From owner-freebsd-arch@FreeBSD.ORG Thu Jun 8 10:37:52 2006
From: Alex Lyashkov
To: Julian Elischer
Cc: Robert Watson, freebsd-arch@freebsd.org
Subject: Re: jail extensions
Date: Thu, 08 Jun 2006 12:01:30 +0300
Organization: Positive Software
Message-Id: <1149757290.3222.44.camel@berloga.shadowland>
In-Reply-To: <4486EBBD.3090404@elischer.org>
References: <1149610678.4074.42.camel@berloga.shadowland> <448633F2.7030902@elischer.org> <20060607095824.W53690@fledge.watson.org> <200606070819.04301.jhb@freebsd.org> <4486E41B.4000003@elischer.org> <1149692184.3224.208.camel@berloga.shadowland> <4486EBBD.3090404@elischer.org>
On Wed, 07.06.2006, at 18:07, Julian Elischer wrote:
> Alex Lyashkov wrote:
>
> >> Marco's work is somewhat similar. All globals related to the network are moved to structures that can be duplicated.
> >>
> >> The base system also uses this structure so that in effect the base system is just another instance of the virtual machines. The biggest obstacle is that the 4.x based version just put everything into one structure, meaning that it only worked when all the components affected were compiled into the kernel. None of them could be implemented as a loadable kernel module. This has become much more important in 6.x.
> >>
> >> There is a way to allow this to work but it would require that we implement a kernel version of the idea used for TLS (Thread Local Storage), so that modules being loaded could be added to all the existing VMs and new VMs could get instances of all loaded modules (and so that a module could not be unloaded until all VMs have destroyed their instance).
> >
> > It can be created easily. Each module can have its own private data and register init/destroy methods, similar to the SYSINIT macro. The prison will need an added array to store pointers to module data. Yes, it possibly needs more memory, but it is easy to implement.
>
> "Easy" if you are writing something from scratch and you want it to not be able to be compiled the old way too.

What do you mean by 'old way'?
I think a module will have two ways to init: one for the old SYSINIT(), which calls module_init(&prison0), and an additional JAILINIT(), which calls module_init(struct prison *) to init the private data for new prisons.

For dynamically loaded modules there can be two ways:

1) If a module is loaded, init private data only for prison0 and wait for 'kldload' from other contexts, where module_init(struct prison *) is called. This way we simulate 'kldload' for modules.

2) In the MOD_LOAD case, run a loop over each prison and init the private data for this module in all contexts. This way the module always 'exists' in all contexts.

And disable module compiling (loading) when the module is not marked jail safe.

-- 
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
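A user-space model of the scheme discussed in this thread, added here as an example and not code from FreeBSD or from either poster: each module registers per-prison init/destroy callbacks (the JAILINIT idea), each prison carries an array of per-module data pointers, a module load follows Alex's second variant (loop over every existing prison and init the module's data there, refusing a module not marked jail safe), a new prison gets an instance of every loaded module, and an unload is refused until every prison has destroyed its instance, as the quoted text requires. All names (jail_module, prison_create, module_load, counter_mod, ...) are hypothetical and constructed for the example.

```c
/* Added example, not FreeBSD kernel code: a user-space model of the design in
 * the message above. All names (jail_module, prison_create, module_load,
 * counter_mod, ...) are hypothetical and constructed for the example. */
#include <stdlib.h>

#define MAX_MODULES 8
#define MAX_PRISONS 8

struct prison {
    int alive;
    void *moddata[MAX_MODULES];   /* per-module private data, one slot per module */
};

struct jail_module {
    int (*init)(struct prison *, void **);    /* JAILINIT-style per-prison init */
    void (*destroy)(struct prison *, void *); /* matching destroy */
    int jail_safe;                            /* only jail-safe modules may load */
};

static struct prison prisons[MAX_PRISONS];
static const struct jail_module *modules[MAX_MODULES]; /* NULL = not loaded */

/* Release one module's instance in one prison (a per-context kldunload). */
void prison_release_module(int pi, int slot)
{
    if (prisons[pi].moddata[slot] == NULL || modules[slot] == NULL) return;
    modules[slot]->destroy(&prisons[pi], prisons[pi].moddata[slot]);
    prisons[pi].moddata[slot] = NULL;
}

/* Destroy a prison: every module's private data is destroyed first. */
void prison_destroy(int pi)
{
    for (int slot = 0; slot < MAX_MODULES; slot++) prison_release_module(pi, slot);
    prisons[pi].alive = 0;
}

/* Create a prison with an instance of every module already loaded, so a new
 * context sees all loaded modules. Returns the prison index, or -1. */
int prison_create(void)
{
    int pi = 0;
    while (pi < MAX_PRISONS && prisons[pi].alive) pi++;
    if (pi == MAX_PRISONS) return -1;
    prisons[pi].alive = 1;
    for (int slot = 0; slot < MAX_MODULES; slot++) {
        if (modules[slot] == NULL) continue;
        if (modules[slot]->init(&prisons[pi], &prisons[pi].moddata[slot]) != 0) {
            prison_destroy(pi);   /* unwind the instances created so far */
            return -1;
        }
    }
    return pi;
}

/* Number of prisons still holding an instance of a module. */
int module_refs(int slot)
{
    int n = 0;
    for (int pi = 0; pi < MAX_PRISONS; pi++) n += prisons[pi].moddata[slot] != NULL;
    return n;
}

/* MOD_LOAD, second variant from the message: refuse a module that is not
 * marked jail safe, then init its private data in every existing prison. */
int module_load(int slot, const struct jail_module *m)
{
    if (!m->jail_safe || modules[slot] != NULL) return -1;
    modules[slot] = m;
    for (int pi = 0; pi < MAX_PRISONS; pi++) {
        if (!prisons[pi].alive) continue;
        if (m->init(&prisons[pi], &prisons[pi].moddata[slot]) != 0) {
            while (pi-- > 0) prison_release_module(pi, slot);  /* unwind */
            modules[slot] = NULL;
            return -1;
        }
    }
    return 0;
}

/* MOD_UNLOAD: refused until every prison has destroyed its instance. */
int module_unload(int slot)
{
    if (modules[slot] == NULL || module_refs(slot) > 0) return -1;
    modules[slot] = NULL;
    return 0;
}

/* Constructed example module: a per-prison integer counter. */
static int counter_init(struct prison *pr, void **datap)
{
    (void)pr;
    return (*datap = calloc(1, sizeof(int))) == NULL ? -1 : 0;
}
static void counter_destroy(struct prison *pr, void *data) { (void)pr; free(data); }
const struct jail_module counter_mod = { counter_init, counter_destroy, 1 };
const struct jail_module unsafe_mod  = { counter_init, counter_destroy, 0 };

int counter_bump(int pi, int slot) { return ++*(int *)prisons[pi].moddata[slot]; }
```

The slot index plays the role of the per-module position in the prison's pointer array; loading into a slot already in use, loading a module not marked jail safe, and unloading while any prison still holds an instance all return -1, so the failure modes the thread raises are visible as return values rather than silent state.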