Date: Mon, 25 Aug 2014 11:44:36 -0400 From: John Baldwin <jhb@freebsd.org> To: Warren Block <wblock@wonkity.com> Cc: freebsd-doc@freebsd.org Subject: Re: ezjail Handbook section Message-ID: <1494646.V9dtS3rr7D@ralph.baldwin.cx> In-Reply-To: <alpine.BSF.2.11.1408201720480.93287@wonkity.com> References: <alpine.BSF.2.11.1408041633520.34818@wonkity.com> <alpine.BSF.2.11.1408201206460.56309@wonkity.com> <alpine.BSF.2.11.1408201720480.93287@wonkity.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday, August 20, 2014 05:30:12 PM Warren Block wrote: > On Wed, 20 Aug 2014, Warren Block wrote: > > On Wed, 20 Aug 2014, John Baldwin wrote: > >> On Tuesday, August 19, 2014 6:01:54 pm Warren Block wrote: > >>> On Mon, 4 Aug 2014, Warren Block wrote: > >>>> Draft version of an ezjail section for the Handbook Jails chapter: > >>>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html > >>>> > >>>> This includes a complete setup at the end for running BIND in a jail. > >>>> In addition to a complete jail example, it can also serve as an example > >>>> of > >>>> how to set up BIND now that the old chroot configuration is no more. > >>> > >>> Asking for review again of the final version at the link above. If > >>> there are no major complaints in the next few days, it will be > >>> committed. > >> > >> It's not clear to me if you need lo1? If you are using aliases on an > >> external > >> interface as you would with a traditional jail then I think you don't > >> need > >> the > >> lo1 interface? > > > > It's there to keep jails from being involved with lo0 on the host. But I > > admit the explanation is fuzzy, and will seek clarification. > > Updated. It now says: > > To keep jail loopback traffic off the host's loopback network > interface lo0, a second loopback interface is created by adding > an entry to /etc/rc.conf:... I guess my question was more "why?" This isn't ezjail-specific, and neither of the other two jail tutorials in this chapter mention lo1. If having lo1 is important, then we should explain why and probably do so in the first jail example and then apply it consistently in all the jail examples. They "why" should detail if this is an optional "nice to have" or if this is "critical to security and apps can break out of jails otherwise". My assumption is the former, but seeing it documented as a mandatory step in the ezjail config implies the latter to me. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1494646.V9dtS3rr7D>