Date:      Wed, 07 Jul 2010 16:11:40 -0600
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        Harald Schmalzbauer <h.schmalzbauer@omnilan.de>, freebsd-jail@FreeBSD.org
Subject:   Re: selective jail restriction controlling in rc.conf
Message-ID:  <4C34FB9C.8020404@FreeBSD.org>
In-Reply-To: <4C30B26D.2010202@omnilan.de>
References:  <4C2EEF3E.2010008@omnilan.de> <4C2EF065.2020208@omnilan.de>	<20100703145827.E14969@maildrop.int.zabbadoz.net> <4C30B26D.2010202@omnilan.de>

On 07/04/10 10:10, Harald Schmalzbauer wrote:
> Dear freebsd-jail fellows,
>
> I haven't known of that list yet, nor am I subscribed, but I did some
> work for me to extend rc.d/jail to accomplish some of my needs and
> I'd like to share it.
> I don't have much knowledge to join serious development, I'm just
> "playing". But I'm sure you can understand my intention of the patch and
> maybe take some idea.
>
> Here's my original post to freebsd-stable@:
>
> I very much liked the possibility to easily manage jails via rc.conf.
> Unfortunately I was missing some features.
> First, there are many security.jail.allow_* sysctls which didn't get
> attention.
> Second; I needed to allow different things on different jails. For
> example only one distinct jail should have SysV IPC.
>
> Please find attached a patch which extends rc.d to my needs.
> Some jail_start() modifications were necessary and some cleanups could
> be done in the "Configuring jails:" section (not needed any more) and in
> the _ip_multi processing, since that's not needed any more.
> One has to separately define ip4 and ip6 addresses. They can be with or
> without mask, single or comma-separated list, doesn't matter, thanks
> to the jail_handle_ips_option() coder, it just works :)

The new jail(8) syntax is able to handle your second concern, allowing
features on only some jails. I'm currently working on an update that
will use a jail.conf file instead of the rc-based shell variables
currently in use; because of that, there are no plans to keep hacking on
the rc variables. As for the first concern, the sysctl.jail.allow_*
sysctls, those are obsoleted by the new jail system as well. While they
will continue to exist in the (at least near) future, they're being
deprecated for just the reason you mention, that they don't allow
per-jail control.

- Jamie
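As an added illustration, not part of Jamie's message or of the FreeBSD project's own files: this is what the per-jail control he describes looks like in the jail.conf(5) syntax that later shipped with jail(8). The jail names, paths and addresses are made up for the example; the parameter names (allow.sysvipc, ip4.addr, ip6.addr, exec.start, path, host.hostname, mount.devfs) are the real jail(8) parameters.

```conf
# Constructed example /etc/jail.conf (assumed layout, not from the thread).
# Parameters outside a jail block are defaults for every jail; each jail
# can add or override parameters. That is the per-jail control the old
# global security.jail.allow_* sysctls could not express.

exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";                 # $name expands to the jail's name
host.hostname = "$name.example.net";

# Anything not enabled here keeps its default; allow.sysvipc and
# allow.raw_sockets are off unless a jail turns them on.

www {
    ip4.addr = 192.0.2.10;
    ip6.addr = 2001:db8::10;
}

# Only this jail gets System V IPC, the case the original poster needed.
db {
    ip4.addr = 192.0.2.11, 192.0.2.12; # comma-separated lists are accepted
    ip6.addr = 2001:db8::11;
    allow.sysvipc;                     # boolean parameter: present means on
}
```

With such a file, `jail -c db` creates only the db jail, and `jls -j db -n allow.sysvipc` shows the setting on that jail alone; `sysctl security.jail.param` lists every jail parameter the running kernel understands, which is the per-jail replacement for reading the global security.jail.allow_* sysctls.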



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C34FB9C.8020404>