
Re: [ezjail] ezjail-admin vs. make.conf



I just saw another message in this thread that reminded me that you're looking to get another release out the door...  This is all I have to reply to sitting in my mailbox.

I have one lingering request (or request for discussion), and that is to look at another way to handle configuring a jail with a large number of IPs (for example, I have two that have had from 200 to 400 IPs in each).  Specifying all those IPs in a single line in ezjail.conf is rough.  It would be nice if there were another option, either include another file that lists one IP/line, or even cooler, being able to specify a range of IPs as in the interface config in rc.conf.

Another thing that you'll run into if you use a ton of IPs is that there's a sysctl (security.jail.jail_max_af_ips) that arbitrarily limits the max IPs per jail.  ezjail will silently fail when this limit is hit.  It would be nice to check if that limit will be exceeded.

FWIW, the multi-IP patches in 7.2 are great.  I've been running a few jails with hundreds of IPs and I've yet to have any problems.

Thanks,

Charles

Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
spork AT bway DOT net - 212.655.9344



On Jan 19, 2010, at 9:53 AM, Dirk Engling wrote:

> Dear fellow hackers,
> 
> while I'm ironing out the last wrinkles in ezjail to get it ready for
> the 3.1 release, containing some new jail features, I encountered some
> things I'd like to get feedback on from you.
> 
> Currently ezjail-admin does automatically, what normally only flavours
> should do: put a convenience-make.conf into the jail:
> 
>  # A ports collection inside jails is hardly useful w/o an appropriate
>  # /etc/make.conf.
>  if [ -f "${ezjail_examples}/example/etc/make.conf" -a ! -f "${ezjail_jailtemplate}/etc/make.conf" ]; then
>    cp -p "${ezjail_examples}/example/etc/make.conf" "${ezjail_jailtemplate}/etc/"
>    echo "Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails."
>  fi
> 
> This was invented way before flavours were introduced. Now, some tools
> like portupgrade also break when their INDEXDIR is not writable.
> However, I am not fond of chasing any given inconvenience.
> 
> I am considering removing this behaviour altogether and moving it to
> where it should live: in the example flavour. Is there any reason not to
> do so? Would it create confusion to change the behaviour?
> 
> Regards,
> 
>  erdgeist
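
The two points Charles raises above (a range syntax for jails with hundreds of IPs, and a check against security.jail.jail_max_af_ips before ezjail fails silently) can be handled by a small pre-flight script. The following is an added example and is not ezjail code nor anything either poster wrote. It assumes a "first-last" range syntax (the rc.conf range form is different), the `export jail_<name>_ip="ip,ip,..."` line format, and a fallback limit of 16 (the FreeBSD default for the sysctl) when the sysctl is absent, so that it also runs on a non-FreeBSD host; the sample addresses are constructed from RFC 5737 documentation space.

```shell
#!/bin/sh
# Added example (not ezjail code): expand IPv4 range specs, count the
# addresses and check them against security.jail.jail_max_af_ips before
# emitting an ezjail.conf IP line.  The "first-last" range syntax and the
# jail_<name>_ip variable format are assumptions for this illustration.

# Reject anything that is not a dotted quad of decimal octets 0-255.
valid_ip4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0[0-9]*) return 1 ;; esac   # no leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || return 1
    done
}

# 192.0.2.10 -> 3221225994 (32-bit integer form, for range arithmetic)
ip4_to_int() {
    valid_ip4 "$1" || { echo "bad address: $1" >&2; return 1; }
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 3221225994 -> 192.0.2.10
int_to_ip4() {
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# "192.0.2.10-192.0.2.20" or a single address -> one address per line
expand_ip_range() {
    case $1 in
        *-*) first=${1%%-*}; last=${1#*-} ;;
        *)   first=$1;       last=$1 ;;
    esac
    i=$(ip4_to_int "$first") || return 1
    n=$(ip4_to_int "$last")  || return 1
    [ "$i" -le "$n" ] || { echo "bad range: $1" >&2; return 1; }
    while [ "$i" -le "$n" ]; do
        int_to_ip4 "$i"
        i=$((i + 1))
    done
}

expand_ip_list() {
    for r in "$@"; do expand_ip_range "$r" || return 1; done
}

count_jail_ips() {
    list=$(expand_ip_list "$@") || return 1
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# The sysctl only exists on FreeBSD; fall back to 16 (FreeBSD's default,
# assumed here) so the script also runs on other hosts.
jail_ip_limit() {
    v=$(sysctl -n security.jail.jail_max_af_ips 2>/dev/null) && [ -n "$v" ] \
        && echo "$v" || echo 16
}

# check_jail_ips MAX SPEC... -> comma-joined list on stdout, or exit 1
# when the jail would exceed MAX (the case where ezjail fails silently).
check_jail_ips() {
    max=$1; shift
    [ $# -gt 0 ] || return 2
    list=$(expand_ip_list "$@") || return 2
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    if [ "$count" -gt "$max" ]; then
        echo "error: $count addresses requested, security.jail.jail_max_af_ips=$max" >&2
        return 1
    fi
    printf '%s\n' "$list" | paste -s -d , -
}

# Constructed demo: a 400-address block plus one host, then a 12-address jail.
limit=$(jail_ip_limit)
for spec in "192.0.2.0-192.0.3.143 198.51.100.1" "192.0.2.10-192.0.2.20 198.51.100.1"; do
    if ips=$(check_jail_ips "$limit" $spec); then
        printf 'export jail_example_ip="%s"\n' "$ips"
    fi
done
```

Run as-is it prints an error for the 401-address jail on any host whose limit is the default 16, and the `export jail_example_ip=...` line for the 12-address one; raise the sysctl (or adjust `jail_ip_limit`) and the first jail passes too. The range expansion is the part that would replace a several-hundred-entry line in ezjail.conf.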