From owner-freebsd-current@FreeBSD.ORG Fri Mar 5 08:37:06 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5193D16A4D0; Fri, 5 Mar 2004 08:37:06 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id E36DD43D1D; Fri, 5 Mar 2004 08:37:05 -0800 (PST) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.10/8.12.10) with ESMTP id i25GZmDL069108; Fri, 5 Mar 2004 11:35:48 -0500 (EST) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)i25GZm46069105; Fri, 5 Mar 2004 11:35:48 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Fri, 5 Mar 2004 11:35:48 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Pawel Jakub Dawidek In-Reply-To: <20040305102543.GJ10864@darkness.comp.waw.pl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: current@FreeBSD.org Subject: Re: HEADS UP: rcNG scripts inside a jail. X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Mar 2004 16:37:06 -0000 On Fri, 5 Mar 2004, Pawel Jakub Dawidek wrote: > I'm going to mark scripts below as not usable inside jail. > If anyone is using one of those scripts inside a jail and it works, > now is the right time to start screaming. > > abi This one has some function in jail, but not complete function. Specifically: (1) It can't load the kernel modules (2) It can do the ldconfig Maybe this should be split into two scripts, or otherwise indiciated. > devd Technically speaking, this could be run in a jail, but I agree it currently is unlikely to (and since devd can't run multiple instances, it would cause suffering if it tried). > And here is the list of scripts that I've no idea if they should be > available inside a jail or not: > > bootparams > kdc > kerberos > keyserv > kpasswdd > mrouted > rarpd > route6d > routed > rpcbind > rwho I've never tried running Kerberos in a jail, but assuming it didn't mind the IP address munging, I see no reason not to allow it. In fact, you might argue that that could be a desirable configuration. By default, we don't expose BPF in jail, so rarpd, et al, probably won't run happily. However, it's something we might want to consider at some point. mrouted can't run in a jail because it can't manipulate the kernel routing state. rpcbind probably is useful since there's no reason we couldn't run userspace RPC applications in a jail. The other routed pieces (4 and 6) we can do without. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Senior Research Scientist, McAfee Research