
Re: [ezjail] Feature Request: Allow flavour to modify files outside of jail



On 12.11.12 19:04, Loyall, Benjamin Farragut (LARC-E302)[SCIENCE SYSTEMS
AND APPLICATIONS, INC] wrote:

> First off, apologies if this is already possible.  If that is the case,
> please just point & laugh and then let me know how  ;)

While I agree that the project's website could benefit from a little
overhaul, the man pages are rather accurate ;)

> I would love to be able to include a script in my flavour that runs at
> jail creation time, not jail first start.  The intent is to make
> modifications to the main system.

I understand the desire and discussed that several times with friends
and colleagues. Requests ranged from automatically configuring the IP
address in rc.conf, setting up routing, mounting pre-installed packages,
copying/parsing/rewriting /etc/resolv.conf to deploying backup-scripts
to the host system.

I just do not think that ezjail is the place to do it cleanly and, most
importantly, securely.

ezjail is very conservative when it comes to where the line is drawn
between the host system and where jails live. I want to make sure that
ezjail only messes with three locations by default: ezjail_jaildir,
$PREFIX/etc/ezjail/ and /etc/fstab.*

Flavours were intended to be community provided. But once I install a
foreign flavour, I want to make sure that every explosion that may
possibly occur, happens inside the jail's container.

There exist third-party tools allowing automation of many ezjail-admin
commands: https://github.com/tomster/ezjail-remote. It is written in a
scripting language and can be executed from your desktop system. So I
consider it to be much more suited to control an automated setup of
multiple jails.

Regards,

  erdgeist