cvs commit: src/usr.bin/killall killall.1 killall.c
src/usr.sbin Makefile src/usr.sbin/jail jail.8 jail.c
src/usr.sbin/jexec Makefile jexec.8 jexec.c src/usr.sbin/jls
Makefile jls.8 jls.c
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Wed Apr 9 16:04:32 PDT 2003
On Wed, Apr 09, 2003 at 06:41:03PM -0400, Robert Watson wrote:
+> > But IMHO JID should be a string, not a number. For example we're running
+> > many jails at startup or somewhere else and because JID is set dynamically
+> > there could be problems in writing scripts for handling jails (attaching
+> > processes to it or something). As we can see on your example, we aren't
+> > able to find out which jail was run first (looking at PIDs isn't a good
+> > idea:)). If JID will be a string there will be no such problems.
+> >
+> > What do you think?
+>
+> Hmm. In the jailNG patches, I used a string name for each jail, for
+> pretty much that reason: jid values are meaningless, but
+> administrator-provided jail names can be quite a bit more useful. I would
+> not be opposed to that direction at all, although it's worth noting that
+> Mike managed to maintain the current ABI and API for jail() with the
+> current model. One of the issues with user-provided names, if you adopt
+> the hierarchal jail changes you posted, is how to control the namespace.
+> Since jail id's have no real meaning themselves, no one really cares which
+> jail gets jid 2038201. With a jail name, you might care about issues such
+> as name spoofing, etc. One of the problems that jid's do have, and it's
+> related, is the race condition issue present for pids: better not get the
+> wrong jail in the same way we can currently get the wrong process.
JID couldn't be changed in jail, that's for sure.
In hierarchal jails we can do something else: hierarchal names.
Example jails tree:
-alpha-+-beta-+-delta
       |      +-sigma
       +-gamma
Jail named 'alpha' is created in mainsystem. Jail 'beta' is created inside
jail 'alpha'. Jails 'delta' and 'sigma' are created in jail 'beta', etc.
When I'm listing those jails it looks like this:
beta# jls
JID [...]
delta [...]
sigma [...]
alpha# jls
JID [...]
beta [...]
beta.delta [...]
beta.sigma [...]
gamma [...]
mainsystem# jls
JID [...]
alpha [...]
alpha.beta [...]
alpha.beta.delta [...]
alpha.beta.sigma [...]
alpha.gamma [...]
And there can't be name spoofing. (If, of course, '.' is an invalid char in
jail name:)).
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
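
The naming scheme proposed in the message above, as an added example that is not code from this thread or from FreeBSD: a jail's full name is its parent's full name plus '.' plus its own name, each ancestor lists descendants relative to itself, and a name containing '.' is rejected so a jail created in 'alpha' cannot pass as 'beta.delta'. The function names and the length limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256 /* assumed limit; the thread does not give one */

/* A single jail name is valid only if it is non-empty and has no '.'. */
int component_valid(const char *name)
{
    return name[0] != '\0' && strchr(name, '.') == NULL;
}

/* Full name = parent's full name + '.' + child; parent "" is the main system.
 * Returns 0 on success, -1 if the child name is rejected or does not fit. */
int full_name(const char *parent, const char *child, char *out, size_t outlen)
{
    int n;

    if (!component_valid(child))
        return -1;
    n = snprintf(out, outlen, "%s%s%s", parent, parent[0] ? "." : "", child);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Name of jail `full` as listed by jls inside `viewer` ("" = main system).
 * Returns NULL when `full` is not a descendant of `viewer`. */
const char *relative_name(const char *viewer, const char *full)
{
    size_t vlen = strlen(viewer);

    if (vlen == 0)
        return full;
    /* Match whole components only: "alpha" must not match "alphabet". */
    if (strncmp(full, viewer, vlen) != 0 || full[vlen] != '.')
        return NULL;
    return full + vlen + 1;
}

int main(void)
{
    char a[NAME_MAX_LEN], b[NAME_MAX_LEN];

    full_name("alpha.beta", "delta", a, sizeof(a));   /* real jail */
    printf("alpha sees: %s\n", relative_name("alpha", a));
    /* A jail created directly in alpha with a look-alike name is refused. */
    if (full_name("alpha", "beta.delta", b, sizeof(b)) != 0)
        printf("rejected: 'beta.delta' contains '.'\n");
    return 0;
}
```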