Date: Thu, 26 Jul 2018 07:17:03 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net> To: Kyle Evans <kevans@freebsd.org> Cc: "Rodney W. Grimes" <rgrimes@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, src-committers <src-committers@freebsd.org>, svn-src-projects@freebsd.org Subject: Re: svn commit: r336731 - projects/bectl/sbin/bectl Message-ID: <201807261417.w6QEH37R046032@pdx.rh.CN85.dnsmgr.net> In-Reply-To: <CACNAnaGxqtr8P8_oway7OpTqh5O90zC79gE9WsACmd1PZP8FrQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes > <freebsd@pdx.rh.cn85.dnsmgr.net> wrote: > > -- Start of PGP signed section. > >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote: > >> > Author: kevans > >> > Date: Thu Jul 26 04:07:36 2018 > >> > New Revision: 336731 > >> > URL: https://svnweb.freebsd.org/changeset/base/336731 > >> > > >> > Log: > >> > bectl(8): Redo jail using jail(3) API > >> > > >> > The jail is created with allow.mount, allow.mount.devfs, and > >> > enforce_statfs=1. Upon creation, we immediately attach, chdir to "/", and > >> > drop the user into a shell inside the jail. > >> > > >> > The default IP for this is arbitrarily 10.20.30.40. > >> > >> It seems this would only allow working in a single jailed BE at a > >> time, correct? > > > > Also it is just bad practice to use arbitrary IP's from > > rfc1918 space. IMHO it would be better to pick a > > rfc3927 link local address, or one of the rfc5737 test > > network addresses. > > > > Please see RFC5735 page 6, table in section 4, no > > place in FreeBSD base system should we be shipping > > stuff that uses rfc1918, that is private space that > > does not belong to the OS. > > > > Right on both accounts (Shawn + Rod)... I changed it from an arbitrary > IP in 192.168/16 space that was conflicting with my local network > (heh... that was fun) with the intent of later changing it to just be > configurable rather than hard-coding an IP [1] because I think that no > matter what choice I try to go with, someone's going to want something > else. I'd rather not make such choices at all and force you to instead > specify an IP every time, a la "bectl jail testenv 10.8.0.100". > > The default remains 10.20.30.40 until that time, though, and it seemed > that anyone wanting to test this should be aware. Can you make it just unconfigured instead? I really am strongly pressing the point that we should never ever commit rfc1918 addresses to the repository. Some address in 192.168/16 conflicted with your network, some address in 10/8 conflicts with my network, and probably others. If you do anything stick a 169.254 on it. That is after all what link locals are for. > [1] see the "XXX TODO" I dropped in the area, which mentions the > former and meant to hint at the latter > -- Rod Grimes rgrimes@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807261417.w6QEH37R046032>