From owner-freebsd-stable@FreeBSD.ORG Tue Dec 16 21:07:00 2014
Date: Tue, 16 Dec 2014 13:06:59 -0800
In-Reply-To: <20141216092259.GF89148@droso.dk>
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <20141216092259.GF89148@droso.dk>
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
From: Kevin Oberman
To: FreeBSD-STABLE Mailing List

On Tue, Dec 16, 2014 at 1:22 AM, Erwin Lansing wrote:
> On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
> >
> > Please don't conflate issues. Moving BIND out of the base system is
> > something long overdue. I know that the longtime BIND maintainer, Doug B,
> > had long felt it should be removed. This has exactly NOTHING to do with
> > removing the default chroot installation. The ports were, by default,
> > installed chrooted. Jailed would have been better, but it was not something
> > that could be done in a port unless the jail had already been set up.
> > chroot is still vastly superior to not chrooted and I was very distressed
> > to see it go from the ports.
> >
>
> While I don't want to get dragged down into this discussion that can go
> on forever without any consensus, I just want to point out that there is
> a slight twist to the above description. Due to implementational
> details, the ports' chroot was actually inside the base system parts of
> BIND. Removing the one removed the other.
>
> I did try my hand at a reimplementation self-contained in the port, but
> that proved less trivial than thought and I never reached a satisfactory
> solution. If anyone wants to try their hands at it as well and convince
> the new port maintainer, please do so, but trust me when I say that,
> e.g., an ezjail solution is much easier to set up and maintain than
> reverting to the old functionality. In the end, I'd rather see a
> more general solution that can chroot, or jail, an arbitrary daemon from
> ports rather than special treatment of a single port. If BIND, why not
> also NSD, unbound, or apache, for argument's sake?
>

Erwin,

Thanks for this explanation! In the prior discussion of this issue back
when BIND was removed from the base, I never saw this and it explains a
great deal. I hope that this will quiet some of the complaints. While it
is still a regression, it's one worth making. Getting BIND out of the
base system really was urgently required. Thanks for your efforts on this.

Warren,

Nice write-up on jailing BIND. The instructions are easy to follow, but
they are still pretty complex and getting everything right without a
tutorial like this was very tricky. For me it involved a fair amount of
trial and error and before ez-jail it was really, really hard. (Not sure
that I ever got it right.)

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com