Re: Effective rule sets in a jail?

2016-07-07 Thread Grzegorz Junka
On 07/07/2016 13:31, Martin "eto" Misuth wrote: IMHO, regarding jails, better mental model would be like this: - any single jail can have one and only one devfs ruleset number assigned - however, different standalone jails can have different devfs ruleset number assigned - nested

Re: Effective rule sets in a jail?

2016-07-07 Thread Martin "eto" Misuth
On Thu, 7 Jul 2016 11:17:41 + Grzegorz Junka wrote:
> Descendant jails inherit the parent jail's devfs ruleset. Devfs rules enforced in the jail are defined by the single calculated ruleset.
>
> What do you think?
IMHO, regarding jails, better mental model would

Re: Effective rule sets in a jail?

2016-07-07 Thread Grzegorz Junka
On 07/07/2016 10:06, Miroslav Lachman wrote: Grzegorz Junka wrote on 07/07/2016 11:42: OK, I am just a user, not very familiar with the terminology. For me (as a programmer) inheriting means overriding, so merging the more specific to the less specific declarations. Does it mean that the

Re: Effective rule sets in a jail?

2016-07-07 Thread Miroslav Lachman
Grzegorz Junka wrote on 07/07/2016 11:42: OK, I am just a user, not very familiar with the terminology. For me (as a programmer) inheriting means overriding, so merging the more specific to the less specific declarations. Does it mean that the "inheriting" works in nested declarations but

Re: Effective rule sets in a jail?

2016-07-07 Thread Grzegorz Junka
On 07/07/2016 09:03, Miroslav Lachman wrote: Grzegorz Junka wrote on 07/07/2016 10:41: I was referring to this clause in the man document: Descendant jails inherit the parent jail's devfs ruleset enforcement. This is true for hierarchical "nested" jails = jail inside jail. And inheriting

Re: Effective rule sets in a jail?

2016-07-07 Thread Miroslav Lachman
Grzegorz Junka wrote on 07/07/2016 10:41: I was referring to this clause in the man document: Descendant jails inherit the parent jail's devfs ruleset enforcement. This is true for hierarchical "nested" jails = jail inside jail. And inheriting doesn't mean merging. You can't allow devices

Re: Effective rule sets in a jail?

2016-07-07 Thread Grzegorz Junka
On 07/07/2016 07:53, Miroslav Lachman wrote: Ultima wrote on 07/07/2016 06:04: Not so. The top variable, devfs_ruleset = 4 is being set as the default for all jails. The devfs_ruleset = 5 inside the brackets is changing the default value. How to check what ruleset is mounted? That is a great

Re: Effective rule sets in a jail?

2016-07-07 Thread Miroslav Lachman
Ultima wrote on 07/07/2016 06:04: Not so. The top variable, devfs_ruleset = 4 is being set as the default for all jails. The devfs_ruleset = 5 inside the brackets is changing the default value. How to check what ruleset is mounted? That is a great question. I'm not sure of an easy way to check