[PATCH FOR REVIEW] Implementation of skeleton jail

Xin LI delphij at delphij.net
Sat May 20 08:45:36 PDT 2006 

Hi, Dirk,

在 2006-05-20六的 17:01 +0200,Dirk Engling写道:
[snip]
> > usr/sbin     -> ${_root}/sbin
> > usr/share    -> ${_root}/share
> 
> The complete set of sharable files in a FreeBSD system is
> 
> bin boot lib libexec rescue sbin usr/bin usr/games usr/include usr/lib
> usr/libdata usr/libexec usr/sbin usr/src usr/share
> 
> and probably usr/lib32 for amd64 machines.

I will take these into account.  However, it looks like that having
boot/ and rescue/ mounted is not useful for general use, though.

> Why would you want to reinvent the wheel? What does this offer that
> /etc/fstab.<Jailname> wont offer you?
> 
> You can simply add lines of the type
> 
> /bin	/JAILROOT/bin	nullfs	ro	0	0
> /sbin	/JAILROOT/sbin	nullfs	ro	0	0
> ...
> 
> there and /etc/rc.d/jail will take care of the rest.

The story was long.  The "skeljail" is actually being used at my company
before _mount options appeared.

While the per-jail fstab already gives a general way of mounting stuff
into the jail, it would become a headache when you have to manage a
hundred of jails that utilizes the same skel_fstab that is different
only in the mountpoint, especially when you are upgrading the system
which brings a new directory to the distribution.  Moreover, IMHO, the
configuration files should contain common settings as less as possible,
and we should provide common mechanism to handle these, it is especially
error-prone when you have more than a dozen of "system level settings"
while only have 1 or 2 "user settings" in one single file.

> The problem with FreeBSD jails in the moment is not, that you can't
> automatically start them, rather that it is quite hard to manage them.
> Adding lots of lines to your /etc/rc.conf for each jail seems like a bad
> move.
>
> I'd rather suggest adding a /etc/jails directory (similar to ezjails
> /usr/local/etc/ezjail) containing configs for your jails to make them
> easier managable. Additionally a script to create and manage those
> configs, the fstabs and, of course, the JAILROOTs will be needed.

I think this is a good idea.

> Futher: there's no need to mount /usr/ports rw. If you alter your
> make.conf to contain
> 
> WRKDIRPREFIX=           /var/ports
> DISTDIR=                /var/ports/distfiles
> PACKAGES=               /var/ports/packages
> 
> you can mount ports ro, if you want to share your distfiles through the
> jails, you can mount /var/ports/distfiles rw and still keep the
> checksums safe within /usr/ports/.

Actually I am aware of this, perhaps the example provided is just not
that well-thought :-)

> However I implemented a lot of those ideas in the ezjail-project and if
> noone complains I might try to provide a patch to move it into the base
> system.

I will take a closer look at your project and see if we can bring some
part or the whole thing to FreeBSD.  Thanks.

Cheers,
-- 
Xin LI <delphij delphij net>    http://www.delphij.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: =?UTF-8?Q?=E8=BF=99=E6=98=AF=E4=BF=A1=E4=BB=B6=E7=9A=84=E6=95=B0?=
	=?UTF-8?Q?=E5=AD=97=E7=AD=BE=E5=90=8D=E9=83=A8=E5=88=86?=
Url : http://lists.freebsd.org/pipermail/freebsd-rc/attachments/20060520/288849b8/attachment.pgp

More information about the freebsd-rc mailing list