Jail metadata feature
Links:
The main commit URL: https://cgit.freebsd.org/src/commit/?id=30e6e008bc06385a66756bebb41676f4f9017eca
Contact: Igor Ostapenko <igoro@FreeBSD.org>
Contact: Dave Cottlehuber <dch@FreeBSD.org>
The meta and env new parameters of
jail(8) have been introduced. Each one is an arbitrary string
associated with a jail. It can be set upon jail creation or
added/modified later:
# jail -cm ... meta="tag1=value1 tag2=value2" env="configuration"
The values are not inherited from the parent jail. A parent jail
can read both metadata parameters, while a child jail can read only
env via the newly added security.jail.env
sysctl.
The maximum size of meta or env per
jail is controlled by the global
security.jail.meta_maxbufsize sysctl. Decreasing it
does not alter the existing meta information.
Each metadata buffer can optionally be handled as a set of
key=value\n strings:
# jail -cm ... meta="$(echo k1=v1; echo k2=v2)" env.1=one # jls meta.k2 env.1 meta.k1
While meta.k1="" or meta.k1= resets
the value to an empty string, the meta.k1 without the
equal sign removes the given key. The flua’s libjail has been
updated respectively to support the key-based handling.
Sponsor: SkunkWerks GmbH
Last modified on: April 8, 2025 by Igor Ostapenko