Jail metadata feature
Links:
The main commit URL: https://cgit.freebsd.org/src/commit/?id=30e6e008bc06385a66756bebb41676f4f9017eca
Contact: Igor Ostapenko <igoro@FreeBSD.org>
Contact: Dave Cottlehuber <dch@FreeBSD.org>
The meta and env new parameters of jail(8) have been introduced.
Each one is an arbitrary string associated with a jail.
It can be set upon jail creation or added/modified later:
# jail -cm ... meta="tag1=value1 tag2=value2" env="configuration"
The values are not inherited from the parent jail.
A parent jail can read both metadata parameters, while a child jail can read only env via the newly added security.jail.env sysctl.
The maximum size of meta or env per jail is controlled by the global security.jail.meta_maxbufsize sysctl.
Decreasing it does not alter the existing meta information.
Each metadata buffer can optionally be handled as a set of key=value\n strings:
# jail -cm ... meta="$(echo k1=v1; echo k2=v2)" env.1=one # jls meta.k2 env.1 meta.k1
While meta.k1="" or meta.k1= resets the value to an empty string, the meta.k1 without the equal sign removes the given key.
The flua’s libjail has been updated respectively to support the key-based handling.
Sponsor: SkunkWerks GmbH
Last modified on: April 8, 2025 by Igor Ostapenko