Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

2008-09-25 Thread Ruslan Ermilov
Hi Bjoern,

On Wed, Sep 24, 2008 at 06:34:53PM +, Bjoern A. Zeeb wrote:
 On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
 
  ru  2008-09-24 15:18:27 UTC
 
   FreeBSD src repository
 
   Modified files:
 etc/rc.d jail
 share/man/man5   rc.conf.5
   Log:
   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
 
   Allow a jail's IP alias to be created with an arbitrary netmask.
 
 So I had been talking with various people during the last weeks/months
 about this feature of configuring an interface from rc.d/jail and I
 had been  close to remove it a lot of times but it seems people
 prefer to actually mix network configuration, management and jail
 startup/teardown in a single script, which I think is a very
 questionable thing especially considering that we already had an
 SA for[1] that script for other means.
 
 So you now I have v4/v6/multi/no-IP jails and once the next vimage
 step is in I plan to have it hit the tree and I am currently
 integrating a patch that would even have allow the ifconfig to work with
 multiple IPv4/v6 addresses because up to now I decided to leave this
 feature in.
 
 Now adding a netmask only makes sense for exactly one use case to my
 understanding and this is not going to play well with whatever will
 hit the tree.
 
At work, we use ezjail as a management tool for jails.  We want our
jails to be moveable between a set of hosts, so a jail's IP doesn't
necessarily belong to host X at any given time.  With the netmask in
rc.d/jail hardcoded to 255.255.255.255, we have to configure a host's
interface with IP addresses/netmasks corresponding to jails' IPs (and
we have different IP networks).  In practice this means we waste real
IPs for nothing -- for a host with a single jail we waste one real
IP address.  To picture it: on a host that's not otherwise configured
with 192.168.0 addresses, to up a jail with 192.168.0.13 we have to
waste one more address from 192.168.0, e.g. 192.168.0.1, for the host
to be able to route packets between 192.168.0.13 and 192.168.0.*.

 Adding yet another variable to rc.conf to control another question
 knob is something, as I hate to say, I am no longer going to be ok
 with (this has nothhing to do with you or that it might be needed in a
 setup).
 
 My suggestion would be, that if we want thos features to add
 them separately doing a superset of the startup script or something
 just for this and actualy use network.subr or the like to set it up
 but keep the list of IP/Netmasks kind of separated from options for
 the jail(8) command.
 
 In worst case stomething like this (read the BUT later) and have a
 jail_example_ipv4_alias0=192.0.2.1/24
 jail_example_ipv4_alias1=192.0.2.2/32
 jail_example_ipv4_alias2=192.0.2.2 netmask 255.255.255.255
 jail_example_ipv6_alias0=2001:dbe::1
 jail_example_ipv6_alias1=2001:dbe::2/128
 and then have a single knob
 jail_example_configure_ips_on_interfaces=NO
 and still use the above list create the jail(8) argument if you want
 it like that.
 
 BUT wait the above is not going to work out as I am missing the
 interface for each alias instance.
 We need a full interface X af X address X netmask tupple with each
 entry and a defined order per AF as the first IP will be specially
 treated.
 
 That's why I am saying networking is networking and jails are jails
 and to combine both you need a management app/script/... as it is
 too many options/knobs/...
 
 FYI for the multi-IP jails (without this feature) I didn't even have
 to think about the startup script as it would just have continued to
 work. Adding no-IP support I had to change an exit case to _foo=\\
 in rc.d/jail.
 
 With supporting the ifconfig you need to a a few more lines.
 
 With the netmasks I still have no idea where we'll end up.
 
 I suggest we once and for all discuss this on freebsd-jail, decide
 how to continue with this feature. I am Cc:ing and setting Reply-to:
 
   MFC after:  3 days
 
 I would kindly ask you to hold back an MFC into 7 until there is a
 conclusion.
 
I'd be happy with anything that allowed us NOT to waste IP addresses,
preferably in FreeBSD 7.1.  I have a solution that involves having
static routes (in the example above, I'd add a route to 192.168.0/24
over some Ethernet interface that's equivalent to saying to resolve
these IPs using ARP on this interface), but it's not ideal as I don't
want these addresses to be accessible/resolvable when a host doesn't
have configured IPs in this range.


Cheers,
-- 
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

2008-09-25 Thread Simon L. Nielsen
[Trying to moving off commit lists]

On 2008.09.25 09:20:04 +0400, Ruslan Ermilov wrote:
 Hi Bjoern,
 
 On Wed, Sep 24, 2008 at 06:34:53PM +, Bjoern A. Zeeb wrote:
  On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
  
   ru  2008-09-24 15:18:27 UTC
  
FreeBSD src repository
  
Modified files:
  etc/rc.d jail
  share/man/man5   rc.conf.5
Log:
SVN rev 183325 on 2008-09-24 15:18:27Z by ru
  
Allow a jail's IP alias to be created with an arbitrary netmask.
  
  So I had been talking with various people during the last weeks/months
  about this feature of configuring an interface from rc.d/jail and I
  had been  close to remove it a lot of times but it seems people
  prefer to actually mix network configuration, management and jail
  startup/teardown in a single script, which I think is a very
  questionable thing especially considering that we already had an
  SA for[1] that script for other means.
  
 At work, we use ezjail as a management tool for jails.  We want our

[...]

I think the main problem is that the configuration required for jails
today is simply too much for what should be done in an rc.d script
configured by rc.conf.  At the Cambridge Devsummit we talked about
creating some kind of more advanced jail management system and I think
that is the way to go in the long run and kill off rc.d/jail.

Of course doing this is no small task, but I think adding kludges to
rc.conf is going to be increasingly painful.  I'm not sure what form a
management system should take, but having ezjail like functionality in
base would be a good thing IMO.

Personally I also have a rather strong dislike for the jail auto ip
setting feature, but as people are using it removing the functionality
will cause pain.

-- 
Simon L. Nielsen
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

2008-09-25 Thread Ruslan Ermilov
On Thu, Sep 25, 2008 at 10:55:59PM +0200, Simon L. Nielsen wrote:
 Personally I also have a rather strong dislike for the jail auto ip
 setting feature, but as people are using it removing the functionality
 will cause pain.
 
It's quite normal that the jail's IP migrates with the jail itself,
including not having an IP address configured if the jail is off.
Otherwise (when the jail is off but its address is on), you may end
up accessing a host system's Web/SSH/etc. server instead of jail's.


Cheers,
-- 
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to [EMAIL PROTECTED]