Date: Thu, 21 Jan 2010 17:43:24 +0100 From: Philipp Wuensche <cryx-freebsd@h3q.com> To: freebsd-jail@FreeBSD.org Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail Message-ID: <4B58842C.6080106@h3q.com> In-Reply-To: <4B586095.8020109@h3q.com> References: <201001200940.o0K9e4lO032467@freefall.freebsd.org> <4B586095.8020109@h3q.com>
Philipp Wuensche wrote:
>
> And shouldn't we implement all the new-style features while we're at it?
> All the allow.* stuff, cpuset etc.

I did some testing with vnet and I find the way of using _poststart and
_afterstart to configure ip-addr. inside a vimage jail very impractical.
First we lose all the nice features of configuring ipaddrs. via
ipv4_addrs_if in rc.conf from inside the jail and second, more important,
the jail will be fully booted before any ipaddr. is configured or even
interfaces are configured. This will result in services not starting
correctly, firewalling going nuts, routing-daemons not working etc.pp.

A way to solve this would be to create the jail with "jail -c" and not
setting "command=" but persist, resulting in /etc/rc not being run yet.
This will give us a jail without any processes but already in a state to
be manipulated. In this state we could attach interfaces, zfs-datasets,
configure the cpuset etc.pp.

After manipulating the jail, it can be really booted up by
"jail -m jid=${_jail_id} command=${_exec_start}" which will configure all
the networking and services correctly from within the jail.

For this, there need to be some changes:

- due to the "persist" flag, we need to delete the jail via
  "jail -r ${_jail_id}" when stopping it

- the changes above are meant for vnet, so we need to make them work with
  non-vnet jails too

- this creates the need for a command between creating the jail and fully
  booting it, as _prestart is too early and _poststart is too late.

- a lot of rc.d scripts have the KEYWORD nojail, e.g. netif. Some of them
  will be needed to run inside vnet jails. Is there a way to distinguish a
  vimage jail from a non-vimage jail inside the jail? Couldn't find a
  sysctl, maybe security.jail.jailed should be set to 2 instead of 1?

greetings,
Philipp
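The two-phase start and the matching stop that the message proposes, written out as a POSIX sh sketch. This is an added example, not code from the message and not FreeBSD's own rc.d/jail script. The jail name, root path, hostname, an epair interface already created on the host, and "/bin/sh /etc/rc" as the boot command are assumptions made for illustration, and the boot step relies on "jail -m ... command=" behaving as the author describes; the helper functions only build the command lines, and the two glue functions run them (root on a VIMAGE kernel required).

```sh
#!/bin/sh
# Two-phase vnet jail start/stop following the sequence in the message.
# Added example; not from the original post or from rc.d/jail.
# Assumed: jail name/path/hostname, a pre-created epair, "/bin/sh /etc/rc"
# as the boot command, and that "jail -m" accepts "command=" as described.

# Phase 1: create the jail with "persist" and no "command=". No process is
# started, so /etc/rc has not run yet; the jail is only a container that can
# be configured. "-i" prints the new jid so later phases can address it.
jail_create_cmd() {
    # $1 = jail name, $2 = root path, $3 = hostname
    printf 'jail -c -i name=%s path=%s host.hostname=%s vnet persist\n' \
        "$1" "$2" "$3"
}

# Between the phases: move the "b" end of an epair into the jail's own
# network stack. With vnet the address itself is then set from inside the
# jail by its own rc.conf (ifconfig_<if> / ipv4_addrs_<if>), not from the host.
jail_attach_if_cmd() {
    # $1 = jid, $2 = epair base name, e.g. epair0 (assumed to exist already)
    printf 'ifconfig %sb vnet %s\n' "$2" "$1"
}

# Phase 2: boot the configured jail. "command=" must come last on the jail(8)
# command line because everything after it is the command and its arguments.
jail_boot_cmd() {
    # $1 = jid
    printf 'jail -m jid=%s command=/bin/sh /etc/rc\n' "$1"
}

# Stop: because of "persist" the jail does not disappear when its last
# process exits, so it has to be removed explicitly.
jail_stop_cmd() {
    # $1 = jid
    printf 'jail -r %s\n' "$1"
}

# Glue: run the phases in order and print the jid on success.
start_vnet_jail() {
    name=$1; path=$2; host=$3; epair=$4
    jid=$(eval "$(jail_create_cmd "$name" "$path" "$host")") || return 1
    eval "$(jail_attach_if_cmd "$jid" "$epair")" || return 1
    eval "$(jail_boot_cmd "$jid")" || return 1
    echo "$jid"
}

# Stop: run the jail's own shutdown first (as rc.d/jail does with jexec),
# then drop the persistent jail.
stop_vnet_jail() {
    # $1 = jid
    jexec "$1" /bin/sh /etc/rc.shutdown
    eval "$(jail_stop_cmd "$1")"
}

# Usage (as root on a VIMAGE kernel, epair0 created beforehand):
#   jid=$(start_vnet_jail j1 /usr/jails/j1 j1.example.org epair0)
#   stop_vnet_jail "$jid"
```

The split into builders and glue is deliberate: the builders show exactly which jail(8) and ifconfig(8) invocations each phase consists of, and the interface attach sits between "jail -c ... persist" and "jail -m ... command=", which is the slot the message says neither _prestart nor _poststart can fill.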