From owner-freebsd-jail@FreeBSD.ORG Sun Jul 27 00:08:11 2014
Date: Sat, 26 Jul 2014 18:08:09 -0600 (MDT)
From: Warren Block
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Additional devfs rulesets

On Sat, 26 Jul 2014, Warren Block wrote:

> If devfs accepted an optional file parameter, additional rulesets could be
> defined with for
> each jail. There might be security implications with that.

Actually, it looks like that can be done. devfs_rulesets_from_file() in
/etc/rc.subr has a parser, and evaluates all files defined in
$devfs_rulesets. By default, that is just /etc/defaults/devfs.rules and
/etc/devfs.rules. ezjail could just append a third file there, maybe
/usr/local/etc/ezjail/jailname-devfs.rules. Or even more elegantly, a
here-doc from inside the ezjail/jailname file.

From owner-freebsd-jail@FreeBSD.ORG Tue Jul 29 21:44:47 2014
Date: Tue, 29 Jul 2014 15:44:44 -0600 (MDT)
From: Warren Block
To: freebsd-jail@FreeBSD.org
Subject: ezjail and mergemaster

This is tangential to my earlier changes to mergemaster.

I'm working on an ezjail addition for the Handbook. The update section
shows both source and binary updates.

For source, ezjail-admin update -b on the host does a
buildworld;installworld on the basejail.

For binary, ezjail-admin update -r on the host uses freebsd-update to
update the basejail.

mergemaster is used after either on a real machine. By default, the
ezjail basejail does not even have a copy of the source, making running
mergemaster from inside the jail a bit difficult.

What process for running mergemaster should I suggest? Maybe different
ones for trusted and untrusted jails?

The host can update trusted jails:
   mergemaster -U -D /usr/jails/jailname

(It might not be safe to consider any jail "trusted".)

The untrusted procedure is a lot fuzzier to me. Mount /usr/src on the
basejail, then only run mergemaster from inside the jails? Is there a
good way? Or a standard way?

As with other things for the Handbook, we should be showing best
practices. What is the best practice for mergemaster on any random
jail, trying to conserve disk space as much as is safely possible?
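For the idea in the "Additional devfs rulesets" message above (appending a per-jail file to $devfs_rulesets): devfs ruleset numbers are shared by the whole host, so a per-jail file that reuses a number already defined in an earlier file changes a ruleset other jails may depend on. The check below is an added example, not code from the thread, ezjail or rc.subr; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ruleset numbers defined more than once across the
# files that would be listed in $devfs_rulesets.

# list_rulesets FILE...: print "number name file" for each [name=number] header.
list_rulesets() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop comments and whitespace, then keep only ruleset headers.
        sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$f" |
            sed -n 's/^\[\([A-Za-z_][A-Za-z0-9_]*\)=\([0-9][0-9]*\)\]$/\2 \1/p' |
            while read -r num name; do
                echo "$num $name $f"
            done
    done
}

# duplicate_rulesets FILE...: print each ruleset number that has more than
# one header, one per line, in numeric order.
duplicate_rulesets() {
    list_rulesets "$@" |
        awk '{ seen[$1]++ } END { for (n in seen) if (seen[n] > 1) print n }' |
        sort -n
}

# Constructed sample files (not copied from a real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/defaults-devfs.rules" <<'EOF'
# stands in for /etc/defaults/devfs.rules
[devfsrules_hide_all=1]
add hide
[devfsrules_jail=4]
add include $devfsrules_hide_all
EOF
cat > "$demo_dir/jailname-devfs.rules" <<'EOF'
# stands in for a per-jail file appended to $devfs_rulesets
# constructed collision: number 4 is already taken above
[devfsrules_jailname=4]
add include $devfsrules_jail
[devfsrules_jailname_tun=10]
add path 'tun*' unhide
EOF

list_rulesets "$demo_dir"/*.rules
echo "duplicated ruleset numbers: $(duplicate_rulesets "$demo_dir"/*.rules)"
```

Run it over the real file list before adding a new per-jail file; any number it prints needs renumbering in the new file.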
From owner-freebsd-jail@FreeBSD.ORG Tue Jul 29 22:22:23 2014
Date: Tue, 29 Jul 2014 18:16:35 -0400
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: ezjail and mergemaster

On 2014-07-29 17:44, Warren Block wrote:
> This is tangential to my earlier changes to mergemaster.
>
> I'm working on an ezjail addition for the Handbook. The update section
> shows both source and binary updates.
>
> For source, ezjail-admin update -b on the host does a
> buildworld;installworld on the basejail.
>
> For binary, ezjail-admin update -r on the host uses freebsd-update to
> update the basejail.
>
> mergemaster is used after either on a real machine. By default, the
> ezjail basejail does not even have a copy of the source, making running
> mergemaster from inside the jail a bit difficult.
>
> What process for running mergemaster should I suggest? Maybe different
> ones for trusted and untrusted jails?
>
> The host can update trusted jails:
>   mergemaster -U -D /usr/jails/jailname
>
> (It might not be safe to consider any jail "trusted".)
>
> The untrusted procedure is a lot fuzzier to me. Mount /usr/src on the
> basejail, then only run mergemaster from inside the jails? Is there a
> good way? Or a standard way?
>
> As with other things for the Handbook, we should be showing best
> practices. What is the best practice for mergemaster on any random
> jail, trying to conserve disk space as much as is safely possible?

This will mount /usr/src into the basejail read-only:

mount -t nullfs -o ro /usr/src /usr/jails/basejail/usr/src

--
Allan Jude
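A host-side check that goes with the read-only mount in the reply above, generalized to every nullfs mount below the jail root: it lists the ones a jail could write through. This is an added example, not part of the thread; the function names, the sample mount table and the jail "otherjail" are constructed.

```shell
#!/bin/sh
# Added example: list nullfs mounts below a jail root that are not read-only.

# writable_nullfs_under PREFIX: read fstab-format lines (the layout printed
# by FreeBSD's `mount -p`) on stdin and print "source mountpoint" for every
# nullfs mount below PREFIX whose option list lacks "ro".
writable_nullfs_under() {
    awk -v prefix="${1%/}/" '
        $3 == "nullfs" && index($2, prefix) == 1 {
            ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "ro") ro = 1
            if (!ro) print $1, $2
        }'
}

# Constructed mount table; "otherjail" is a hypothetical second jail.
sample_mounts() {
    cat <<'EOF'
/dev/ada0p2 / ufs rw 1 1
/usr/jails/basejail /usr/jails/jailname/basejail nullfs ro 0 0
/usr/src /usr/jails/basejail/usr/src nullfs ro 0 0
/usr/src /usr/jails/otherjail/usr/src nullfs rw,noatime 0 0
EOF
}

sample_mounts | writable_nullfs_under /usr/jails
```

On a FreeBSD host, feed it the live table with `mount -p | writable_nullfs_under /usr/jails`; no output means every nullfs mount under the jail root is read-only.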