freebsd-ports/sysutils/qjail/pkg-descr

Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail
system that includes security and performance enhancements. Plus a new level
of "user friendliness" enhancements dealing with deploying just a few jails or
large scale jail environments consisting of 100's of jails.

This version of qjail uses the jail(8) jail.conf method. This provides the 
ability to enable the following options on a per-jail basis. exec.fib, 
securelevel, allow.sysvipc, devfs_rulesets, allow.raw_sockets, allow.quotas,
allow.mount.nullfs, allow.mount.tmpfs, allow.mount.zfs, vnet.interface, and 
vnet. The vnet option gives a jail its own network stack using the experimental
vimage kernel module. This qjail version is not intended for RELEASES older than
RELEASE-9.2. The vnet option has only been tested on i386 and amd64 equipment.

Qjail requires no knowledge of the jail command usage. It uses "nullfs" for
read-only system executables, sharing one copy of them with all the jails.

Uses "mdconfig" to create sparse image jails. Sparse image jails provide a
method to limit the total disk space a jail can consume, while only occupying
the physical disk space of the sum size of the files in the image jail.

Ability to assign ip address with their network device name,
so aliases are auto created on jail start and auto removed on jail stop.

Ability to create "ZONE"s of identical qjail systems, each with their own
group of jails.

Ability to designate a portion of the jail name as a group prefix so the
command being executed will apply to only those jail names matching that prefix.

Qjail has been incorporated into the Finch open source project, 
see http://dreamcat4.github.io/finch/ for details.

WWW: http://qjail.sourceforge.net/
Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail system that includes security and performance enhancements. Plus a new level of "user friendliness" enhancements dealing with deploying just a few jails or large jail environments consisting of 100's of jails. Qjail requires no knowledge of the jail command usage. It uses "nullfs" for read-only system binaries, sharing one copy of them with all the jails. Uses "mdconfig" to create sparse image jails. Sparse image jails provide a method to limit the total disk space a jail can consume, while only occupying the physical disk space of the sum size of the files in the image jail. Ability to assign ip address with their network device name, so aliases are auto created on jail start and auto removed on jail stop. Ability to create "ZONE"s of identical qjail systems, each with their own group of jails. Ability to designate a portion of the jail name as a group prefix so the command being executed will apply to only those jail names matching that prefix. WWW: http://sourceforge.net/projects/qjail/ http://qjail.sourceforge.net/ PR: ports/148777 Submitted by: Joe Barbish <joeb@a1poweruser.com> Approved by: rene (mentor) 2011-06-11 23:22:20 +02:00			`Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail`
			`system that includes security and performance enhancements. Plus a new level`
			`of "user friendliness" enhancements dealing with deploying just a few jails or`
sysutils/qjail: upgrade 3.2 -> 3.3 1. Fix typo in qjail.8 manual. Change "See jailip below" to "See -4 option" 2. Fix typo in qjail-howto.8 manual as per PR# 186269. Change a comma , inside of ip address to a . period. 73.x.97,51,10.0.10.126 to 73.x.97.51,10.0.10.126 3. Change qjail.portsnap.conf, remove index-6 index-7 index-8 statements replace index-9 with index-10 4. Removed rcvar=`set_rcvar` statement from qjail.bootime script. In Release 10.0 its no longer included in the rc.d scripts and was causing a non-harmful bogus boot time message. But this de-activated the ability to control the selection of boot time starting of jails using the qjail_enable="YES" statement in the hosts /etc/rc.conf. Put rcvar="qjail_enable" in qjail.bootime script and things work as exspected. 5. Correct coding bug in archive logic to archive sharedfs per zone. 6. Correct coding bug for Sanity check to see if any jails are running. 7. Changed "qjail install" logic to check that this version of qjail only runs on release-10.0. This is due to unique properties of jail(8) & rc.d that are not in 9.2 and older releases. 8. Changed "qjail create" and "qjail config" logic to check if the -4 and/or -6 IP address are prefixed with "<if_device>\|" and/or suffixed with "/<netmask>" values. jail(8) says this is valid syntax, but its NOT allowed as valid syntax to qjail. 9. Changed "qjail create" logic to check if no -n value was entered. If not then populate the -n value with the interface default nic device name obtained from route command. This is now the automatic default behavior. The default interface is the one connected to the public internet. This shortens the "qjail create command" and forces the use of the automatic creation and deletation of the alias for the jails IP address on that "network interface name". Made appropriate changes to qjail.8 man page documentation. 10. Changed "qjail create" logic to target another zones archives as input source. Now you can use any zones archive file as a template to create a new jail using the existing -a option. New -A option is coded with the zone name of the target archive file name populating the -a value. Made appropriate changes to qjail.8 man page documentation. 11. Added -S option to "qjail update" This option will copy the hosts /usr/src filesystem to sharedfs/usr/src to be shared among all the jails. Made appropriate changes to qjail.8 man page documentation. 12. Add -P option to "qjail update" This option will copy the hosts /usr/ports filesystem to sharedfs/usr/ports to be shared among all the jails. Made appropriate changes to qjail.8 man page documentation. 13. The long time jail(8) bug since 9.1 that deals with the jails /dev directory which allowed the jail to access things jail should be restricted from became fixed with 10.0-RELEASE-p2. The hosts /etc/defaults/rc.conf devfs_load_rulesets="NO" changed to devfs_load_rulesets="YES" Removed the jail.conf work-a-round statments from the qjail script build_config_def routine as they are no longer needed. 14. Converted the Port's Makefile to do "stageing". PR: ports/189120 Submitted by: Joe Barbish (maintainer) Approved by: culot (mentor) 2014-05-15 12:40:19 +02:00			`large scale jail environments consisting of 100's of jails.`
Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail system that includes security and performance enhancements. Plus a new level of "user friendliness" enhancements dealing with deploying just a few jails or large jail environments consisting of 100's of jails. Qjail requires no knowledge of the jail command usage. It uses "nullfs" for read-only system binaries, sharing one copy of them with all the jails. Uses "mdconfig" to create sparse image jails. Sparse image jails provide a method to limit the total disk space a jail can consume, while only occupying the physical disk space of the sum size of the files in the image jail. Ability to assign ip address with their network device name, so aliases are auto created on jail start and auto removed on jail stop. Ability to create "ZONE"s of identical qjail systems, each with their own group of jails. Ability to designate a portion of the jail name as a group prefix so the command being executed will apply to only those jail names matching that prefix. WWW: http://sourceforge.net/projects/qjail/ http://qjail.sourceforge.net/ PR: ports/148777 Submitted by: Joe Barbish <joeb@a1poweruser.com> Approved by: rene (mentor) 2011-06-11 23:22:20 +02:00
Upgrade to 3.6. 1. Add allow.mount.tmpfs parameter to build-jail.conf routine. Check if kernel tmpfs.ko has been loaded to host and if not then issue "kldload tmpfs" command. 2. Add code to config logic for lower case t to enable allow.mount.tmpfs parameter and upper case T to disable allow.mount.tmpfs parameter. 3. Remove -l null as method to disable nullfs and replace with upper case L to to disable nullfs. 4. Add upper case S to disable lower case s option. 5. Remove -w null as method to disable and replace with upper case W to to disable. 6. Fix fib -f parameter so it now works as wanted. 7. Comment out code for setcpu parameter as jail(8) now has bug about it. 8. Remove -w null as method to disable vnet interface parameter and replace with upper case W to disable it. 9. Make appropriate changes to man qjail.8 file. 10. Change good os version from 93 to 92. 11. Make appropriate changes to qjail.bootime script. PR: ports/192220 Submitted by: maintainer 2014-07-29 05:46:20 +02:00			`This version of qjail uses the jail(8) jail.conf method. This provides the`
			`ability to enable the following options on a per-jail basis. exec.fib,`
			`securelevel, allow.sysvipc, devfs_rulesets, allow.raw_sockets, allow.quotas,`
			`allow.mount.nullfs, allow.mount.tmpfs, allow.mount.zfs, vnet.interface, and`
			`vnet. The vnet option gives a jail its own network stack using the experimental`
			`vimage kernel module. This qjail version is not intended for RELEASES older than`
			`RELEASE-9.2. The vnet option has only been tested on i386 and amd64 equipment.`
Update to version 3.0 PR: ports/179184 Submitted by: Joe Barbish <qjail@a1poweruser.com> (maintainer) 2013-06-03 00:13:33 +02:00
Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail system that includes security and performance enhancements. Plus a new level of "user friendliness" enhancements dealing with deploying just a few jails or large jail environments consisting of 100's of jails. Qjail requires no knowledge of the jail command usage. It uses "nullfs" for read-only system binaries, sharing one copy of them with all the jails. Uses "mdconfig" to create sparse image jails. Sparse image jails provide a method to limit the total disk space a jail can consume, while only occupying the physical disk space of the sum size of the files in the image jail. Ability to assign ip address with their network device name, so aliases are auto created on jail start and auto removed on jail stop. Ability to create "ZONE"s of identical qjail systems, each with their own group of jails. Ability to designate a portion of the jail name as a group prefix so the command being executed will apply to only those jail names matching that prefix. WWW: http://sourceforge.net/projects/qjail/ http://qjail.sourceforge.net/ PR: ports/148777 Submitted by: Joe Barbish <joeb@a1poweruser.com> Approved by: rene (mentor) 2011-06-11 23:22:20 +02:00			`Qjail requires no knowledge of the jail command usage. It uses "nullfs" for`
Update to version 3.0 PR: ports/179184 Submitted by: Joe Barbish <qjail@a1poweruser.com> (maintainer) 2013-06-03 00:13:33 +02:00			`read-only system executables, sharing one copy of them with all the jails.`
Qjail [ q = quick ] is a 4th generation wrapper for the basic chroot jail system that includes security and performance enhancements. Plus a new level of "user friendliness" enhancements dealing with deploying just a few jails or large jail environments consisting of 100's of jails. Qjail requires no knowledge of the jail command usage. It uses "nullfs" for read-only system binaries, sharing one copy of them with all the jails. Uses "mdconfig" to create sparse image jails. Sparse image jails provide a method to limit the total disk space a jail can consume, while only occupying the physical disk space of the sum size of the files in the image jail. Ability to assign ip address with their network device name, so aliases are auto created on jail start and auto removed on jail stop. Ability to create "ZONE"s of identical qjail systems, each with their own group of jails. Ability to designate a portion of the jail name as a group prefix so the command being executed will apply to only those jail names matching that prefix. WWW: http://sourceforge.net/projects/qjail/ http://qjail.sourceforge.net/ PR: ports/148777 Submitted by: Joe Barbish <joeb@a1poweruser.com> Approved by: rene (mentor) 2011-06-11 23:22:20 +02:00
			`Uses "mdconfig" to create sparse image jails. Sparse image jails provide a`
			`method to limit the total disk space a jail can consume, while only occupying`
			`the physical disk space of the sum size of the files in the image jail.`

			`Ability to assign ip address with their network device name,`
			`so aliases are auto created on jail start and auto removed on jail stop.`

			`Ability to create "ZONE"s of identical qjail systems, each with their own`
			`group of jails.`

			`Ability to designate a portion of the jail name as a group prefix so the`
			`command being executed will apply to only those jail names matching that prefix.`

Upgrade to 3.6. 1. Add allow.mount.tmpfs parameter to build-jail.conf routine. Check if kernel tmpfs.ko has been loaded to host and if not then issue "kldload tmpfs" command. 2. Add code to config logic for lower case t to enable allow.mount.tmpfs parameter and upper case T to disable allow.mount.tmpfs parameter. 3. Remove -l null as method to disable nullfs and replace with upper case L to to disable nullfs. 4. Add upper case S to disable lower case s option. 5. Remove -w null as method to disable and replace with upper case W to to disable. 6. Fix fib -f parameter so it now works as wanted. 7. Comment out code for setcpu parameter as jail(8) now has bug about it. 8. Remove -w null as method to disable vnet interface parameter and replace with upper case W to disable it. 9. Make appropriate changes to man qjail.8 file. 10. Change good os version from 93 to 92. 11. Make appropriate changes to qjail.bootime script. PR: ports/192220 Submitted by: maintainer 2014-07-29 05:46:20 +02:00			`Qjail has been incorporated into the Finch open source project,`
			`see http://dreamcat4.github.io/finch/ for details.`

- Update to 2.2 - Unrestrict - license issue has been resolved PR: ports/178186 Submitted by: Joe Barbish <qjail@a1poweruser.com> (maintainer) 2013-04-26 23:25:52 +02:00			`WWW: http://qjail.sourceforge.net/`