WIP: mapping from jail config
dfr committed May 2, 2024
1 parent 47d2e47 commit cc55828
Showing 1 changed file with 93 additions and 0 deletions.
93 changes: 93 additions & 0 deletions docs/proposals/PROPOSAL_A.md
@@ -41,6 +41,99 @@ The following parameters can be specified for for the container jail:
* **`nfsd`** *(bool, OPTIONAL)* - Allow the jail to act as an NFS server.
* **`reservedPorts`** *(bool, OPTIONAL)* - Allow the jail to bind to ports lower than 1024.
* **`suser`** *(bool, OPTIONAL)* - The value of the jail's security.bsd.suser_enabled sysctl. The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default.

### Mapping from jail(8) config file

This table shows how to map settings from a typical jail(8) config file to the proposed JSON format.

| Jail parameter | JSON equivalent |
|----------------|----------------------|
| jid | - |
|----------------|----------------------|
| name | see below |
|----------------|----------------------|
| path | root.path |
|----------------|----------------------|
| ip4.addr | freebsd.jail.ip4Addr |
|----------------|----------------------|
| ip4.saddrsel | - |
|----------------|----------------------|
| ip4 | freebsd.jail.ip4 |
|----------------|----------------------|
| ip6.addr | freebsd.jail.ip6Addr |
|----------------|----------------------|
| ip6.saddrsel | - |
|----------------|----------------------|
| ip6 | freebsd.jail.ip6 |
|----------------|----------------------|
| vnet | freebsd.jail.vent |
|----------------|----------------------|
| host.hostname | hostname |
|----------------|----------------------|
| host.hostname | hostname |
|----------------|----------------------|
| host | freebsd.jail.host |
|----------------|----------------------|
| sysvmsg | freebsd.jail.sysvmsg |
|----------------|----------------------|
| sysvsem | freebsd.jail.sysvsem |
|----------------|----------------------|
| sysvshm | freebsd.jail.sysvshm |
|----------------|----------------------|
| securelevel | - |
|----------------|----------------------|
| devfs_ruleset | see below |
|----------------|----------------------|
| children.max | see below |
|----------------|----------------------|
| enforce_statfs | freebsd.jail.enforceStatfs |
|----------------|----------------------|
| persist | - |
|----------------|----------------------|
| parent | freebsd.jail.parent |
|----------------|----------------------|
| osrelease | - |
|----------------|----------------------|
| osreldate | - |
|----------------|----------------------|
| allow.set_hostname | freebsd.jail.allow.setHostname |
|----------------|----------------------|
| allow.sysvipc | freebsd.jail.allow.sysvipc |
|----------------|----------------------|
| allow.raw_sockers | freebsd.jail.allow.rawSockets |
|----------------|----------------------|
| allow.chflags | freebsd.jail.allow.chflags |
|----------------|----------------------|
| allow.mount | freebsd.jail.allow.mount |
|----------------|----------------------|
| allow.quotas | freebsd.jail.allow.quotas |
|----------------|----------------------|
| allow.read_msgbuf | freebsd.jail.allow.readMsgbuf |
|----------------|----------------------|
| allow.socket_af | freebsd.jail.allow.socketAf |
|----------------|----------------------|
| allow.mlock | freebsd.jail.allow.mlock |
|----------------|----------------------|
| allow.nfsd | freebsd.jail.allow.nfsd |
|----------------|----------------------|
| allow.reserved_ports | freebsd.jail.allow.reservedPorts |
|----------------|----------------------|
| allow.unprivileged_proc_debug | - |
|----------------|----------------------|
| allow.suser | freebsd.jail.allow.suser |
|----------------|----------------------|
| allow.mount.* | see below |
|----------------|----------------------|
| securelevel | - |
|----------------|----------------------|

The jail name is set to the create command's `container-id` argument.

The `devfs_ruleset` parameter is only required for jails which create new `devfs` mounts - typically OCI runtimes will mount `devfs` on the host.

The `children.max` parameter is managed by the OCI runtime e.g when a new container is added to a pod.

The `allow.mount.*` parameter set is extensible - this proposal suggests representing allowed mount types as an array. As with `devfs`, typically the OCI runtime will manage mounts for the container by performing mount operations on the host.

### Example
```json
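Review bot: The table uses `-` for several jail parameters, including the security-relevant `securelevel` and `allow.unprivileged_proc_debug`, but the notes after the table only explain the `see below` rows, so a reader cannot tell whether `-` means the parameter is unsupported, left at its default, or managed by the runtime; please add a sentence defining it. In the same table, `vnet` maps to `freebsd.jail.vent`, which looks like a typo for `vnet`, `allow.raw_sockers` should presumably read `allow.raw_sockets` to match `rawSockets`, and the `host.hostname` and `securelevel` rows each appear twice. The `|---|---|` separator repeated after every row is also not needed; Markdown tables take a single delimiter row under the header.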