Bug 233310

Summary: jails: Modularize configuration system (conf.d)
Product: Base System Reporter: rocky
Component: confAssignee: freebsd-jail (Nobody) <jail>
Status: Open ---    
Severity: Affects Some People CC: bch, daniel, driesm.michiels, hrs, jamie.baxter, jamie, joeb1, markj, reezer, sharky
Priority: --- Keywords: feature, needs-patch
Version: CURRENTFlags: koobs: mfc-stable13?
koobs: mfc-stable12?
Hardware: Any   
OS: Any   
See Also: https://reviews.freebsd.org/D24570

Description rocky 2018-11-19 05:28:50 UTC
The jail.conf system seems to be rather useful in and of itself, but given the approach of docker, xorg, openldap, and such, shouldn't this be easier to drop and replace config like in the conf.d format rather than appending the one conf file? I believe even rc has this approach available using rc.conf.d system.

This would make much more sense given that jails are individual objects in the system. Individual conf files allow quicker deployment, copy and modify, and updates to the individual jail rather than the whole conf file - especially by automation tools, where it is likely you'd want better protection to individual jails rather than bork the lot if something goes sideways if the one conf file is modified.
Comment 1 christian barthel 2018-12-25 17:32:18 UTC
(In reply to rocky from comment #0)

It seems that in FreeBSD 12.0, it is possible to have per-jail rc.conf files.  Perhaps, this might help you because the approach seems similar to conf.d.  Good examples can be found at /usr/share/examples/jails or at:
I haven't tested this myself, but while reading through the example, the "conf.d" style may be already possible in 12.0.
Comment 2 Christian Sturm 2019-01-20 13:09:56 UTC
I don't think it really is the same thing, as it seems that one is required
to use rc.conf. While that might be a workaround allowing something like

include /etc/jail.d/*.conf

or even:

include /usr/local/etc/jail.d/*.conf

would allow one to simply use a file system overlay or installing
a jail for example via a package without having to modify rc scripts.

In that regard it could behave similar to newsyslog.conf.d which recently
got a similar features allowing the same thing.

This might even benefit the ports system.

So while using rc.conf is a workaround /etc/rc.d/jail defaults to
just loading /etc/jail.conf and it would be nice for software that
is able to handle jail.conf(5) syntax to create (or parse) such
jail configuration files and not having to understand how /etc/rc.d
precisely parses options in the rc.conf.

It would be really helpful for third party software and automation
to have a setup similar to newsyslog.conf.d, where includes are
supported (the syntax above is just an example, maybe )
and per default - if enabled - looks in both /etc/ and /usr/local/etc.
Comment 3 Sebastian S 2019-07-04 11:30:26 UTC
/signed I think this would really improve jails . Moving jails around from one host to another is a pain.
Comment 4 Jamie Baxter 2020-08-31 18:53:52 UTC
/signed to Further support for this. Would significantly aid portability and transport of individual jails between systems.
Comment 5 Hiroki Sato freebsd_committer 2020-08-31 21:07:09 UTC
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-22 01:47:55 UTC
^Triage: Assignee timeout, reset.
Comment 7 Daniel Morante 2021-04-22 02:02:17 UTC
I would look to an official tool/process to appear in base.  In the mean time I created a tool for myself that (so far) has worked well for my use cases.  It's very crude, but does the job.

Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-05 03:00:12 UTC
^Triage: Antranig has a PoC/WIP in review, add references:

Comment 9 joeb1 2021-06-22 02:11:56 UTC
The function your talking about adding is all ready there in jail. There is no restriction in having more that a single jail.conf formatted file as in one for each jail on the host. All that is needed is a jail start command line to target each individual jail on the host. The jail command allows you to point to any file no matter its name as long as its formatted with jail statements.

The qjail utility uses this concept as the standard way of defining and running all it's non-vnet and vnet jails. Would like to see qjail become part of the base system. Comment 3 and comment 4 are also already handled in qjail.

And one thing no one has brought up before is that the jail parameters defined in the rc.conf file are depreciated and were scheduled to be removed in release 11 but are still being carried along forgotten.