Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Mar 2005 21:31:35 +0000
From:      Chris Hodgins <christopher.hodgins@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Idea about 'skeleton jail
Message-ID:  <63c3899e05031413311b453715@mail.gmail.com>
In-Reply-To: <4235EF24.5060804@cis.strath.ac.uk>
References:  <4235EF24.5060804@cis.strath.ac.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
Not sure if this has already made it to the mailing list or not.  My
uni email account has started blocking email inbound and outbound to
the freebsd servers.  If I have missed anything since the post I am
replying to I would appreciate if it could be forwarded on to me at
this address...thanks :)  A few more comments below. :)

Anish Mistry wrote:
> On Monday 14 March 2005 10:15 am, Samuel J. Greear wrote:
>
>>On Sunday 13 March 2005 14:24, Anish Mistry wrote:
>>
>>>On Sunday 13 March 2005 01:23 pm, Chris Hodgins wrote:
>>>
>>>>Samuel J. Greear wrote:
>>>>
>>>>>Not a bad 'idea' at all, although I won't comment on
>>>>>semantics. I had something implemented using fs stacking (in
>>>>>a very hackish way, and I believe it's lost now, so don't ask
>>>>>to see it...) to implement per-jail quota's that seemed to
>>>>>work quite well.
>>>>>
>>>>>Sam
>>>>
>>>>Feel free to comment on the semantics.  As I said before, I am
>>>>not very knowledgable about filesystems and any insight or
>>>>alternative implementation you can provide would be interesting
>>>>I'm sure to everyone.
>>>
>>>Yeah, if there was jailfs that was setup automatically for the
>>>jails that supported quotas out of the box that would kill my
>>>major gripe about setting up jails.
>>
>>Chris, your concept looks reasonable to me. I think I would
>>probably do something along those lines but borrow some idea's from
>>my 'jail-build' script.  It has the concept of both includes and
>>excludes, but it also handles another directory for what I call
>>overrides.  My overrides directories are per-jail and typically
>>include nothing more than config. files, but it works pretty
>>handily.  The overrides may best be implemented in a seperate
>>layer...  and I don't even know that I would call something like
>>this a jailfs, more like a globfs or something...  I can see
>>potential uses beyond jails.
>>

I like the idea of the overrides directory.  That would work nicely.  If
you made the overrides directory the actual jail root that might make
sense.  Then when the [jail|glob]fs is mounted it will simply choose the
file in the jail root directory instead of the one on the normal file
system.

If we implemented a sort of copy of write architecture we could add to
the exceptions list on the fly.  That is everything from the host
(everything allowed by the config file that is) is available as a copy
of the host system.  When you edit a file, the filesystem simply creates
its own copy for the overrides directory and we edit that.  That would
be very neat. Imagine that working on the ports system!! :)  What do you
think?

>>The reasons that I never finished implementing my jailfs with quota
>>support were primarily, that stackable filesystems seem to be
>>somewhat of a black-art.  Secondarily, I concluded that the time
>>would be better spent implementing filesystem agnostic quota's in
>>the vfs layer.  A proper design should enable you to do a lot of
>>fun things, I was thinking something along the lines of just a
>>simple aggregator that a module could hand function pointers to and
>>register interest in events, with options like..  just-notify-me
>>and dont-continue-without-my-approval. Throw in some helpers for
>>synchronizing module state to disk. The kernel side of this
>>shouldn't really be very hard, but all of the userland quota
>>utilities would need to be rewritten as they are tied to UFS at the
>>block level.  This all from about 3 years ago, and I haven't
>>implemented any of it.  I rock!

Sounds, very interesting.

>>
>>Sam
>
> Would you be able to write up some design specs for getting all this
> done?  This might be a prime example of something to try to get
> funding for development.
>

I would be willing to donate some time to work on designing and building
this.  Especially if working with someone who knows a lot more about
filesystems than me. :)

Chris



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?63c3899e05031413311b453715>