would mount the following
> directories from the skeleton root (/) to the jail:
>
> bin -> ${_root}/bin
> sbin -> ${_root}/sbin
> lib -> ${_root}/lib
> libexec -> ${_root}/libexec
> usr/bin -> ${_root}/usr/bin
> usr/sbin -> ${_root}/usr/sbin
> usr/include -> ${_root}/usr/include
> usr/lib -> ${_root}/usr/lib
> usr/libdata -> ${_root}/usr/libdata
> usr/libexec -> ${_root}/usr/libexec
> usr/sbin -> ${_root}/sbin
> usr/share -> ${_root}/share
The complete set of sharable files in a FreeBSD system is
bin boot lib libexec rescue sbin usr/bin usr/games usr/include usr/lib
usr/libdata usr/libexec usr/sbin usr/src usr/share
and probably usr/lib32 for amd64 machines.
> There are four variables that can be set in either system level default
> or per-jail way:
>
> - _skel_enable
> Whether to raise the jail from a skeleton root. The default is NO
> - _skel_root
> The place of skeleton root. The default is "/"
> - _skel_romounts
> Which directories (relative to the skeleton root) should be mounted
> read-only to the skeleton jail. The default is shown above.
> - _skel_rwmounts
> Which directories (relative to the skeleton root) should be mounted
> read-write to the skeleton jail. The default is nothing, but a
> potential useful option might be "/usr/ports", except for security
> concerns.
Why would you want to reinvent the wheel? What does this offer that
/etc/fstab.<Jailname> won't offer you?
You can simply add lines of the type

    /bin /JAILROOT/bin nullfs ro 0 0
    /sbin /JAILROOT/sbin nullfs ro 0 0
    ...

there and /etc/rc.d/jail will take care of the rest.
The problem with FreeBSD jails at the moment is not that you can't
automatically start them, rather that it is quite hard to manage them.
Adding lots of lines to your /etc/rc.conf for each jail seems like a bad
move.
I'd rather suggest adding a /etc/jails directory (similar to ezjail's
/usr/local/etc/ezjail) containing configs for your jails to make them
more easily manageable. Additionally a script to create and manage those
configs, the fstabs and, of course, the JAILROOTs will be needed.
Further: there's no need to mount /usr/ports rw. If you alter your
make.conf to contain

    WRKDIRPREFIX= /var/ports
    DISTDIR= /var/ports/distfiles
    PACKAGES= /var/ports/packages

you can mount ports ro. If you want to share your distfiles through the
jails, you can mount /var/ports/distfiles rw and still keep the
checksums safe within /usr/ports/.
However I implemented a lot of those ideas in the ezjail-project and if
no one complains I might try to provide a patch to move it into the base
system.
Regards,
erdgeist
[1] http://erdgeist.org/arts/software/ezjail/
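Added example, not part of the original message and not ezjail code: a sketch of the /etc/fstab.<jailname> approach described in the reply, generating read-only nullfs lines for the sharable directories listed there (plus /usr/ports ro and /var/ports/distfiles rw) and auditing an fstab for nullfs mounts that are not read-only. The function names and the jail root path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build and audit /etc/fstab.<jailname> for a jail that shares
# the host base system through read-only nullfs mounts.
# Usage (constructed path): gen_jail_fstab /usr/jails/www > /etc/fstab.www

# Sharable directories as listed in the message (usr/lib32 is amd64-only).
SHARED_DIRS="bin boot lib libexec rescue sbin usr/bin usr/games usr/include
usr/lib usr/libdata usr/libexec usr/sbin usr/src usr/share"

# gen_jail_fstab JAILROOT
# Prints one nullfs line per shared directory, always read-only, then
# /usr/ports read-only and /var/ports/distfiles read-write.
gen_jail_fstab() {
    jailroot=$1
    case $jailroot in
        /*) ;;
        *) echo "jail root must be an absolute path" >&2; return 1 ;;
    esac
    # Whitespace or other odd characters would corrupt the fstab fields.
    case $jailroot in
        *[!A-Za-z0-9/._-]*) echo "unsafe character in jail root" >&2; return 1 ;;
    esac
    for d in $SHARED_DIRS usr/ports; do
        printf '%s\t%s\tnullfs\tro\t0\t0\n' "/$d" "$jailroot/$d"
    done
    printf '%s\t%s\tnullfs\trw\t0\t0\n' \
        /var/ports/distfiles "$jailroot/var/ports/distfiles"
}

# audit_jail_fstab: reads fstab lines on stdin and prints every nullfs mount
# lacking the "ro" option, except the shared distfiles directory.
# Exit status is 1 if any such line was found.
audit_jail_fstab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $3 == "nullfs" && $1 != "/var/ports/distfiles" {
            n = split($4, opts, ","); ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}
```

A shared base directory mounted rw would let a process inside one jail alter binaries used by the host and every other jail, which is the case the audit function reports.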