Date: Tue, 13 May 2014 14:56:50 +0200
From: Andreas Nilsson <andrnils@gmail.com>
To: Fbsd8 <fbsd8@a1poweruser.com>, Mailinglists FreeBSD <freebsd-jail@freebsd.org>
Subject: Re: new jail framework with vnet, zfs and jail.conf support
Message-ID: <CAPS9%2BSs4JEXwENkaNsgALyGXM4=vJny0t-DfMoMyjMy%2BuZ-nCw@mail.gmail.com>
In-Reply-To: <537212B7.8080909@a1poweruser.com>
References: <640993be45d72e4dac19181ae6644d27@dachev.info> <53720C0F.9010707@a1poweruser.com> <CAPS9%2BSsZFSOkSO%2B2G6P041-9nZjvpZfU0ZKxjW4k3cZHeaZhLg@mail.gmail.com> <537212B7.8080909@a1poweruser.com>
On Tue, May 13, 2014 at 2:40 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
> Andreas Nilsson wrote:
>>
>> On Tue, May 13, 2014 at 2:11 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
>>
>>     freebsd_jail@dachev.info wrote:
>>
>>         Hi,
>>
>>         I'm currently in the process of developing a new tool for easy
>>         jail administration with zfs and vimage/vnet (bridge epair
>>         interface) support.
>>         The idea is to have a single application (python script) without
>>         any other config files and customization.
>>         This tool is written in Python, and works only with vnet, zfs
>>         and FreeBSD 10 (it will probably work on FreeBSD 9.1 but I never
>>         tested it).
>>         JADM works only with the native /etc/jail.conf.
>>         When it is started for the first time, jadm generates a new
>>         /etc/jail.conf in a special format developed by me.
>>         The jail.conf file can also be used without JADM.
>>
>>         For more information please contact me or visit:
>>         https://github.com/NikolayDachev/jadm
>>
>>         JADM is in development status; most of the functions work
>>         normally (with bugs, but they work :)).
>>
>>         Unfortunately I don't have a lot of time for it, so I need test
>>         users.
>>         At the moment the last function for JADM is to support the
>>         skeleton jail model (similar to ezjail with base jail etc.).
>>         This function is still in progress; meanwhile, if someone has
>>         time to test all the other functions and to report any issue, bug
>>         or ideas
>>
>>     I think you have made some poor basic design choices.
>>
>>     1. Requiring python as a dependency. That's a lot of overhead just
>>     for a script. Not a show stopper, but a csh script would have been
>>     better.
>>
>> Why is csh better than sh?
>>
>>     2. Using the highly experimental "vimage" as the cornerstone of the
>>     overall design. Vimage has many long-standing PRs, does not work
>>     with any of the firewalls, has NO maintainer, and requires a custom
>>     kernel to enable. This is a major show stopper. Cannot risk a
>>     production jail environment on highly experimental software. Even if
>>     vimage gets a maintainer, all the firewalls need to be updated to
>>     play nice in a vimage environment, and there are existing PRs to
>>     that effect which the firewall maintainers are reluctant to address
>>     because of vimage's status as highly experimental. What you're
>>     trying to do may never bear fruit due to things totally out of your
>>     control.
>>
>> What do you mean by "not work with any of the firewalls"?
>>
>
> When enabled with a kernel that has vimage they hang the system on boot,
> page fault, or in the case of ipfw, NAT page faults. Just check the
> outstanding PR list for the gory details.

And that is a gross overstatement. I run vimage-kernel and ipfw on a number
of machines. Not one kernel panic.

>> And for people who require separate networking, vimage is the answer. I
>> say it is a shame vimage is not in GENERIC yet.
>>
>
> I agree with you. But it's out of our control. If I remember correctly,
> the vimage author completed his dissertation which was based on his
> writing vimage, graduated college and moved on with his life.
>

That would be very sad. Maybe the foundation could sponsor him and/or
someone else to have another go at it. It's not like pf and ipfilter are
the most well-maintained things either.

I however long for the day when FreeBSD catches up with illumos in terms of
light-weight virtualization with separate networking (seeing as jails were
the model for zones). But maybe netmap+vale-switches with vimage could be
made to play better together.

But I guess we each want different things.

Best regards
Andreas
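As an added illustration of the kind of native /etc/jail.conf entry the thread is discussing (a vnet jail attached to a host bridge through an epair pair), not part of the original thread and not JADM's own output: the jail name, paths, bridge and epair names are assumed, and, as the thread notes for this era, it assumes a kernel built with `options VIMAGE`.

```conf
# Added example: a vnet jail in native /etc/jail.conf, attached to the host
# bridge "bridge0" through an epair (all names assumed). Needs a kernel with
# "options VIMAGE". The jail's own address is set inside the jail's
# /etc/rc.conf (e.g. ifconfig_epair0b="inet 192.0.2.10/24"), not here,
# because with vnet the jail owns its network stack.

# Defaults shared by every jail in this file
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;        # stock "devfsrules_jail" ruleset: hides host devices

vjail0 {
    path = "/usr/jails/vjail0";          # assumed ZFS-backed jail root
    host.hostname = "vjail0.example.net";

    # Separate network stack instead of an ip4.addr/ip6.addr alias list
    vnet;
    vnet.interface = "epair0b";          # the "b" end moves into the jail

    # Host side: create the pair and plug the "a" end into the bridge
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";

    # Host side: tear the pair down after the jail has stopped
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";

    # Keep the default: no raw sockets unless the jail really needs them
    allow.raw_sockets = 0;
}
```

Because the jail has its own stack, any packet filtering for it has to run either inside the jail or on the host bridge; host rules written against the jail's address alone no longer see its traffic.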