From owner-freebsd-jail@freebsd.org Thu Sep 13 13:11:15 2018
Date: Thu, 13 Sep 2018 09:11:08 -0400
From: "Michael W. Lucas"
To: freebsd-jail@freebsd.org
Subject: does anyone use these any more?
Message-ID: <20180913131108.GA899@mail.michaelwlucas.com>
List-Id: "Discussion about FreeBSD jail\(8\)"

Hi,

Context: I'm writing a book on jails on FreeBSD.

There's a few options that I can't figure out why anyone would use
them. Does anyone use any of these any more, or are they leftovers
from the primordial jail era?

If you do use any of these on FreeBSD 11+, would you mind saying why
and how?

allow.dying - it's not dying very long, why make changes?
persist - why keep it around?

exec.jail_user, exec.system_user -lots of permissions problems

exec.system_jail_user - use a system uid inside the jail, why?

Thanks,
==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...

From owner-freebsd-jail@freebsd.org Thu Sep 13 13:26:58 2018
Date: Thu, 13 Sep 2018 15:26:55 +0200
From: Milan Obuch
To: freebsd-jail@freebsd.org
Subject: Re: does anyone use these any more?
Message-ID: <20180913152655.2e85c29e@zeta.dino.sk>
In-Reply-To: <20180913131108.GA899@mail.michaelwlucas.com>

On Thu, 13 Sep 2018 09:11:08 -0400
"Michael W. Lucas" wrote:

> Hi,
>
> Context: I'm writing a book on jails on FreeBSD.
>
> There's a few options that I can't figure out why anyone would use
> them. Does anyone use any of these any more, or are they leftovers
> from the primordial jail era?
>
> If you do use any of these on FreeBSD 11+, would you mind saying why
> and how?
>
> allow.dying - it's not dying very long, why make changes?
> persist - why keep it around?

I think this is useful for vnet jails, aka VIMAGE.

Milan

> exec.jail_user, exec.system_user -lots of permissions problems
>
> exec.system_jail_user - use a system uid inside the jail, why?
>
> Thanks,
> ==ml
>

From owner-freebsd-jail@freebsd.org Thu Sep 13 14:35:06 2018
From: "Isaac (.ike) Levy"
To: freebsd-jail@freebsd.org
Date: Thu, 13 Sep 2018 10:35:02 -0400
Subject: Re: does anyone use these any more?
Message-Id: <1536849302.1027204.1506933680.463B23E5@webmail.messagingengine.com>
In-Reply-To: <20180913131108.GA899@mail.michaelwlucas.com>

Hi MWL,

On Thu, Sep 13, 2018, at 9:11 AM, Michael W. Lucas wrote:
> Hi,
>
> Context: I'm writing a book on jails on FreeBSD.

CAN'T WAIT.

>
> There's a few options that I can't figure out why anyone would use
> them. Does anyone use any of these any more, or are they leftovers
> from the primordial jail era?
>
> If you do use any of these on FreeBSD 11+, would you mind saying why
> and how?

I'm answering based on much use/abuse of jail(8) over the years, but big caveat: I've never *used* the features you're asking about in any meaningful way.

>
> allow.dying - it's not dying very long, why make changes?
> persist - why keep it around?

So use for this is somewhat nuanced, IMHO.
When running hosts with many jailed systems, or jailed processes which are hogging/pegging the system, or hardware which is flaky or nondeterministically performant, jails can take their sweet time to start or stop. (I mean long time even without large exec.stop or exec.poststop or exec.prestop or exec.clean etc...). The system may simply be busy.

Now, real world problem I've had:

- large scale jailed host with active healthy jailed systems doing stuff
- I go to kill a jail running a web server (and for whatever reason, I want it to stop serving http asap)
- The jail takes its sweet time and appears hung, (it's not), as it comes down slow- STILL SERVING THE http)

In this case, because the jailed process tree is in the process of being torn down, killing that http server can get, um, *messy*.

Messy like:

- Do I really want to kill the jailed pid straight from the host? (What if I make a mistake and kill some other jail's httpd?)
- Do I have some security context whereby I do not want to even manipulate the jailed process directly? (e.g. risk of jailed process causing harm by running kill(1) from the jailing host)

So, I'd assume, "allow.dying" lets us jexec into the jail after the process tree is in the process of being destroyed, so we can cleanly do stuff to the jail as it dies.

Real world: I've never even thought to use this "allow.dying" feature, but I do certainly its intent as useful.

>
> exec.jail_user, exec.system_user -lots of permissions problems

Not sure, I've frankly never understood these, they seem antithetical to everything I find powerful about jailing, (combining with base utilities which everyone cares about maintaining- not features that "jail people" care about). Using su(1) in the jailed process tree is frankly something I trust, (shouldn't we all?)

I'd love to hear a good case for these, (or love to see them go away).

>
> exec.system_jail_user - use a system uid inside the jail, why?

Bigsigh.
So this gets into more "but jail, but not jail" stuff which I don't really understand (or like). Yet, I think I know why it happened: chroot(2) doesn't have the great socket/other process features which jail(2) has, and jail(8) can certainly be used much like one would use chroot. So, for that person who *really* wants chroot(8), but wants some feature from jail(2), they can jail(8) and use host system users (in assumed absence of any /etc/passwd in the jail).

To me, this stuff which crosses the line between host and jail, totally goes against what I love about the simplicity in isolation of jailed systems, but I'm certain someone out there has an excellent and powerful mastery of using jail(8) to replace their uses of chroot(8) to some great effect.

Hope my rambling here is useful-

Best,
.ike

>
> Thanks,
> ==ml

From owner-freebsd-jail@freebsd.org Thu Sep 13 15:45:53 2018
From: Oleg Ginzburg
Date: Thu, 13 Sep 2018 18:45:51 +0300
Subject: Re: does anyone use these any more?
To: "Michael W. Lucas", freebsd-jail@freebsd.org

Hi,

(sorry, I am not a member of freebsd-jails ML)

mwlucas > https://lists.freebsd.org/pipermail/freebsd-jail/2018-September/003619.html
mwlucas > persist - why keep it around?

One case of persist in CBSD (as example) for many years is ability to ZFS attach and interface renaming for vnet-based jails without 'post-execution' script: https://github.com/cbsd/cbsd/blob/11.2.1/tools/makejconf#L95

Without persist mode, jail was created and execute script atomically and without interruption (you can not insert between creating a container and /etc/rc start sequence anything that you need, for example: 'zfs attach' or rename epairXXX to eth0 )

With persist mode, CBSD created jail in the following scenario:

1) jail -c (create jail) in persist mode ( with empty exec.start script )
2) exec inside jail something (zfs attach, /sbin/ifconfig ... ), what you need to do before launching /etc/rc -> /etc/rc.d/*
3) execute normal /etc/rc sequence

in this way, /etc/rc.d/zfs can mount ZFS on 'start' stage without execution from CBSD wrapper 'late' commands after jail start, e.g ( jexec X /sbin/zfs mount + restart all services ))

Perhaps because of a misunderstanding of this option, exec.created hook was created in FreeBSD 12-HEAD ;-): https://lists.freebsd.org/pipermail/freebsd-jail/2018-August/003616.html

With exec.create, the 'persist' option is no longer so relevant as before.

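The three-step persist bring-up described in the message above, written out as an added shell example; it is not part of the thread and is not CBSD's code. The jail name, path, epair interface and dataset are hypothetical, "zfs attach" is assumed to mean `zfs jail`, and the allow.mount parameters are an assumption about what a jailed ZFS mount needs.

```shell
#!/bin/sh
# Added example (not from the thread or from CBSD): staged start of a vnet
# jail with 'persist'. Jail name, path, epair and dataset are hypothetical.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs it as root on FreeBSD.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain jail names, so a value such as "-r" is never parsed
# as an option by jail(8) or jexec(8).
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Remove the half-built jail and report failure.
abort_bringup() {
    echo "bring-up of $1 failed, removing jail" >&2
    run jail -r "$1"
    return 1
}

# persist_bringup NAME PATH EPAIR DATASET
persist_bringup() {
    name=$1; path=$2; epair=$3; dataset=$4
    valid_name "$name" || { echo "bad jail name: $name" >&2; return 64; }

    # 1) Create the jail with no exec.start; 'persist' keeps it alive
    #    although no process runs in it yet.
    run jail -c "name=$name" "path=$path" "host.hostname=$name" \
        persist vnet "vnet.interface=$epair" \
        allow.mount allow.mount.zfs enforce_statfs=1 || return 1

    # 2) Work that must be finished before rc starts. "zfs attach" in the
    #    message is taken to mean 'zfs jail', which runs on the host.
    run zfs jail "$name" "$dataset" || { abort_bringup "$name"; return 1; }
    run jexec "$name" /sbin/ifconfig "$epair" name eth0 ||
        { abort_bringup "$name"; return 1; }

    # 3) Normal rc sequence; /etc/rc.d/zfs now finds the dataset and the
    #    services see the interface under its final name.
    run jexec "$name" /bin/sh /etc/rc || { abort_bringup "$name"; return 1; }
}
```
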
From owner-freebsd-jail@freebsd.org Thu Sep 13 19:11:44 2018
From: "Kristof Provost"
To: "Michael W. Lucas"
Cc: freebsd-jail@freebsd.org
Subject: Re: does anyone use these any more?
Date: Thu, 13 Sep 2018 21:11:40 +0200
In-Reply-To: <20180913131108.GA899@mail.michaelwlucas.com>

On 13 Sep 2018, at 15:11, Michael W. Lucas wrote:
> Context: I'm writing a book on jails on FreeBSD.
>
> There's a few options that I can't figure out why anyone would use
> them. Does anyone use any of these any more, or are they leftovers
> from the primordial jail era?
>
> If you do use any of these on FreeBSD 11+, would you mind saying why
> and how?
>
> allow.dying - it's not dying very long, why make changes?
> persist - why keep it around?
>

The pf tests (/usr/src/tests/sys/netpfil/pf) use persisted vnet jails to test pf. They set up jails with varying configurations and throw traffic at them. There’s no need for any process to be running in the jail. The relevant part is the network configuration.

Regards,
Kristof

From owner-freebsd-jail@freebsd.org Fri Sep 14 08:45:23 2018
Date: Fri, 14 Sep 2018 10:44:52 +0200
Message-ID: <20180914104452.Horde.LO19bmX4iYFEelx2yJSI8fw@webmail.leidinger.net>
From: Alexander Leidinger
To: Oleg Ginzburg
Cc: "Michael W. Lucas", freebsd-jail@freebsd.org
Subject: Re: does anyone use these any more?

Quoting Oleg Ginzburg (from Thu, 13 Sep 2018 18:45:51 +0300):

> With persist mode, CBSD created jail in follow scenario:
>
> 1) jail -c (create jail) in persist mode ( with empty exec.start script )
> 2) exec inside jail something (zfs attach, /sbin/ifconfig ... ), what
> you need to do before launching /etc/rc -> /etc/rc.d/*
> 3) execute normal /etc/rc sequence
>
> in this way, /etc/rc.d/zfs can mount ZFS on 'start' stage without
> execution from CBSD wrapper 'late' commands after jail start, e.g (
> jexec X /sbin/zfs mount + restart all services ))
>
> Perhaps because of a misunderstanding of this option, exec.created
> hook was created in FreeBSD 12-HEAD ;-):

You could also call exec.created to be a much cleaner solution to this problem which also allows to do something like this with the base system only without the need for replacements for the jail rc scripts (additionally it makes it more easy for 3rd party jail management tools).

> https://lists.freebsd.org/pipermail/freebsd-jail/2018-August/003616.html

Note, the MFC to 11 of this is on my TODO list.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF