On 26.08.25 13:41, Anthony Pankov wrote:
Hello,
I'm developing my own jail management solution based on naming a jail as a
number in hexadecimal form.
Halfway through, I encountered an error with a digit-only jail name (in my case,
47777). Discussion via hackers@ revealed that, despite the error itself, the kernel
part of jail would treat a numeric name as a JID and nothing can be done about
it.
It's very disappointing because jail(8) contains nothing about the numeric-only
case:
name The jail name. This is an arbitrary string that identifies a
jail (except it may not contain a '.').
Maybe there is a way to solve the problem?
If the jail name is a decimal number it's interpreted as the jail ID
instead. In a jail.conf(5) jail block e.g. `23 { path = "/jails/foo"; }`
the $name parameter remains unbound and can be assigned like this `23 {
name = "foo"; path = "/jails/$name"; }`. Yes, this is confusing and
should be better documented. This behavior if you prefix the hex numbers
with the common "0x" prefix it will always be interpreted as a name. If
you want a stable jail id for your jail manager I would recommend
setting it in the jail.conf(5) and only picking jail ids above one
million, because the range from 1 to one million is used for automatic
jail id selection by the kernel.

The dot character is not available for
use in a jail name since it encodes the parent-child relation between
jails similar to / in unix paths. You can work around this by escaping
the dot character. A simple scheme would be to just replace dots with
underscores, but then users must be trusted not to use "foo.bar" and
"foo_bar" for different jails. A proper bijective escaping function is
also possible, but it would result in uglier jail names when viewing the
system state with base system tools like jls.
for reference:
On 2025-08-09 04:01, Anthony Pankov wrote:
This is an artifact of how numeric names work. When you use a purely
numeric name, it's taken as both the jid and the name. jail(8) has some
logic up-front that will set one or the other variable based on the name,
but it omits the other.
I think to prevent ambiguity there must be a possibility or requirement to
quote the jail name to force interpretation as a string.
Using "47777" instead of 47777 doesn't help for now.
That's fine for user space. But in the kernel, you still have a numeric name,
and that's only allowed if the name is the same as the jid. The work to make
the $jid and $name parameters available to jail(8) is good, but that's separate
from the kernel level.
If you want to use numeric names you have to prefix/suffix them with
something so that the name isn't interpreted as a decimal number.
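
An added example, not part of the original messages or of FreeBSD: one way a jail manager could apply the advice above (a "0x" prefix for numeric names, fixed JIDs above one million, and a bijective escape for dots instead of a plain dot-to-underscore swap). The function names and the `_d` escape scheme are assumptions chosen for illustration.

```python
# Added example: helper names are hypothetical, not from jail(8) or the thread.
AUTO_JID_MAX = 1_000_000  # per the message: 1..1,000,000 is the auto-JID range

def hex_jail_name(n: int) -> str:
    """Name a jail after a number; "0x" keeps it from being read as a JID."""
    if n < 0:
        raise ValueError("jail number must be non-negative")
    return f"0x{n:x}"

def fixed_jid(slot: int) -> int:
    """Map a manager-side slot (0, 1, 2, ...) to a JID above the auto range."""
    return AUTO_JID_MAX + 1 + slot

def escape_label(label: str) -> str:
    """Bijective escape: '_' -> '__' and '.' -> '_d', so no two labels collide."""
    if not label:
        raise ValueError("empty label")
    out = label.replace("_", "__").replace(".", "_d")
    # Assumption: any all-digit result counts as a decimal number, i.e. a JID.
    if out.isascii() and out.isdigit():
        raise ValueError(f"{label!r} is decimal and would be read as a JID")
    return out

def unescape_label(name: str) -> str:
    """Inverse of escape_label; rejects names escape_label cannot produce."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == ".":
            raise ValueError("unescaped '.' in jail name")
        if ch != "_":
            out.append(ch)
            i += 1
            continue
        nxt = name[i + 1 : i + 2]
        if nxt == "_":
            out.append("_")
        elif nxt == "d":
            out.append(".")
        else:
            raise ValueError(f"bad escape at offset {i}")
        i += 2
    return "".join(out)

if __name__ == "__main__":
    for label in ("foo.bar", "foo_bar", "foo_dbar"):  # constructed sample labels
        print(f"{label!r:12} -> {escape_label(label)!r}")
    print(hex_jail_name(0x47777), fixed_jid(0))
```

With the plain dot-to-underscore scheme, "foo.bar" and "foo_bar" would both map to the same jail; here they map to `foo_dbar` and `foo__bar`, and the original label can always be recovered.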