-
Notifications
You must be signed in to change notification settings - Fork 331
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Status/2023Q2/service-jails.adoc: Fixes
Approved by: carlavilla (mentor, implicit) Pull Request: #211
- Loading branch information
1 parent
639340b
commit 2fbddac
Showing
1 changed file
with
9 additions
and
10 deletions.
There are no files selected for viewing
19 changes: 9 additions & 10 deletions
19
website/content/en/status/report-2023-04-2023-06/service-jails.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,27 +1,26 @@ | ||
| === Service Jails - automatic jailing of rc.d services | ||
| === Service Jails -- automatic jailing of rc.d services | ||
|
|
||
| Links: + | ||
|
|
||
| link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] + | ||
| link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + | ||
| link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] | ||
|
|
||
| Contact: Alexander Leidinger <netchild@FreeBSD.org> | ||
|
|
||
| Service Jails are an extension to the rc system which allows automatic jailing of rc.d services. | ||
| Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. | ||
| Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). | ||
| Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. | ||
| A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. | ||
| Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). | ||
|
|
||
| If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have | ||
| If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: | ||
| ---- | ||
| local_unbound_svcj_options=net_basic | ||
| local_unbound_svcj=YES | ||
| ---- | ||
|
|
||
| While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user. | ||
| While this does not have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup, while providing some of the security benefits of a jail like hiding other processes of the same user. | ||
|
|
||
| The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019]. | ||
| The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8]. | ||
| The main difference is that an ENV variable is used to do more rational tracking and as such, requires a change to man:service[8]. | ||
|
|
||
| My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of 14-stable (which may have happened already when you read this). | ||
| I will not commit link:https://reviews.freebsd.org/D40370[D40370] and link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both would benefit of some more eyes looking at them. | ||
| My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of `stable/14`. | ||
| I will not commit link:https://reviews.freebsd.org/D40370[D40370] or link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both will benefit from more eyes. |