svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail

James Gritton jamie at freebsd.org
Tue Feb 4 13:49:51 UTC 2014


On 2/4/2014 6:23 AM, Julian Elischer wrote:
> On 2/4/14, 3:40 PM, Robert N. M. Watson wrote:
>> On 3 Feb 2014, at 23:53, Doug Ambrisko <ambrisko at ambrisko.com> wrote:
>>
>>> It's unfortunate that vimage requires jail.  I want to use vimage but
>>> not have the security restrictions of a jail.  To do this I patched
>>> jail to basically let everything through.  It would be nice to be
>>> able to run jail in an insecure mode which I understand is a
>>> contradiction.
>>> I do use the jail infrastructure to set the uname*/getosreldate so
>>> that a specific jail thinks it is FreeBSD version blah.  Then I can ssh
>>> into that jail and pkg_add things, make ports etc.  I use this on
>>> my laptop running current on the base.  My other jails run various
>>> versions of FreeBSD.  I don't care about security in this case.
>
> vimage was not originally tied to jails. I can't remember why we 
> decided to do that :-)

Leaving the smiley aside for the present, I remember that one - and
it's closely tied to this discussion.  It was part of this more
flexible vision of jails that had added features, of which security
was just one (optional) part.  I thought of them as a more general
encapsulation framework as needs would arise.

Vimage was one of those needs.  Marko Zec had originally implemented
it with its own set of containers that ran parallel with jails,
partially implementing some parts of jail but only well enough for the
proof-of-concept of his networking idea.  One thing vimage had going
for it was hierarchies, which allowed one virtual network to exist
encapsulated inside another, and that's how jails themselves became
hierarchical.  It was a requirement for Marko to agree to allow his
own vimage-only encapsulation to be subsumed inside jails.

Perhaps all that is what the smiley meant, but it's good to have a
little history every now and then.

- Jamie
