Date: Wed, 19 Jun 2024 09:45:33 GMT
Message-Id: <202406190945.45J9jXlO096954@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore
Subject: git: d5c23e47d8 - main - Status/2024Q2/service-jails.adoc: Add report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d5c23e47d838798e2c8b44450b38456019c09ae0
Auto-Submitted: auto-generated

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=d5c23e47d838798e2c8b44450b38456019c09ae0

commit d5c23e47d838798e2c8b44450b38456019c09ae0
Author:     Alexander Leidinger
AuthorDate: 2024-06-19 09:43:23 +0000
Commit:     Lorenzo Salvadore
CommitDate: 2024-06-19 09:44:42 +0000

    Status/2024Q2/service-jails.adoc: Add report

    Reviewed by:    status (Pau Amma )
---
 .../report-2024-04-2024-06/service-jails.adoc | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/website/content/en/status/report-2024-04-2024-06/service-jails.adoc b/website/content/en/status/report-2024-04-2024-06/service-jails.adoc
new file mode 100644
index 0000000000..0fec2ab32f
--- /dev/null
+++ b/website/content/en/status/report-2024-04-2024-06/service-jails.adoc
@@ -0,0 +1,23 @@ +=== Service jails -- Automatic jailing of rc.d services + +Links: + +link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[rc-article part for Service Jails] URL: link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[] + +Contact: Alexander Leidinger + +Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. +A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. +Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). + +The base system infrastructure and the basesystem rc.d services are committed to 15-current, and the handbook / rc article updates are committed to the documentation. +Next steps are to extend services in the ports collection to be able to make use of it. + +If you want to put e.g. nginx into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: +---- +nginx_svcj_options=net_basic +nginx_svcj=YES +---- + +While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user. + +Any testing and feedback (even as simple as "service X works in a service jail") is welcome.
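Review bot: the sentence introducing the rc.conf example is the only place a reader learns what `net_basic` grants, and the hunk never ties it back to the default described earlier ("restricted network access ... by default" versus "inheritance of the IPs of the parent" as additional configuration); consider stating in that sentence that `nginx_svcj_options=net_basic` is what lifts the network restriction for the service jail, so that readers only set it for services that actually need IPv4/IPv6 access and leave the default restriction in place otherwise. Two smaller points in the same hunk: "The base system infrastructure and the basesystem rc.d services" uses two spellings in one sentence, and "15-current" is normally written "15-CURRENT" in FreeBSD documentation.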