From: JH Foo
Date: Tue, 31 Dec 2024 23:16:23 +0700
To: freebsd-jail@freebsd.org
Subject: jail services in podman
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Not sure if this is a jail or podman thing: I'm learning about running
apps in Podman, and the recommendation seems to be to include a CMD in
Containerfile/Dockerfile. When the binary called by the CMD ends, the
jail is stopped. In the example
(https://gitlab.com/bergblume/podman-caddy-on-freebsd/-/blob/master/caddy.yml?ref_type=heads),
Caddy is run daemonless using this technique.

My question is: in the world of sidecars is this still the right way to
execute long-running (e.g. API) services? I'm using Bastille now and I
set up Caddy (for example) as a service in /etc/rc.conf. Is this
considered an anti-pattern in Podman/OCI containers?

From: "Dave Cottlehuber"
Date: Thu, 02 Jan 2025 19:56:47 +0100
To: "JH Foo", freebsd-jail
Subject: Re: jail services in podman

On Tue, 31 Dec 2024, at 17:16, JH Foo wrote:
> Not sure if this is a jail or podman thing: I'm learning about running
> apps in Podman, and the recommendation seems to be to include a CMD in
> Containerfile/Dockerfile. When the binary called by the CMD ends, the
> jail is stopped. In the example
> (https://gitlab.com/bergblume/podman-caddy-on-freebsd/-/blob/master/caddy.yml?ref_type=heads),
> Caddy is run daemonless using this technique.
>
> My question is: in the world of sidecars is this still the right way to
> execute long-running (e.g. API) services? I'm using Bastille now and I
> set up Caddy (for example) as a service in /etc/rc.conf. Is this
> considered an anti-pattern in Podman/OCI containers?

Yes.

On FreeBSD we’ll need to figure out what the minimal dependencies are for each daemon or service.

For example I’ve been experimenting with dnsdist which has a docker-style --supervised flag where it runs in foreground and spits out logging info to stdout. This runs fine, others may require a wrapper script to set the appropriate things up.

Alternatively add an rc.local that never returns? Then the normal rc system could be used. Something like while true; do sleep 99d; done?

A+
Dave

From: "Dave Cottlehuber"
Date: Thu, 02 Jan 2025 20:01:32 +0100
To: paige@paige.bio
Cc: freebsd-jail
Subject: Re: Podman jail support

On Fri, 13 Dec 2024, at 03:41, paige@paige.bio wrote:
> Hi,
>
> I was just wondering if anybody knew anything about this error:
>
> ❯ sudo podman run --rm docker.io/dougrabson/hello
> Error: OCI runtime error: ocijail: error calling jail_attach: Invalid argument
>
> Was wondering if there's a kernel option or something I’m missing?
>
> FreeBSD stelleri.netcrave.network 14.1-RELEASE-p5 FreeBSD
> 14.1-RELEASE-p5 STELLERI amd64
>
>
> I can try to check with truss a little later..
>
> -Paige

Any luck on trussing?

I don’t have a 14.1-R to test on but this should largely work anywhere on a 14.1 base system now I think.

How did you get started with podman here, i.e. specific steps taken to get to this failure?

Dave

From: JH Foo
Date: Sat, 4 Jan 2025 02:42:17 +0700
To: freebsd-jail@freebsd.org
Subject: Re: jail services in podman

Can you elaborate how CMD helps to determine (quote) minimal
dependencies are for each daemon or service? What happens if I were to
configure the container to run off jail /etc/rc.conf services?

On 1/3/2025 1:56 AM, Dave Cottlehuber wrote:
> On Tue, 31 Dec 2024, at 17:16, JH Foo wrote:
>> Not sure if this is a jail or podman thing: I'm learning about running
>> apps in Podman, and the recommendation seems to be to include a CMD in
>> Containerfile/Dockerfile. When the binary called by the CMD ends, the
>> jail is stopped. In the example
>> (https://gitlab.com/bergblume/podman-caddy-on-freebsd/-/blob/master/caddy.yml?ref_type=heads),
>> Caddy is run daemonless using this technique.
>>
>> My question is: in the world of sidecars is this still the right way to
>> execute long-running (e.g. API) services? I'm using Bastille now and I
>> set up Caddy (for example) as a service in /etc/rc.conf. Is this
>> considered an anti-pattern in Podman/OCI containers?
> Yes.
> On FreeBSD we’ll need to figure out what the minimal dependencies are for each daemon or service.
>
> For example I’ve been experimenting with dnsdist which has a docker-style --supervised flag where it runs in foreground and spits out logging info to stdout. This runs fine, others may require a wrapper script to set the appropriate things up.
>
> Alternatively add an rc.local that never returns? Then the normal rc system could be used. Something like while true; do sleep 99d; done?
>
> A+
> Dave
>

From: "Dave Cottlehuber"
Date: Sat, 04 Jan 2025 00:16:44 +0000
To: "JH Foo", freebsd-jail
Subject: Re: jail services in podman

On Fri, 3 Jan 2025, at 19:42, JH Foo wrote:
> Can you elaborate how CMD helps to determine (quote) minimal
> dependencies are for each daemon or service? What happens if I were to

If you run a normal startup with /etc/rc then that container will
expect all the FreeBSD goodies - syslog, utx, cron, mailer, etc.
It will be more familiar but also fatter.

If you manually trim down the dependencies, *and* your application
permits it, you can choose just to run your minimal app. It will
require experimentation.

> configure the container to run off jail /etc/rc.conf services?

If you do that, no issues, *but* the container will exit as soon as rc.conf
startup finished (as the ENTRYPOINT or CMD has completed). OCI containers
are not the same as jails in this respect, by default.

A+
Dave

From: Stephan Lichtenauer
Date: Sat, 04 Jan 2025 18:20:47 +0100
To: "Dave Cottlehuber", "JH Foo", freebsd-jail
Subject: Re: jail services in podman

"Dave Cottlehuber" writes:

> On Fri, 3 Jan 2025, at 19:42, JH Foo wrote:
>> Can you elaborate how CMD helps to determine (quote) minimal
>> dependencies are for each daemon or service? What happens if I
>> were to
>
> If you run a normal startup with /etc/rc then that container will
> expect all the freebsd goodies - syslog, utx, cron, mailer, etc.
> It will be more familiar but also fatter.
>
> If you manually trim down the dependencies, *and* your application
> permits it, you can choose just to run your minimal app. It will
> require experimentation.
>
>> configure the container to run off jail /etc/rc.conf services?
>
> If you do that, no issues, *but* the container will exit as soon as
> rc.conf startup finished (as the ENTRYPOINT or CMD has completed). OCI
> containers are not the same as jails in this respect, by default.
>

Pot and Potluck have similar (even though not OCI compatible)
capabilities. You can look at the *-nomad images at
https://github.com/bsdpot/potluck to get an idea of what jails without
starting a fully fledged FreeBSD jail with rc can look like.

Stephan

From: Stephan Lichtenauer
To: "Dave Cottlehuber", "JH Foo", freebsd-jail
Subject: Re: jail services in podman
In-Reply-To: <0bea1d7c-7cf7-4faa-9b19-7fcc93ecb333@app.fastmail.com> (Dave Cottlehuber's message of "Sat, 04 Jan 2025 00:16:44 +0000")
Organization: Honeyguide
Date: Sat, 04 Jan 2025 18:21:18 +0100
Message-ID: <86v7uuijg1.fsf@pcf00002.honeyguide.net>

"Dave Cottlehuber" writes:

> On Fri, 3 Jan 2025, at 19:42, JH Foo wrote:
>> Can you elaborate how CMD helps to determine (quote) minimal
>> dependencies are for each daemon or service? What happens if I were to
>
> If you run a normal startup with /etc/rc then that container will
> expect all the freebsd goodies - syslog, utx, cron, mailer, etc.
> It will be more familiar but also fatter.
>
> If you manually trim down the dependencies, *and* your application
> permits it, you can choose just to run your minimal app. It will
> require experimentation.
>
>> configure the container to run off jail /etc/rc.conf services?
>
> If you do that, no issues, *but* the container will exit as soon as rc.conf
> startup finished (as the ENTRYPOINT or CMD has completed). OCI containers
> are not the same as jails in this respect, by default.
>

Pot and Potluck have similar (even though not OCI compatible) capabilities. You can look at the *-nomad images at https://github.com/bsdpot/potluck to get an idea of what service jails without starting a fully fledged FreeBSD jail with rc can look like.
Stephan

From nobody Sun Jan 5 13:34:58 2025
From: Mohammad Noureldin
Date: Sun, 5 Jan 2025 14:34:58 +0100
Subject: Re: Podman jail support
To: paige@paige.bio
Cc: freebsd-jail@freebsd.org

Hi Paige!

I hope you had nice holidays and happy new year!

On Mon, Dec 16, 2024 at 6:21 PM Mohammad Noureldin <mohammad@thelightbird.com> wrote:

> Hi Paige!
>
> On Fri, Dec 13, 2024 at 8:22 PM <paige@paige.bio> wrote:
>
>> Hey Mohammad,
>>
>> IIRC, that link you shared is the exact set of steps that I followed.
>
> OK, I will try also from my side and come back to you on this as soon as I can.
>
> Thanks for sharing your findings so far 👍

I was helping in testing trying to find the root cause of [1] during which I tested the FreeBSD Podman Installation instructions [2] on both FreeBSD 14.1-RELEASE-p6 and 14.2-RELEASE and both worked just fine.

Whenever you have time, would you please create a new issue in [3] and include:
- Initial state and configuration of your FreeBSD setup
- What steps are taken that lead to the errors you face

Adding issues, questions and/or any wishes or requests in [3] helps to have more eyes looking at

Thanks a lot in advance 👊

[1] https://github.com/oci-playground/freebsd-podman-testing/issues/28
[2] https://podman.io/docs/installation#installing-on-freebsd-140
[3] https://github.com/oci-playground/freebsd-podman-testing

--snip--

--
Thanks
- Mohammad Noureldin
--
"Life is like riding a bicycle. To keep your balance you must keep moving"
- Albert Einstein