From owner-freebsd-doc@FreeBSD.ORG Mon Aug 25 16:02:21 2014
From: John Baldwin
To: Warren Block
Cc: freebsd-doc@freebsd.org
Subject: Re: ezjail Handbook section
Date: Mon, 25 Aug 2014 11:44:36 -0400
Message-ID: <1494646.V9dtS3rr7D@ralph.baldwin.cx>
User-Agent: KMail/4.10.5 (FreeBSD/10.0-STABLE; KDE/4.10.5; amd64; ; )
List-Id: Documentation project

On Wednesday, August 20, 2014 05:30:12 PM Warren Block wrote:
> On Wed, 20 Aug 2014, Warren Block wrote:
> > On Wed, 20 Aug 2014, John Baldwin wrote:
> >> On Tuesday, August 19, 2014 6:01:54 pm Warren Block wrote:
> >>> On Mon, 4 Aug 2014, Warren Block wrote:
> >>>> Draft version of an ezjail section for the Handbook Jails chapter:
> >>>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html
> >>>>
> >>>> This includes a complete setup at the end for running BIND in a jail.
> >>>> In addition to a complete jail example, it can also serve as an example of
> >>>> how to set up BIND now that the old chroot configuration is no more.
> >>>
> >>> Asking for review again of the final version at the link above. If
> >>> there are no major complaints in the next few days, it will be
> >>> committed.
> >>
> >> It's not clear to me if you need lo1? If you are using aliases on an external
> >> interface as you would with a traditional jail then I think you don't need the
> >> lo1 interface?
> >
> > It's there to keep jails from being involved with lo0 on the host. But I
> > admit the explanation is fuzzy, and will seek clarification.
>
> Updated. It now says:
>
> To keep jail loopback traffic off the host's loopback network
> interface lo0, a second loopback interface is created by adding
> an entry to /etc/rc.conf:...

I guess my question was more "why?" This isn't ezjail-specific, and neither of the other two jail tutorials in this chapter mention lo1. If having lo1 is important, then we should explain why and probably do so in the first jail example and then apply it consistently in all the jail examples. The "why" should detail if this is an optional "nice to have" or if this is "critical to security and apps can break out of jails otherwise". My assumption is the former, but seeing it documented as a mandatory step in the ezjail config implies the latter to me.

-- 
John Baldwin
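A check for the situation the thread is discussing, added here as an example and not part of the original message or the Handbook draft: given ifconfig(8) output and jls(8) output (assumed to have been produced with `jls -h jid name ip4.addr`), it lists the jail addresses that are aliases on the host's lo0 rather than on a separate loopback interface such as lo1. The function names and both sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: report jail IPv4 addresses that are aliases on the host's
# lo0 instead of a separate loopback interface such as lo1. Both inputs are
# passed as text, so on a FreeBSD host they can be replaced by real
# `ifconfig` and `jls -h jid name ip4.addr` output (assumed invocation).

# Constructed sample ifconfig(8) output (not from the thread).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.1.1 netmask 0xffffffff
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.1.2 netmask 0xffffffff
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11'

# Constructed sample jls(8) output: a header line, then jid, name, ip4.addr.
SAMPLE_JLS='jid name ip4.addr
1 dns 127.0.1.1,192.0.2.11
2 web 127.0.1.2,192.0.2.10'

# iface_of_addr ADDR IFCONFIG_TEXT: print the interface carrying ADDR, if any.
# Tracks the current "name:" header line, then matches "inet ADDR ..." lines.
iface_of_addr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[a-zA-Z0-9]+:/ { iface = $1; sub(":", "", iface) }
        $1 == "inet" && $2 == want { print iface; exit }'
}

# jails_on_lo0 JLS_TEXT IFCONFIG_TEXT: one "jid name addr" line for every
# jail IPv4 address that turns out to be configured on lo0.
jails_on_lo0() {
    printf '%s\n' "$1" | awk 'NR > 1' | while read -r jid name addrs; do
        # ip4.addr is a comma-separated list; check each address separately.
        for a in $(printf '%s\n' "$addrs" | tr ',' ' '); do
            if [ "$(iface_of_addr "$a" "$2")" = "lo0" ]; then
                printf '%s %s %s\n' "$jid" "$name" "$a"
            fi
        done
    done
}

jails_on_lo0 "$SAMPLE_JLS" "$SAMPLE_IFCONFIG"
```

On the sample data only the dns jail's 127.0.1.1 is reported, because the web jail's loopback address sits on lo1 and the external addresses sit on em0.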