From owner-freebsd-questions@freebsd.org Thu Dec 24 19:55:21 2020
Date: Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
From: Ameya Deshpande
To: "freebsd-questions@freebsd.org", Ihor Antonov
Message-ID: <1687992626.3246491.1608839712067@mail.yahoo.com>
In-Reply-To: <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family>
Subject: Re: Network namespaces in FreeBSD

Hi to all,

Thanks a lot. I have learnt a lot. It seems VNET jails was something I was looking for my work. I'll keep investigating further.

Thanks,
Ameya Deshpande

On Thursday, 24 December, 2020, 10:22:46 pm IST, Ihor Antonov wrote:

On 12/24/20 8:22 AM, Arthur Chance wrote:
>>> Wouldn't a VNET jail rooted at / effectively be that?
>>>
>>
>> Last time I played with jails setting jail's root to '/' was not allowed
>> for some reason. I don't remember exact error message though.
>
> I think that must have changed. Using a jail rooted at / used to be the
> recommended way of preventing rpcbind's wildcard listen from being a
> security loophole. You have inspired in me a desire to play again
> I do remember that you can't nullfs mount / under itself.
>
>> I remember that I ended up null-mounting every directory in / (like bin,
>> sbin, etc,) to jail's root directory, and that was quite painful to do
>> manually.
>
> I'm increasingly thinking that the file system layout needs a rethink to
> be able to handle jails and minimal app style devices like firewalls.
> Sadly inertia (and standards) will prevent that from happening.

Yes, there are some pain points with Jails, especially if we try to simulate some nice features from Linux world.
Here are some of my pain points:

- we can't null-mount a single file (useful to inject configs or sockets; linux has mount --bind for that)
- combining with jail's root on / it would be nice to be able to make some parts of the tree read-only for the jail (or even hide them)

Fixing things like these would make it a lot easier and attractive to build container orchestration systems on FreeBSD, or get better security to run applications that need root. But I think it is not too much, it can be fixed. I feel that dynamics of FreeBSD development is shifting a bit lately, so I stay hopeful.

I'd say that we need to collect all the use-cases where people feel pain using jails and write it down somewhere on wiki. It would be a nice starting point.

Ihor

_______________________________________________
freebsd-questions@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

From owner-freebsd-questions@freebsd.org Thu Dec 24 20:19:57 2020
Date: Thu, 24 Dec 2020 20:19:45 +0000
From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Cc: Ameya Deshpande
Subject: Re: Network namespaces in FreeBSD
Message-Id: <20201224201945.c8ce7c55c1ce68d729805a64@sohara.org>
In-Reply-To: <1687992626.3246491.1608839712067@mail.yahoo.com>

On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
Ameya Deshpande via freebsd-questions wrote:

> - we can't null-mount a single file (useful to inject configs or
> sockets; linux has mount --bind for that)
> - combining with jail's root on / it would be nice to be able to make
> some parts of the tree read-only for the jail (or even hide them)

There's a half-formed idea which keeps coming back to me not really well enough formed to do anything with - imagine being able to do something like this:

pkg jail nginx --jail webserver-3 --ip4addr ...

and obtain a jail with just enough in it to run nginx (or whatever package you choose) and nothing else - by that I mean not a base system with the necessary packages but a system stripped of everything but the dependencies of the application - if the application doesn't need ls then ls isn't there.

--
Steve O'Hara-Smith
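As an added example (not from the thread, and not Ihor's or Steve's own setup), here is a jail.conf(5) entry that does declaratively what Ihor describes doing by hand: it null-mounts the host's base directories read-only into an otherwise empty jail root, which also gives a crude version of Steve's "nothing the application doesn't need" jail, since whatever is not mounted does not exist inside the jail. The jail name, the paths under /jails and the epair interface name are assumptions.

```conf
# Added example: a VNET jail whose root is an empty directory populated only
# by read-only nullfs views of selected host directories. Assumed names:
# "webserver", /jails/webserver, /jails/etc/webserver, /jails/var/webserver,
# and the epair0b interface.
webserver {
    # Empty directory that becomes the jail root; the mounts below must have
    # their target directories created under it before the jail starts.
    path = "/jails/webserver";
    host.hostname = "webserver.example.invalid";

    # Own network stack (VNET) with one end of an epair attached.
    vnet;
    vnet.interface = "epair0b";

    # Read-only nullfs views of the host's base system, one fstab(5)-format
    # line each. "ro" is what makes the subtree read-only for the jail, and
    # any host directory not listed here is simply invisible inside it.
    mount += "/bin        $path/bin        nullfs ro 0 0";
    mount += "/sbin       $path/sbin       nullfs ro 0 0";
    mount += "/lib        $path/lib        nullfs ro 0 0";
    mount += "/libexec    $path/libexec    nullfs ro 0 0";
    mount += "/usr/bin    $path/usr/bin    nullfs ro 0 0";
    mount += "/usr/lib    $path/usr/lib    nullfs ro 0 0";
    mount += "/usr/local  $path/usr/local  nullfs ro 0 0";

    # Writable, per-jail trees. nullfs cannot mount a single file, so the
    # jail's config lives in a private /etc copy rather than being injected
    # file by file; /var holds logs and pid files; /tmp is a fresh tmpfs.
    mount += "/jails/etc/webserver $path/etc nullfs rw 0 0";
    mount += "/jails/var/webserver $path/var nullfs rw 0 0";
    mount += "tmpfs $path/tmp tmpfs rw,mode=01777 0 0";

    # devfs with the standard jail ruleset; no other host devices are visible.
    mount.devfs;
    devfs_ruleset = 4;

    # Start the one service the jail exists for, not a full rc boot.
    exec.start = "/usr/local/etc/rc.d/nginx onestart";
    exec.stop  = "/usr/local/etc/rc.d/nginx onestop";
}
```

Because the nullfs mounts are performed by the host before the jail starts, the jail itself needs no mount privileges, and a process inside it cannot remount the read-only subtrees writable.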