From owner-svn-src-projects@freebsd.org Thu Jul 26 14:32:07 2018 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B2FF21050FAB for ; Thu, 26 Jul 2018 14:32:07 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id CEB3191FF1; Thu, 26 Jul 2018 14:32:05 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id 6A3BB2689A; Thu, 26 Jul 2018 14:32:03 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-lj1-f180.google.com with SMTP id l15-v6so1701788lji.6; Thu, 26 Jul 2018 07:32:03 -0700 (PDT) X-Gm-Message-State: AOUpUlFzBPdLcFMEhTI+/ZXgJo7WknWOayk2h7ulWN66uJ3Jk944vL1H VBGD4O4BFLCZhU0KT3602M00PophpjMStrrIOa4= X-Google-Smtp-Source: AAOMgpe40HH8Bo52Yy2tGn7W9Fzd7YeID/e6KLcbSkTtvq616Ns6Gy2wuUd/uVJv8YG8BfI607inBMCfxVOhi9Us7xY= X-Received: by 2002:a2e:8616:: with SMTP id a22-v6mr2035719lji.43.1532615521679; Thu, 26 Jul 2018 07:32:01 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a2e:5742:0:0:0:0:0 with HTTP; Thu, 26 Jul 2018 07:31:40 -0700 (PDT) In-Reply-To: <20180726140749.k2zgrtbrmquawbhs@mutt-hbsd> References: <20180726131959.qplqj62fkjzcfyid@mutt-hbsd> <201807261332.w6QDWdQI045745@pdx.rh.CN85.dnsmgr.net> <20180726140749.k2zgrtbrmquawbhs@mutt-hbsd> From: Kyle Evans Date: Thu, 26 Jul 2018 09:31:40 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: svn commit: r336731 - projects/bectl/sbin/bectl To: Shawn Webb Cc: "Rodney W. Grimes" , src-committers , svn-src-projects@freebsd.org Content-Type: text/plain; charset="UTF-8" X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jul 2018 14:32:08 -0000 On Thu, Jul 26, 2018 at 9:07 AM, Shawn Webb wrote: > On Thu, Jul 26, 2018 at 08:47:30AM -0500, Kyle Evans wrote: >> On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes >> wrote: >> > -- Start of PGP signed section. >> >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote: >> >> > Author: kevans >> >> > Date: Thu Jul 26 04:07:36 2018 >> >> > New Revision: 336731 >> >> > URL: https://svnweb.freebsd.org/changeset/base/336731 >> >> > >> >> > Log: >> >> > bectl(8): Redo jail using jail(3) API >> >> > >> >> > The jail is created with allow.mount, allow.mount.devfs, and >> >> > enforce_statfs=1. Upon creation, we immediately attach, chdir to "/", and >> >> > drop the user into a shell inside the jail. >> >> > >> >> > The default IP for this is arbitrarily 10.20.30.40. >> >> >> >> It seems this would only allow working in a single jailed BE at a >> >> time, correct? >> > >> > Also it is just bad practice to use arbitrary IP's from >> > rfc1918 space. IMHO it would be better to pick a >> > rfc3927 link local address, or one of the rfc5737 test >> > network addresses. >> > >> > Please see RFC5735 page 6, table in section 4, no >> > place in FreeBSD base system should we be shipping >> > stuff that uses rfc1918, that is private space that >> > does not belong to the OS. >> > >> >> Right on both accounts (Shawn + Rod)... I changed it from an arbitrary >> IP in 192.168/16 space that was conflicting with my local network >> (heh... that was fun) with the intent of later changing it to just be >> configurable rather than hard-coding an IP [1] because I think that no >> matter what choice I try to go with, someone's going to want something >> else. I'd rather not make such choices at all and force you to instead >> specify an IP every time, a la "bectl jail testenv 10.8.0.100". > > Or perhaps to jail the BE without an IP at all. Sometimes all I want > to do before rebooting into a new BE is just set an rc.conf value > (disable a service, for example). > > Also, as we look forward to IPv6, it would be nice if IPv6 was > supported as well. > As I said in the e-mail you guys are replying to, I plan on getting out of the IP game because this game sucks. =) If it's useful, `bectl jail` could grow the ability to specify jail parameters via -o, e.g. `bectl jail -o ip4.addr=... -o ip6.addr=... -o allow.mount=false testenv ...`