Idea about "skeleton jail"

Xin LI delphij at frontfree.net
Mon Jan 31 05:41:52 PST 2005


Dear folks,

There has been a recent discussion about whether we should have the perl
port touch/install /usr/bin/perl.  While I'm not interested in joining the
discussion, it inspired me that we can make use of the fact that ports
should not install things into the "system" area and take advantage of it.
Finally these ideas led me to hack up something that might be
valuable to share with our users.

What I am going to propose is a concept that I call "skeleton jail",
or "skeljail" for short.  A skel jail is something that shares most base
system binaries/libraries with the host, through read-only mount_null's.

I have already done some experiments.  Basically we want the following
directories to be mount_null'ed:
	/bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include,
	/usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share

This gets most of what we want the jail to do working, including
ssh(1) and other things.  Optionally, we may want to mount_nullfs a
read-write /usr/ports/distfiles, a read-only /usr/ports, and something
like /usr/game into the skeljail.

In order to avoid having to do something magic instead of "make
installworld", I have a patchset against src/Makefile and
src/Makefile.inc1 to make the work a bit easier.  It adds a so-called
"installskel" target that creates a skeljail containing the necessary
directory hierarchy, and a set of /etc configuration files that will be
useful to start the jail.  The target must be used after a ``make
buildworld''.

The two major benefits of the skeljail are:
- Reduces the ordinary management cost, because many base system files
are shared; hence you patch only once to get all jails patched.
- Reduces the space needed for a newly created jail.  It used
to need about 110MB; with skeljail you will need no more than
3MB.

Apparently skeljail is not suitable for those who want to:
- Run different FreeBSD releases on a single box.
- Run ports that do touch the system area.

But having it doesn't hurt your ability to run a full jail.

I have some handcrafted shell scripts to implement skeljail by having
everything automatically mounted/unmounted.  However, I think it might
be better if we could have a jail_<name>_skeljail="YES" switch in our jail
rc.d(8) startup script.  Please let me know if you are interested in the
idea, and I'll post a patch for review if there are enough people who
want this.

Thanks in advance!

Cheers,
-- 
Xin LI <delphij delphij net>  http://www.delphij.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-skel
Type: text/x-patch
Size: 2643 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20050131/664cee04/patch-skel.bin
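As an added illustration of the read-only nullfs sharing described in the mail (this is not the author's patch or script, nor FreeBSD's rc.d code), the following POSIX sh generates the fstab-style mount lines for a skeljail root and audits a `mount -p`-style table for shared base directories that ended up writable; the jail root path and the sample mount table are constructed assumptions.

```sh
#!/bin/sh
# Added example: skeleton-jail nullfs mount generation and read-only audit.

# Base directories the mail proposes sharing from the host, read-only.
SKEL_RO_DIRS="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/include /usr/lib /usr/libdata /usr/libexec /usr/share"
# Optional read-write share from the mail (ports distfiles).
SKEL_RW_DIRS="/usr/ports/distfiles"

# Print fstab(5)-style lines for the given jail root (assumed path),
# one nullfs entry per shared directory: ro for base, rw for distfiles.
skeljail_fstab() {
    root=$1
    for d in $SKEL_RO_DIRS; do
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$d" "$root" "$d"
    done
    for d in $SKEL_RW_DIRS; do
        printf '%s\t%s%s\tnullfs\trw\t0\t0\n' "$d" "$root" "$d"
    done
}

# Audit: read "fsspec fsfile fstype opts dump pass" lines (mount -p format)
# on stdin and report every nullfs mount under $root that maps one of the
# read-only base directories without the "ro" option. Returns 1 if any.
skeljail_audit() {
    root=$1
    bad=0
    while read -r src dst type opts rest; do
        [ "$type" = nullfs ] || continue
        case $dst in "$root"/*) ;; *) continue ;; esac
        for d in $SKEL_RO_DIRS; do
            [ "$src" = "$d" ] || continue
            case ",$opts," in
                *,ro,*) ;;
                *) echo "writable skel mount: $src on $dst ($opts)"; bad=1 ;;
            esac
        done
    done
    return $bad
}
```

Feed the output of `mount -p` on the host into `skeljail_audit /path/to/jail` to confirm that no shared base directory was mounted read-write.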