Date: Sun, 24 Aug 2014 20:27:42 -0600 (MDT) From: Warren Block <wblock@wonkity.com> To: doug@safeport.com Cc: freebsd-questions@FreeBSD.ORG Subject: Re: updating ezjails with freebsd-update Message-ID: <alpine.BSF.2.11.1408241947250.2348@wonkity.com> In-Reply-To: <alpine.BSF.2.00.1408241740340.73111@bucksport.safeport.com> References: <alpine.BSF.2.00.1408240008220.65526@bucksport.safeport.com> <53FA18FD.1060309@a1poweruser.com> <alpine.BSF.2.00.1408241740340.73111@bucksport.safeport.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 24 Aug 2014, doug@safeport.com wrote: > On Sun, 24 Aug 2014, Fbsd8 wrote: > >> You can disregard most of that new handbook jail ezjail section. Thanks for your input. I can assure you that the document was reviewed by members of the freebsd-doc mailing list, on IRC, and in private email. Mistakes and omissions were found and corrected. It's not perfect, but serves the purpose of an overview of using ezjail. It also serves a second purpose, showing how to set up bind99 in a jail. This quick overview of a jailed BIND is useful for those wishing to improve BIND security now that the old chroot option is not available in the port. >> First of all the current version of ezjail uses the /etc/rc.d/jail script >> method. This method is depreciated in FreeBSD version 10.0 and scheduled to >> be removed in FreeBSD version 10.1 or 11.0. The section should have >> contained a red warning box informing the reader that this documentation >> only applies to Freebsd 10 and older releases. When that actually happens, a warning can be added. Or ezjail may be updated by then. For now, it is not needed. >> On the subject of a jails loopback interface. Jails don't have loopback >> interfaces or use them. Sure you can assign one but it's really a >> definition error which the jail(8) program does not issue a error message >> for. All reference to the loopback interface should be removed from this >> section as its very mis-leading to the reader and unnecessary. >> >> I installed bind99 in a jail(8) jail with out any lo1 or 127.0.0.1 ip >> address and it worked just fine. The loopback clone information was added on the advice of the FreeBSD cluster administrators. It keeps jail loopback traffic off the host interface, and I understand it was an approach they took due to actual problems. >> Adding a password to jails "root" user is a waste of time and effort. >> ezjail already requires the user to have "root" access on the host before >> the "ezjail-admin install" command will function. ezjail-admin is not the only way to access a jail. Many run sshd, for example. It is bad practice to have a root account with no password, and I always try to show best practices. >> Editing the jail's /etc/hosts file and changing the ip address to the jails >> ip address and adding the jailname to the localhost entries is totally >> unnecessary. Jails work fine using the default hosts file. Again, thanks for your input. >> How can the handbook recommend using a utility tool that has a incomplete >> manual which is missing details about the utilities sub-commands. If an incomplete manual was grounds for exclusion, the Handbook would be a much shorter document. ezjail is extremely popular, and not including it in the Handbook was an oversight that needed to be fixed. >> In my opinion this new section should have never been added to the handbook >> until after ezjail gets updated to use jail(8) and it's manual is updated >> to contain details about all it's sub-commands. Given that ezjail works on all supported releases of FreeBSD, this seems a bit extreme. If and when that situation changes, the section can be easily updated. > Thank you, most helpful Fbsd8 neglects to mention the history between ezjail and the qjail fork of it. A search on "ezjail and qjail" will help fill out the picture.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.11.1408241947250.2348>