Date:      Tue, 13 May 2014 14:56:50 +0200
From:      Andreas Nilsson <andrnils@gmail.com>
To:        Fbsd8 <fbsd8@a1poweruser.com>, Mailinglists FreeBSD <freebsd-jail@freebsd.org>
Subject:   Re: new jail framework with vnet, zfs and jail.conf support
Message-ID:  <CAPS9+Ss4JEXwENkaNsgALyGXM4=vJny0t-DfMoMyjMy+uZ-nCw@mail.gmail.com>
In-Reply-To: <537212B7.8080909@a1poweruser.com>
References:  <640993be45d72e4dac19181ae6644d27@dachev.info> <53720C0F.9010707@a1poweruser.com> <CAPS9+SsZFSOkSO+2G6P041-9nZjvpZfU0ZKxjW4k3cZHeaZhLg@mail.gmail.com> <537212B7.8080909@a1poweruser.com>

On Tue, May 13, 2014 at 2:40 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:

> Andreas Nilsson wrote:
>
>> On Tue, May 13, 2014 at 2:11 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
>>
>>     freebsd_jail@dachev.info wrote:
>>
>>         Hi,
>>
>>         I'm currently in the process of developing a new tool for easy
>>         jail administration with zfs and vimage/vnet (bridge epair
>>         interface) support.
>>         The idea is to have a single application (python script) without
>>         any other config files and customization.
>>         This tool is written in Python, and also works only with vnet, zfs
>>         and FreeBSD 10 (it will probably work on FreeBSD 9.1 but I never
>>         tested it).
>>         JADM works only with the native /etc/jail.conf.
>>         When it is started for the first time, jadm generates a new
>>         /etc/jail.conf in a special format developed by me.
>>         The jail.conf file can also be used without JADM.
>>
>>         for more information please contact me or visit:
>>         https://github.com/NikolayDachev/jadm
>>
>>         JADM is in development status; most of the functions work normally
>>         (with bugs, but they work :)).
>>
>>         Unfortunately I don't have a lot of time for it, so I need test
>>         users.
>>         At the moment the last function for JADM is to support the skeleton
>>         jail model (similar to ezjail with base jail, etc.).
>>         This function is still in progress; meanwhile, if someone has
>>         time to test all other functions and report any issue, bug or
>>         ideas
>>
>>     I think you have made some poor basic design choices.
>>
>>     1. Requiring python as a dependency. That's a lot of overhead just for
>>     a script. Not a show stopper, but a csh script would have been better.
>>
>> Why is csh better than sh?
>>
>>     2. Using the highly experimental "vimage" as the cornerstone of the
>>     overall design. Vimage has many long-standing PRs, does not work
>>     with any of the firewalls, has NO maintainer, and requires a custom
>>     kernel to enable.
>>     This is a major show stopper. Cannot risk a production jail
>>     environment on highly experimental software. Even if vimage gets a
>>     maintainer, all the firewalls need to be updated to play nicely in a
>>     vimage environment, and there are existing PRs to that effect which
>>     the firewall maintainers are reluctant to address because of
>>     vimage's status as highly experimental. What you're trying to do may
>>     never bear fruit due to things totally out of your control.
>>
>> What do you mean by "not work with any of the firewalls"?
>>
>
> When enabled with a kernel that has vimage they hang the system on boot,
> page fault, or in the case of ipfw, NAT page faults. Just check the
> outstanding PR list for the gory details.

And that is a gross overstatement. I run vimage-kernel and ipfw on a number
of machines. Not one kernel panic.

>
>> And for people who require separate networking, vimage is the answer. I
>> say it is a shame vimage is not in generic yet.
>>
> I agree with you. But it's out of our control. If I remember correctly, the
> vimage author completed his dissertation which was based on his writing
> vimage, graduated college and moved on with his life.
>

That would be very sad. Maybe the foundation could sponsor him and/or
someone else to have another go at it. It's not like pf and ipfilter are
the most well-maintained things either.

I however long for the day when FreeBSD catches up with illumos in terms of
light-weight virtualization with separate networking (seeing as jails were
the model for zones). But maybe netmap+vale-switches with vimage could be
made to play better together. But I guess we each want different things.

Best regards
Andreas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPS9%2BSs4JEXwENkaNsgALyGXM4=vJny0t-DfMoMyjMy%2BuZ-nCw>