Date:      Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
From:      Ameya Deshpande <ameyanrd@yahoo.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>,  Ihor Antonov <ihor@antonovs.family>
Subject:   Re: Network namespaces in FreeBSD
Message-ID:  <1687992626.3246491.1608839712067@mail.yahoo.com>
In-Reply-To: <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family>
References:  <SG2PR01MB2443D481AC24AF7207218E0EF1DE0.ref@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <SG2PR01MB2443D481AC24AF7207218E0EF1DE0@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <20201223182227.da6c11d3604eb07bb4f18ce5@sohara.org> <A577602D-C1A9-4B6E-822E-03641A4070A0@FreeBSD.org> <2581038e-fa0f-231d-ae33-1b42d50c8600@antonovs.family> <e59209c3-af09-68e9-c78d-ddf70909f354@qeng-ho.org> <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family> <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org> <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family>

Hi to all,
Thanks a lot. I have learnt a lot. It seems VNET jails were something I was looking for, for my work. I'll keep investigating further.
Thanks,
Ameya Deshpande
On Thursday, 24 December, 2020, 10:22:46 pm IST, Ihor Antonov <ihor@antonovs.family> wrote:

On 12/24/20 8:22 AM, Arthur Chance wrote:
>>> Wouldn't a VNET jail rooted at / effectively be that?
>>>
>>
>> Last time I played with jails setting jail's root to '/' was not allowed
>> for some reason. I don't remember exact error message though.
> 
> I think that must have changed. Using a jail rooted at / used to be the
> recommended way of preventing rpcbind's wildcard listen from being a
> security loophole.

You have inspired in me a desire to play again

> I do remember that you can't nullfs mount / under itself.
> 
>> I remember that I ended up null-mounting every directory in / (like bin,
>> sbin, etc,) to jail's root directory, and that was quite painful to do
>> manually.
> 
> I'm increasingly thinking that the file system layout needs a rethink to
> be able to handle jails and minimal app style devices like firewalls.
> Sadly inertia (and standards) will prevent that from happening.

Yes, there are some pain points with Jails, especially if we try to 
simulate some nice features from Linux world. Here are some of my pain 
points:

- we can't null-mount a single file (useful to inject configs or 
sockets; linux has mount --bind for that)
- combining with jail's root on / it would be nice to be able to make 
some parts of the tree read-only for the jail (or even hide them)

Fixing things like these would make it a lot easier and attractive to 
build container orchestration systems on FreeBSD, or get better security 
to run applications that need root.

But I think it is not too much, it can be fixed. I feel that dynamics of 
FreeBSD development is shifting a bit lately, so I stay hopeful.
I'd say that we need to collect all the use-cases where people feel pain 
using jails and write it down somewhere on wiki. It would be a nice 
starting point.


Ihor
_______________________________________________
freebsd-questions@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
  
Date:      Thu, 24 Dec 2020 20:19:45 +0000
From:      Steve O'Hara-Smith <steve@sohara.org>
To:        freebsd-questions@freebsd.org
Cc:        Ameya Deshpande <ameyanrd@yahoo.com>
Subject:   Re: Network namespaces in FreeBSD
Message-Id:  <20201224201945.c8ce7c55c1ce68d729805a64@sohara.org>
In-Reply-To: <1687992626.3246491.1608839712067@mail.yahoo.com>
References:  <SG2PR01MB2443D481AC24AF7207218E0EF1DE0.ref@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <SG2PR01MB2443D481AC24AF7207218E0EF1DE0@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <20201223182227.da6c11d3604eb07bb4f18ce5@sohara.org> <A577602D-C1A9-4B6E-822E-03641A4070A0@FreeBSD.org> <2581038e-fa0f-231d-ae33-1b42d50c8600@antonovs.family> <e59209c3-af09-68e9-c78d-ddf70909f354@qeng-ho.org> <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family> <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org> <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family> <1687992626.3246491.1608839712067@mail.yahoo.com>

On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
Ameya Deshpande via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> - we can't null-mount a single file (useful to inject configs or 
> sockets; linux has mount --bind for that)
> - combining with jail's root on / it would be nice to be able to make 
> some parts of the tree read-only for the jail (or even hide them)

	There's a half-formed idea which keeps coming back to me, not really
well enough formed to do anything with. Imagine being able to do something
like this:

pkg jail nginx --jail webserver-3 --ip4addr ...

	and obtain a jail with just enough in it to run nginx (or whatever
package you choose) and nothing else - by that I mean not a base system
with the necessary packages but a system stripped of everything but the
dependencies of the application - if the application doesn't need ls then
ls isn't there.

-- 
Steve O'Hara-Smith <steve@sohara.org>
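Added example, not code from any message in this thread: a shell script that puts Steve's "pkg jail" idea and the read-only-view wish quoted from Ihor together on a stock FreeBSD host. It builds a jail root that holds only one package and its pkg(8) dependencies, null-mounts the base system's loader, libraries and /sbin read-only from the host (packages link against base libc and ld-elf.so.1, which pkg does not ship, and a VNET jail's address has to be set from inside with ifconfig), writes a jail.conf(5) stanza for a VNET jail, and launches the daemon with jexec(8), because jail(8) runs exec.start through the jail's /bin/sh and the stripped root has none. The jail name, the /jails and /etc/jail.conf.d paths, epair0, the www user, the 192.0.2.10/24 address and the assumption that pkg -r uses the host's repository configuration are all choices made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build a minimal VNET jail whose root
# holds only one package and its pkg(8) dependencies, borrowing the base
# system's loader, libraries and /sbin read-only from the host. All paths,
# names and the address used here are assumptions for illustration.
set -eu

# Host directories the stripped root sees read-only. Packages link against
# base libc and ld-elf.so.1, which pkg does not ship, and a VNET jail's
# address is set from inside with ifconfig(8), so /sbin comes along too.
BASE_RO_DIRS="/libexec /lib /usr/lib /sbin"

# Print fstab(5) lines that null-mount each host directory read-only under
# ROOT. Mount points must be directories: nullfs cannot mount a single
# file, which is the gap raised in the thread versus Linux's mount --bind.
ro_fstab() {
    root=$1; shift
    for dir in "$@"; do
        printf '%s %s%s nullfs ro 0 0\n' "$dir" "$root" "$dir"
    done
}

# Print a jail.conf(5) stanza for a VNET jail attached to the "b" end of an
# epair the host creates beforehand. There is no exec.start: jail(8) runs
# it through the jail's /bin/sh, and this root has none.
jail_stanza() {
    name=$1; root=$2; epair=$3; fstab=$4
    cat <<EOF
$name {
    path = "$root";
    host.hostname = "$name";
    vnet;
    vnet.interface = "${epair}b";
    exec.prestart = "ifconfig $epair create; ifconfig ${epair}a up";
    exec.poststop = "ifconfig ${epair}a destroy";
    mount.fstab = "$fstab";
    mount.devfs;
    devfs_ruleset = 4;
    persist;
}
EOF
}

# Fill ROOT with PKG and its dependencies only, then add just enough /etc
# for the daemon's getpwnam()/getgrnam() lookups of USER.
build_root() {
    root=$1; pkg=$2; user=$3
    mkdir -p "$root/dev" "$root/etc" "$root/tmp" "$root/var/run" "$root/var/log"
    for dir in $BASE_RO_DIRS; do mkdir -p "$root$dir"; done   # nullfs mount points
    pkg -r "$root" install -y "$pkg"      # assumes the host's repo config applies
    {
        printf 'root:*:0:0::0:0:root:/:/usr/sbin/nologin\n'
        printf '%s:*:80:80::0:0:%s:/nonexistent:/usr/sbin/nologin\n' "$user" "$user"
    } > "$root/etc/master.passwd"
    pwd_mkdb -p -d "$root/etc" "$root/etc/master.passwd"
    printf 'wheel:*:0:root\n%s:*:80:\n' "$user" > "$root/etc/group"
}

# Usage: sh build-jail.sh nginx webserver-3 192.0.2.10/24 /usr/local/sbin/nginx
build_jail() {
    pkg=$1; name=$2; addr=$3; daemon=$4
    root=/jails/$name; fstab=/etc/fstab.$name; conf=/etc/jail.conf.d/$name.conf
    build_root "$root" "$pkg" www
    ro_fstab "$root" $BASE_RO_DIRS > "$fstab"
    mkdir -p /etc/jail.conf.d
    jail_stanza "$name" "$root" epair0 "$fstab" > "$conf"
    jail -f "$conf" -c "$name"
    jexec "$name" /sbin/ifconfig epair0b inet "$addr" up
    jexec "$name" "$daemon"               # execvp inside the jail, no shell needed
}

if [ "$#" -ge 4 ]; then build_jail "$1" "$2" "$3" "$4"; fi
```

Two things are deliberately left out: the host side of the epair (epair0a) still needs an address or a bridge member before traffic flows, and a given daemon may want runtime directories or /etc entries beyond the tiny ones created here; `pkg -r "$root" info -l "$pkg"` and `ldd` on the installed binary show what the package actually brings and what it expects from the base mounts. Because the jail's root is a separate directory rather than /, nothing of the host is visible except the four read-only mounts, the package tree under /usr/local and the generated /etc, which is what the "read-only or hidden parts of the tree" wish in the thread amounts to for this case.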

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1687992626.3246491.1608839712067>