Dear folks,

There was the recent discussion about whether we should have the perl port touch/install /usr/bin/perl. While I'm not interested in joining the discussion, it inspired me that we can make use of the fact that ports should not install things to the "system" area and take advantage of it. Finally, these ideas led me to hack up something that might be valuable to share with our users.

What I am going to propose is a concept that I call "skeleton jail", or "skeljail" for short. A skeljail is something that shares most base system binaries/libraries with the host, through read-only mount_null's.

I have already done some experiments. Basically, we want the following directories to be mount_null'ed:

/bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include, /usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share

to get most of what we want the jail to do to work; this includes ssh(1) and something else. Optionally, we may want to mount_nullfs a read-write /usr/ports/distfiles, a readonly /usr/ports, and something like /usr/game to be mounted into the skeljail.

In order to avoid having to do something magic instead of "make installworld", I have a patchset against src/Makefile and src/Makefile.inc1 to make the work a bit easier. It adds a so-called "installskel" target that creates a skeljail that contains the necessary directory hierarchy, and a set of /etc configuration files that will be useful to start the jail. The target must be used after a ``make buildworld''.

The two major benefits of the skeljail are:

- Reduces the ordinary management cost because many base system files are shared, hence you patch only once to get all jails patched.
- Reduces the space cost needed for a newly created jail. It used to need about 110MB and with skeljail you will need no more than 3MB.

Apparently skeljail is not suitable for those who want to:

- Run different FreeBSD releases on a single box.
- Run ports that do touch the system area.

But having it doesn't hurt the ability for you to run a full jail.

I have some handcrafted shell scripts to implement skeljail by having everything automatically mounted/dismounted. However, I think it might be better if we can have a jail_<name>_skeljail="YES" switch in our jail rc.d(8) startup script.

Please let me know if you are interested in the idea and I'll post a patch for review if there are enough people who want this.

Thanks in advance!

Cheers,
--
Xin LI <delphij delphij net> http://www.delphij.net/
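The mount layout described in the message above, as an added example that is not part of the original post or its patch. The function names and any jail root passed in are assumptions; the directory list is the one from the message with its duplicate /usr/sbin entry dropped. The first function emits fstab(5) lines for the null mounts, the second flags any shared directory that is missing or not mounted read-only.

```sh
# Added example, not code from the original post.
# Base-system directories the post proposes sharing with the host.
SKEL_RO_DIRS="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/include
/usr/lib /usr/libdata /usr/libexec /usr/share"

# skeljail_fstab ROOT: print fstab(5) lines that null-mount the shared
# directories read-only under ROOT, plus the optional ports mounts
# (read-only /usr/ports, read-write /usr/ports/distfiles).
skeljail_fstab() {
    root=${1%/}
    case $root in
        /?*) ;;   # absolute path, and not "/" itself
        *) echo "skeljail_fstab: bad jail root '$1'" >&2; return 1 ;;
    esac
    for d in $SKEL_RO_DIRS /usr/ports; do
        printf '%s %s%s nullfs ro 0 0\n' "$d" "$root" "$d"
    done
    printf '%s %s%s nullfs rw 0 0\n' \
        /usr/ports/distfiles "$root" /usr/ports/distfiles
}

# skeljail_audit ROOT: read fstab-format lines on stdin (the format that
# "mount -p" prints) and list every shared base directory under ROOT that
# is not null-mounted or whose topmost mount lacks "ro".
# Returns non-zero if anything is listed.
skeljail_audit() {
    root=${1%/}
    table=$(cat)
    bad=0
    for d in $SKEL_RO_DIRS; do
        # The last matching line is the mount currently on top.
        opts=$(printf '%s\n' "$table" | awk -v mp="$root$d" \
            '$2 == mp && $3 == "nullfs" { o = $4 } END { print o }')
        case ",$opts," in
            *,ro,*) ;;
            *) echo "$root$d"; bad=1 ;;
        esac
    done
    return $bad
}
```

With a skeljail rooted at a hypothetical /jails/web, piping the output of mount -p into skeljail_audit /jails/web checks the live mounts; a writable mount of a shared directory would let the jail modify the host's own binaries.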
Index: Makefile =================================================================== RCS file: /home/ncvs/src/Makefile,v retrieving revision 1.315 diff -u -r1.315 Makefile --- Makefile 21 Dec 2004 09:59:39 -0000 1.315 +++ Makefile 31 Jan 2005 13:02:34 -0000 @@ -65,7 +65,7 @@ TGTS= all all-man buildkernel buildworld checkdpadd clean \ cleandepend cleandir depend distribute distributeworld everything \ hierarchy install installcheck installkernel installkernel.debug\ - reinstallkernel reinstallkernel.debug installworld \ + reinstallkernel reinstallkernel.debug installskel installworld \ kernel-toolchain libraries lint maninstall \ obj objlink regress rerelease tags toolchain update \ _worldtmp _legacy _bootstrap-tools _cleanobj _obj \ Index: Makefile.inc1 (Items indicated with * means non-essential items) =================================================================== RCS file: /home/ncvs/src/Makefile.inc1,v retrieving revision 1.473 diff -u -r1.473 Makefile.inc1 --- Makefile.inc1 20 Jan 2005 10:49:02 -0000 1.473 +++ Makefile.inc1 31 Jan 2005 13:02:34 -0000 @@ -516,6 +516,18 @@ rm -rf ${INSTALLTMP} # +# installskel +# +# Installs a minimum set of files that can support a mini-jail +# +installskel: + @echo "--------------------------------------------------------------" + @echo ">>> Making installskel" + @echo "--------------------------------------------------------------" + ${_+_}cd ${.CURDIR}; ${MAKE} hierarchy DESTDIR=${DESTDIR} + ${_+_}cd ${.CURDIR}/etc; ${MAKE} distribution DESTDIR=${DESTDIR} + +# # reinstall # # If you have a build server, you can NFS mount the source and obj directories
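Review bot: the installskel target in the Makefile.inc1 hunk passes DESTDIR=${DESTDIR} to both the hierarchy step and the etc distribution step without checking that DESTDIR is set, so "make installskel" run with an empty DESTDIR would lay the default /etc configuration files over the host's own. Suggest failing early in the target when DESTDIR is empty or "/", before either ${MAKE} line runs. The comment block above the target should also say that DESTDIR is required and that the target must be run after "make buildworld", which the cover message states but the hunk does not.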