From owner-freebsd-jail@freebsd.org Wed Jan 16 20:35:59 2019 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7F35B149476F for ; Wed, 16 Jan 2019 20:35:59 +0000 (UTC) (envelope-from mwlucas@mail.michaelwlucas.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id F238986415 for ; Wed, 16 Jan 2019 20:35:58 +0000 (UTC) (envelope-from mwlucas@mail.michaelwlucas.com) Received: by mailman.ysv.freebsd.org (Postfix) id B2ECB149476E; Wed, 16 Jan 2019 20:35:58 +0000 (UTC) Delivered-To: jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9E144149476C for ; Wed, 16 Jan 2019 20:35:58 +0000 (UTC) (envelope-from mwlucas@mail.michaelwlucas.com) Received: from mail.michaelwlucas.com (mail.michaelwlucas.com [104.236.197.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2AA5F86414 for ; Wed, 16 Jan 2019 20:35:58 +0000 (UTC) (envelope-from mwlucas@mail.michaelwlucas.com) Received: from mail.michaelwlucas.com (localhost [127.0.0.1]) by mail.michaelwlucas.com (8.15.2/8.15.2) with ESMTP id x0GKZlCu054518 for ; Wed, 16 Jan 2019 15:35:47 -0500 (EST) (envelope-from mwlucas@mail.michaelwlucas.com) Received: (from mwlucas@localhost) by mail.michaelwlucas.com (8.15.2/8.15.2/Submit) id x0GKZlcI054517 for jail@freebsd.org; Wed, 16 Jan 2019 15:35:47 -0500 (EST) (envelope-from mwlucas) Date: Wed, 16 Jan 2019 15:35:47 -0500 From: "Michael W. Lucas" To: jail@freebsd.org Subject: jail-safe filesystems Message-ID: <20190116203547.GA54482@mail.michaelwlucas.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.2 (mail.michaelwlucas.com [127.0.0.1]); Wed, 16 Jan 2019 15:35:50 -0500 (EST) X-Rspamd-Queue-Id: 2AA5F86414 X-Spamd-Bar: ++++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [4.62 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.87)[0.870,0]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[jail@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; MX_GOOD(-0.01)[cached: mail.michaelwlucas.com]; NEURAL_SPAM_LONG(1.00)[0.999,0]; DMARC_NA(0.00)[michaelwlucas.com]; NEURAL_SPAM_MEDIUM(1.00)[0.996,0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[mwlucas@michaelwlucas.com,mwlucas@mail.michaelwlucas.com]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:14061, ipnet:104.236.192.0/18, country:US]; FROM_NEQ_ENVFROM(0.00)[mwlucas@michaelwlucas.com,mwlucas@mail.michaelwlucas.com]; IP_SCORE(0.56)[asn: 14061(2.90), country: US(-0.08)] X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Jan 2019 20:35:59 -0000 Hi! I'm writing about filesystems and jails right now, and the docs have me wondering: Filesystems marked with "jail" in lsvfs(8) are safe to use inside jails. Cool. Is this an "absolutely do not use others within jails" statement, or is it "don't manage these from jails" rule? Can I leave enforce_statfs=2 but, say, have the host mount md0 as /tmp for the jail? I *think* it's an absolute prohibition, but want to be sure before I declare it to be so. It's the sort of thing I'll get complaints about if I'm wrong. Thanks, ==ml -- Michael W. Lucas https://mwl.io/ author of: Absolute OpenBSD, SSH Mastery, git commit murder, Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc... From owner-freebsd-jail@freebsd.org Thu Jan 17 04:24:32 2019 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B460414A6766 for ; Thu, 17 Jan 2019 04:24:32 +0000 (UTC) (envelope-from kib@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 53B8070D83 for ; Thu, 17 Jan 2019 04:24:32 +0000 (UTC) (envelope-from kib@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id 1771C14A6765; Thu, 17 Jan 2019 04:24:32 +0000 (UTC) Delivered-To: jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 05F4714A6764 for ; Thu, 17 Jan 2019 04:24:32 +0000 (UTC) (envelope-from kib@freebsd.org) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D85C70D82 for ; Thu, 17 Jan 2019 04:24:31 +0000 (UTC) (envelope-from kib@freebsd.org) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id x0H4OMYR053559 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 17 Jan 2019 06:24:25 +0200 (EET) (envelope-from kib@freebsd.org) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua x0H4OMYR053559 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id x0H4OLnf053558; Thu, 17 Jan 2019 06:24:21 +0200 (EET) (envelope-from kib@freebsd.org) X-Authentication-Warning: tom.home: kostik set sender to kib@freebsd.org using -f Date: Thu, 17 Jan 2019 06:24:21 +0200 From: Konstantin Belousov To: "Michael W. Lucas" Cc: jail@freebsd.org Subject: Re: jail-safe filesystems Message-ID: <20190117042421.GK26174@kib.kiev.ua> References: <20190116203547.GA54482@mail.michaelwlucas.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190116203547.GA54482@mail.michaelwlucas.com> User-Agent: Mutt/1.11.2 (2019-01-07) X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tom.home X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jan 2019 04:24:32 -0000 On Wed, Jan 16, 2019 at 03:35:47PM -0500, Michael W. Lucas wrote: > Hi! > > I'm writing about filesystems and jails right now, and the docs have > me wondering: > > Filesystems marked with "jail" in lsvfs(8) are safe to use inside > jails. Cool. > > Is this an "absolutely do not use others within jails" statement, or > is it "don't manage these from jails" rule? Can I leave > enforce_statfs=2 but, say, have the host mount md0 as /tmp for the jail? The mark 'safe to use inside jail' means that the mark author considered the marked filesystem robust enough to trust the mounting to untrusted jail root. For instance, the UFS metadata parsing is *not* robust enough to sustain trying to mount arbitrary bytes from a volume, or esp. a specially crafted malicious volumes. On the other hand, tmpfs is considered safe because it is synthetic and kernel manages all the (meta)data on its own, so the only thing that malicious jail root can do is a consumption of the host memory. That said, md0 is only a memory-disk device, which filesystem you put on it, is up to you. And, personally I recommend to use tmpfs for /tmp, not async UFS over swap-backed md(4). The advantage of the former is avoidance of double-copy and somewhat less locking overhead. > > I *think* it's an absolute prohibition, but want to be sure before I > declare it to be so. It's the sort of thing I'll get complaints about > if I'm wrong. > > Thanks, > ==ml > > -- > Michael W. Lucas https://mwl.io/ > author of: Absolute OpenBSD, SSH Mastery, git commit murder, > Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc... > _______________________________________________ > freebsd-jail@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" From owner-freebsd-jail@freebsd.org Sat Jan 19 14:40:56 2019 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2EED914AB967; Sat, 19 Jan 2019 14:40:56 +0000 (UTC) (envelope-from list1@gjunka.com) Received: from msa1.earth.yoonka.com (yoonka.com [88.98.225.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "msa1.earth.yoonka.com", Issuer "msa1.earth.yoonka.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 5A5D283F07; Sat, 19 Jan 2019 14:40:55 +0000 (UTC) (envelope-from list1@gjunka.com) Received: from crayon2.yoonka.com (crayon2.yoonka.com [10.70.7.20]) (authenticated bits=0) by msa1.earth.yoonka.com (8.15.2/8.15.2) with ESMTPSA id x0JEOSQO072499 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Sat, 19 Jan 2019 14:24:28 GMT (envelope-from list1@gjunka.com) To: freebsd-ports@freebsd.org, freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org From: Grzegorz Junka Subject: The status of docker Message-ID: <089e330d-2761-2440-3b7f-dd22e9088af5@gjunka.com> Date: Sat, 19 Jan 2019 14:24:28 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-GB-large X-Rspamd-Queue-Id: 5A5D283F07 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of list1@gjunka.com designates 88.98.225.149 as permitted sender) smtp.mailfrom=list1@gjunka.com X-Spamd-Result: default: False [-6.80 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip4:88.98.225.149]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[gjunka.com]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; IP_SCORE(-3.64)[ip: (-9.53), ipnet: 88.98.192.0/18(-4.77), asn: 56478(-3.81), country: GB(-0.09)]; MX_GOOD(-0.01)[cached: gjunka.com]; NEURAL_HAM_SHORT(-0.85)[-0.851,0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:56478, ipnet:88.98.192.0/18, country:GB]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Jan 2019 14:40:56 -0000 Hello, does anyone know the current status of docker on FreeBSD? Wiki https://wiki.freebsd.org/Docker states it's experimental. The last commit in https://github.com/kvasdopil/docker/tree/freebsd-compat is also from 2015. There in fact are two ports, freebsd-docker (from 2015) and docker (18.06). What's the difference between them and which one should I use to run docker images on FreeBSD host? Has this project been completed and now only needs testing, or has it been abandoned, or maybe the approach has changed and I am looking in a wrong place? Thanks, GrzegorzJ