Fbsd8 wrote on 06.02.2013 17:57 (localtime):
> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>>
>>
>> On Feb 6, 2013, at 5:39 PM, Fbsd8 <fb...@a1poweruser.com> wrote:
>>
>>> Is there a way to set these MIBs
>>> on a per jail basis?
>>>
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
>>
>>
>>
>
> Rereading the "man jail" for 9.1 talks about securelevel as a jail
> parameter. So correct me if I am wrong. All the security.jail.param.*
> MIBs are set in rc.conf or /etc/jail.conf file on a per jail basis by
> changing the word "parm" to the jailname?
>

This applies to jail.conf(5). That's an entirely new way to handle jails in FreeBSD 9.1. Very nice, but not included in rc.d.

If you want to keep the traditional way of running jails, I made a patch some time ago to control more per-jail tunables. Here you can download it for -9:
ftp://ftp.omnilan.de/pub/FreeBSD/OmniLAN/deploy-tools/local-patches/src/jail-allow-selectables.patch_9
That also irons some ip configuration cosmetics, see defaults/rc.conf.

If you want to give the new jail(8) and jail.conf capabilities a try, here's how I use it with vnet (vimage, virtual per-jail-network stack):
Compile a kernel with "options VIMAGE"
remove "# keyword nojail" in jail's etc/rc.d/netif and routing (if you want to set IP addresses inside the jail)

And here's the corresponding jail.conf:
###
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown && sleep 2";
exec.clean;
allow.mount;
allow.mount.devfs;
allow.set_hostname;
mount.devfs;
devfs_ruleset=4;

# Dynamic wildcard parameter:
# Base the path off the jail name.
path = "/.jail.$name";
mount.fstab="/etc/fstab.$name";

yourname {
        mount;
        name = "inno";
        # host.hostname = .your hostname.net"; but also set inside the jail along with network setup
        vnet = "new";
        vnet.interface = "jbb$name";
}
###

You can add "allow.raw_sockets" anywhere. But with vnet, you don't need that any more.
Just to point you in the right direction.

-Harry
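
An added example, not part of the original message or of FreeBSD: a small Python sketch that reads a jail.conf laid out like the one above and reports, per jail, which allow.* permissions stay enabled once the per-jail block is overlaid on the global defaults. The sample file and the jail names "web" and "lab" are constructed, and the parser is simplified (no "+=" lists, no nested or wildcard blocks, no variables other than $name).

```python
import re

# Constructed sample in the layout of the jail.conf above; jails "web" and "lab" are made up.
SAMPLE = '''
allow.mount;                 # global default for every jail
allow.set_hostname;
path = "/.jail.$name";
web {
    allow.nomount;           # per-jail override of the global default
    securelevel = 3;
}
lab {
    allow.raw_sockets;
    vnet.interface = "jbb$name";
}
'''
# Tokens: quoted string | comment (#, //, /* */) | punctuation | bare word
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|#[^\n]*|//[^\n]*|/\*.*?\*/|([{};=])|([^\s{};="]+)', re.S)

def parse(text):
    """Return {scope: {param: value}}; scope None holds the global defaults."""
    scopes, cur, stmt = {None: {}}, None, []
    for m in TOKEN.finditer(text):
        quoted, punct, word = m.groups()       # all three are None for a comment
        if punct == '{':                       # "name {" opens a per-jail scope
            cur, stmt = stmt[0], []
            scopes[cur] = {}
        elif punct == '}':
            cur = None
        elif punct == ';' and stmt:
            key, val = stmt[0], (stmt[1] if len(stmt) > 1 else True)
            head, _, last = key.rpartition('.')
            if val is True and last.startswith('no'):   # allow.nomount -> allow.mount = False
                key, val = (head + '.' if head else '') + last[2:], False
            scopes[cur][key] = val
            stmt = []
        elif quoted is not None or word:
            stmt.append(quoted if quoted is not None else word)
    return scopes

def effective(scopes, jail):
    """Global defaults overlaid with the jail's own block, with $name expanded."""
    params = {**scopes[None], **scopes[jail]}
    name = params.get('name', jail)
    return {k: v.replace('$name', name) if isinstance(v, str) else v for k, v in params.items()}

def allowed(scopes, jail):  # allow.* permissions left enabled for this jail
    return sorted(k for k, v in effective(scopes, jail).items() if k.startswith('allow.') and v is True)

print({j: allowed(parse(SAMPLE), j) for j in ('web', 'lab')})
```

Run against a real file, the per-jail lists show at a glance which jails inherit a global allow.* setting that was only meant for one of them.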