From owner-svn-src-projects@freebsd.org Thu Jul 26 14:08:38 2018 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 84B611050593 for ; Thu, 26 Jul 2018 14:08:38 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EF4E790CAB for ; Thu, 26 Jul 2018 14:08:37 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-wm0-x234.google.com with SMTP id h20-v6so2138573wmb.4 for ; Thu, 26 Jul 2018 07:08:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=N13WNqO9Em3RCzERE8lIaIXM7B49v4b696IoU16B73E=; b=FKzg/H/gPkVXl/ppSXD3NgJXucMNcDsoowWuIJrtNc38v6Lszw+XIh65F72dlTJbYf S7en3trE/v94B/VnVwbXc046EDA1NFAxUkOc8iAo75XKAu/ZWCjkX4/e0FA88Ikc/RJK fVWpuM2MWSDZATiqcIR1geeo4Uizc1SkrKN3E/WZjbIJ16REurhETye/Oz2dw0qbtDCy 7w1g/YPGVCQqy85jOc1J5Cf5s/W8SvMOVgplZ8AA3k4LbBYGn0s69pgwe3Xc62VFmgG7 Ee0jDf9AGmn5IcCE8Mj4xUhJ881mthmJJQOjSx1DHs6Lrzp96SCQXkGmBE/+szlPQutC Rvwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=N13WNqO9Em3RCzERE8lIaIXM7B49v4b696IoU16B73E=; b=CeaeWac3jaMrlp0VPyXjF48UiGjmJ94KvVsvwQvLlO1V9EyPBPQFlxACa5VacR3GzH TThKQT5XDL36H1rej7r92NRbZmfi4NQrrF3DqLAaWVs+cQSQnYOQmUTUT3ZEJ1B4Fg01 hKK1ZCeRupiEcwqRjKt/mbs5KyPGPMGgk/2y7JkYXXqsi1Fkw5I6ICzdnF6XdgrbAhRU Q5nMKpyq5PMFhwHMZGV6y97y1CDwSYu13TfJpi2u9JdzGSVAuMbL8waSSEafGUVcP4js zScWKlbtDqdK15u9phGmvynQEdpVh/55tuGsCARTsKyZrXXjenD6d1AD5cpgy3TFaP7D Mbaw== X-Gm-Message-State: AOUpUlEyUiNcPVd/7QUpK81ud4BQR7qONPZvqHr6FC1z5/7aae6GyN8A qStU3B8Q/o01td5MAnzES1GwsItHJy/7eA== X-Google-Smtp-Source: AAOMgpcmVvK3ENmuuwcc04gr0WI1ryDMsIIVioV3bI8aBqU2mhyD8qXzq+2uMF4bsIfC3N4BXhfD8Q== X-Received: by 2002:a1c:dc41:: with SMTP id t62-v6mr1719715wmg.42.1532614116756; Thu, 26 Jul 2018 07:08:36 -0700 (PDT) Received: from mutt-hbsd (politkovskaja.torservers.net. [77.247.181.165]) by smtp.gmail.com with ESMTPSA id l15-v6sm934170wrt.67.2018.07.26.07.08.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 07:08:35 -0700 (PDT) Date: Thu, 26 Jul 2018 10:07:49 -0400 From: Shawn Webb To: Kyle Evans Cc: "Rodney W. Grimes" , src-committers , svn-src-projects@freebsd.org Subject: Re: svn commit: r336731 - projects/bectl/sbin/bectl Message-ID: <20180726140749.k2zgrtbrmquawbhs@mutt-hbsd> References: <20180726131959.qplqj62fkjzcfyid@mutt-hbsd> <201807261332.w6QDWdQI045745@pdx.rh.CN85.dnsmgr.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="jif36glxs4hrvwr2" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20180622 X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jul 2018 14:08:38 -0000 --jif36glxs4hrvwr2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 26, 2018 at 08:47:30AM -0500, Kyle Evans wrote: > On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes > wrote: > > -- Start of PGP signed section. > >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote: > >> > Author: kevans > >> > Date: Thu Jul 26 04:07:36 2018 > >> > New Revision: 336731 > >> > URL: https://svnweb.freebsd.org/changeset/base/336731 > >> > > >> > Log: > >> > bectl(8): Redo jail using jail(3) API > >> > > >> > The jail is created with allow.mount, allow.mount.devfs, and > >> > enforce_statfs=3D1. Upon creation, we immediately attach, chdir to= "/", and > >> > drop the user into a shell inside the jail. > >> > > >> > The default IP for this is arbitrarily 10.20.30.40. > >> > >> It seems this would only allow working in a single jailed BE at a > >> time, correct? > > > > Also it is just bad practice to use arbitrary IP's from > > rfc1918 space. IMHO it would be better to pick a > > rfc3927 link local address, or one of the rfc5737 test > > network addresses. > > > > Please see RFC5735 page 6, table in section 4, no > > place in FreeBSD base system should we be shipping > > stuff that uses rfc1918, that is private space that > > does not belong to the OS. > > >=20 > Right on both accounts (Shawn + Rod)... I changed it from an arbitrary > IP in 192.168/16 space that was conflicting with my local network > (heh... that was fun) with the intent of later changing it to just be > configurable rather than hard-coding an IP [1] because I think that no > matter what choice I try to go with, someone's going to want something > else. I'd rather not make such choices at all and force you to instead > specify an IP every time, a la "bectl jail testenv 10.8.0.100". Or perhaps to jail the BE without an IP at all. Sometimes all I want to do before rebooting into a new BE is just set an rc.conf value (disable a service, for example). Also, as we look forward to IPv6, it would be nice if IPv6 was supported as well. >=20 > The default remains 10.20.30.40 until that time, though, and it seemed > that anyone wanting to test this should be aware. >=20 > [1] see the "XXX TODO" I dropped in the area, which mentions the > former and meant to hint at the latter --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --jif36glxs4hrvwr2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAltZ1bEACgkQaoRlj1JF bu5ITA//XNtk3CdXUk5wGKN/8F9fKYtyuF5TWAwL1l6ucWk6GdZVcXWFe+sgnKaX 0HRJC0Hg1+ixCWcdp7J/2RFx1dfLloDpkvq5gfGF0R6o2fLyE31cLlxYHTrRK6kZ BFvmI4Im4j6vkOOpxgZZioBC9zGBdlM8lsYWXp51Gb3aMCN5Ir9U2VHtZ06bHgs1 c8WUhfut8XyjfKMRlFLfFQ/nvzBNdWWlvrVX4jHA+8l/uq0WnZwVS8XGwVTGhSiH lOaz+as+RE34wowMuiIOwCpQjMtjvT9G9xa1iUI2Rkr9Aq6w4VYuJQ2eXOlBbEw7 +YNLbuEHs7H1UjGXjvTUBewBcuMwQsmBMDrJo0rQv5hGN+vRUys2TGuNFcarddFx vUtL5igV/uKCoZYBKxqz+VL2XPO9/mapgkdZvknAu3ZnlVyNFv1N/ikSomZbqAO+ GwANx5IX1ImQ943rKsTZsr9BTFQTJT2HrLdiJZxloN5sFVgbzxKf+PbwT8FGqLUq 6cFPYgsThQeUUC+xLTzII3zU4OdK5oIA6PDjclXehQIVrxjFA0dL+ZR1ufgau0m1 40gS1owS9AEDSpcjTfyeXUjowpvh1niZVTcu0EDy5b631EA41V+Nz7PeavKsyrYJ de8nWEIdGYgghM876eVZDV78dWL1U10AeHigEr5gjLW3Vh4txLQ= =870x -----END PGP SIGNATURE----- --jif36glxs4hrvwr2--