Date: Fri, 07 Jun 2024 13:42:32 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: ports@freebsd.org
Subject: Re: Service for jails?
Message-ID: <0ea46cdc27fdb7bec0aa4ce5f1c9a25a@Leidinger.net>
In-Reply-To: <e5d7a2ce-ef65-483f-8a6d-807266a454fd@quip.cz>
References: <25b6364e-39a4-4834-a250-ff7d94a758bf@freebsd.org> <e5d7a2ce-ef65-483f-8a6d-807266a454fd@quip.cz>
On 2024-06-07 09:44, Miroslav Lachman wrote:
> On 07/06/2024 08:20, Matthias Fechner wrote:
>> Dear all,
>>
>> I saw in some commit messages that the startup scripts are modified
>> like:
>>
>> BBB_svcj_options=${BBB_svcj_options:-"net_basic"}
>>
>> But I cannot find anything in the porters handbook about that new
>> parameter.
>>
>> Can maybe someone explain that a little bit more, what it is and why
>> it makes sense to add this?

Service jails run the start and stop commands in a jail. The jail uses the complete filesystem of the host, but without any options it has no network access or access to other stuff which is restricted in a jail. The above config line gives access to the network of the host (IPv4 and IPv6).

I've sent out a lot of patches to some port maintainers to add this config (mysql, postgresql, postfix, dovecot, php, nginx, apache, ...), so that a simple "sysrc XXX_svcj=YES" makes this feature work out of the box (some are committed, some are under review, some I have just sent out). An alternative is to set the XXX_svcj_options in rc.conf, but then it means 2 lines of config instead of only 1 to enable it.

This does not make much sense when you run services in jails anyway (if you enable subjails, it is supposed to work and spawn a jail inside the jail), but for stuff which is run on the host itself, it is a very easy way to add one more layer of security to the security onion (without the need that you know how to set up jails or to maintain them separately). I have e.g. syslogd jailed with this.
> It is for service jails where you can easily start "any" service in its
> own jail just by one line in rc.conf
>
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails
>
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails-config
>
> https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails

Does someone have an argument to add something to the porters handbook? And if yes, what? Chapter "6.28. Starting and Stopping Services" is already pointing to the rc-scripting article and the handbook (the latter with the issue of going to the first page of the handbook instead of the correct chapter).

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
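As an added illustration of the point made in the reply above (not code from the thread or from FreeBSD's rc.subr), the following POSIX sh emulates how the port's default line BBB_svcj_options=${BBB_svcj_options:-"net_basic"} combines with what an administrator puts in rc.conf. The helper names svcj_enabled and svcj_effective, and the rc.conf fragments used to exercise them, are constructed for this example; the yes/true/on/1 matching mirrors rc.subr's checkyesno.

```shell
# Added example, not part of the original thread or of FreeBSD's rc.subr.
# Emulates the effect of the rc script line
#   BBB_svcj_options=${BBB_svcj_options:-"net_basic"}
# once rc.conf has been sourced. Helper names are constructed for this example.

# Mirror rc.subr's checkyesno: print 1 for yes/true/on/1, 0 for anything else.
svcj_enabled() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# svcj_effective NAME CONF DEFAULT_OPTIONS
#   NAME            the rc script's $name (e.g. mysql)
#   CONF            a file of rc.conf-style assignments
#   DEFAULT_OPTIONS what the rc script itself defaults ${name}_svcj_options to
#                   ("net_basic" for a patched port, empty for an unpatched one)
# Prints "<enabled>|<options>", e.g. "1|net_basic".
svcj_effective() (
    name=$1 conf=$2 default=$3
    . "$conf"                       # load_rc_config sources rc.conf the same way
    eval "svcj=\"\${${name}_svcj:-NO}\""
    eval "opts=\"\${${name}_svcj_options:-$default}\""
    printf '%s|%s\n' "$(svcj_enabled "$svcj")" "$opts"
)
```

An empty options field means the service jail starts with no network access, which is why the one-line "sysrc XXX_svcj=YES" only works out of the box when the port's rc script carries the net_basic default.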