Thoughts on jail.config
Alexander Leidinger
Alexander at Leidinger.net
Tue Jun 29 10:12:36 UTC 2010
Quoting James O'Gorman <james at netinertia.co.uk> (from Mon, 28 Jun 2010
23:40:21 +0100):
> On 28 Jun 2010, at 16:38, Jamie Gritton wrote:
>
>> On 06/28/10 08:41, Rodrigo Mosconi wrote:
>>
>>> An idea: if it works like a "jaild"? A daemon managing the start-up,
>>> shutdown, console redirection? All the admin tasks could be done by a
>>> "jailctl"?
>>
>> I don't know what work a daemon would have to do. I only see it running
>> tasks on startup, and then waiting until something tells it on shutdown
>> to wake up and stop the jails. That "something" would have to be that
>> jailctl you mention. If there's a jail program running anyway, might as
>> well keep all functionality in that one program.
>
> Perhaps it's worth looking at Solaris Zones here, as that runs a
> daemon in both the global zone and each container. I can't recall
> exactly what it does off-hand as I don't have a Solaris box to hand
> but it's probably similar to what you're talking about. I'm pretty
> sure zoneadm talks to zoneadmd to start/stop/configure each zone in
> the kernel.

Yes, but it also takes care of the zone console device
(http://docs.sun.com/app/docs/doc/817-1592/z.inst.ov-12?l=en&a=view).
This (and maybe some resource control stuff) is the only thing I see
which may make sense to be handled by a daemon; everything else could
be handled by zoneadm directly. I also see a security benefit of the
daemon if you give the right to manage zones to a user/role != root.
Both are not available in FreeBSD.

There is also the zsched running per zone. This process is explained
at http://docs.sun.com/app/docs/doc/817-1592/z.inst.ov-13?a=view

Bye,
Alexander.
--
Never have so many understood so little about so much.
-- James Burke
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137