From owner-svn-src-projects@freebsd.org  Thu Jul 26 14:32:07 2018
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B2FF21050FAB
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Thu, 26 Jul 2018 14:32:07 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "smtp.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id CEB3191FF1;
 Thu, 26 Jul 2018 14:32:05 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com
 [209.85.208.180])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 (Authenticated sender: kevans)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 6A3BB2689A;
 Thu, 26 Jul 2018 14:32:03 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: by mail-lj1-f180.google.com with SMTP id l15-v6so1701788lji.6;
 Thu, 26 Jul 2018 07:32:03 -0700 (PDT)
X-Gm-Message-State: AOUpUlFzBPdLcFMEhTI+/ZXgJo7WknWOayk2h7ulWN66uJ3Jk944vL1H
 VBGD4O4BFLCZhU0KT3602M00PophpjMStrrIOa4=
X-Google-Smtp-Source: AAOMgpe40HH8Bo52Yy2tGn7W9Fzd7YeID/e6KLcbSkTtvq616Ns6Gy2wuUd/uVJv8YG8BfI607inBMCfxVOhi9Us7xY=
X-Received: by 2002:a2e:8616:: with SMTP id
 a22-v6mr2035719lji.43.1532615521679; 
 Thu, 26 Jul 2018 07:32:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:5742:0:0:0:0:0 with HTTP; Thu, 26 Jul 2018 07:31:40
 -0700 (PDT)
In-Reply-To: <20180726140749.k2zgrtbrmquawbhs@mutt-hbsd>
References: <20180726131959.qplqj62fkjzcfyid@mutt-hbsd>
 <201807261332.w6QDWdQI045745@pdx.rh.CN85.dnsmgr.net>
 <CACNAnaGxqtr8P8_oway7OpTqh5O90zC79gE9WsACmd1PZP8FrQ@mail.gmail.com>
 <20180726140749.k2zgrtbrmquawbhs@mutt-hbsd>
From: Kyle Evans <kevans@freebsd.org>
Date: Thu, 26 Jul 2018 09:31:40 -0500
X-Gmail-Original-Message-ID: <CACNAnaH9OABb5RTHZ+ejWJ_Xib=HkUVB-VxtE8v6dK40sJc4kQ@mail.gmail.com>
Message-ID: <CACNAnaH9OABb5RTHZ+ejWJ_Xib=HkUVB-VxtE8v6dK40sJc4kQ@mail.gmail.com>
Subject: Re: svn commit: r336731 - projects/bectl/sbin/bectl
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: "Rodney W. Grimes" <rgrimes@freebsd.org>,
 src-committers <src-committers@freebsd.org>, svn-src-projects@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 14:32:08 -0000

On Thu, Jul 26, 2018 at 9:07 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> On Thu, Jul 26, 2018 at 08:47:30AM -0500, Kyle Evans wrote:
>> On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes
>> <freebsd@pdx.rh.cn85.dnsmgr.net> wrote:
>> > -- Start of PGP signed section.
>> >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote:
>> >> > Author: kevans
>> >> > Date: Thu Jul 26 04:07:36 2018
>> >> > New Revision: 336731
>> >> > URL: https://svnweb.freebsd.org/changeset/base/336731
>> >> >
>> >> > Log:
>> >> >   bectl(8): Redo jail using jail(3) API
>> >> >
>> >> >   The jail is created with allow.mount, allow.mount.devfs, and
>> >> >   enforce_statfs=1. Upon creation, we immediately attach, chdir to "/", and
>> >> >   drop the user into a shell inside the jail.
>> >> >
>> >> >   The default IP for this is arbitrarily 10.20.30.40.
>> >>
>> >> It seems this would only allow working in a single jailed BE at a
>> >> time, correct?
>> >
>> > Also it is just bad practice to use arbitrary IP's from
>> > rfc1918 space.   IMHO it would be better to pick a
>> > rfc3927 link local address, or one of the rfc5737 test
>> > network addresses.
>> >
>> > Please see RFC5735 page 6, table in section 4, no
>> > place in FreeBSD base system should we be shipping
>> > stuff that uses rfc1918, that is private space that
>> > does not belong to the OS.
>> >
>>
>> Right on both accounts (Shawn + Rod)... I changed it from an arbitrary
>> IP in 192.168/16 space that was conflicting with my local network
>> (heh... that was fun) with the intent of later changing it to just be
>> configurable rather than hard-coding an IP [1] because I think that no
>> matter what choice I try to go with, someone's going to want something
>> else. I'd rather not make such choices at all and force you to instead
>> specify an IP every time, a la "bectl jail testenv 10.8.0.100".
>
> Or perhaps to jail the BE without an IP at all. Sometimes all I want
> to do before rebooting into a new BE is just set an rc.conf value
> (disable a service, for example).
>
> Also, as we look forward to IPv6, it would be nice if IPv6 was
> supported as well.
>

As I said in the e-mail you guys are replying to, I plan on getting
out of the IP game because this game sucks. =) If it's useful, `bectl
jail` could grow the ability to specify jail parameters via -o, e.g.
`bectl jail -o ip4.addr=... -o ip6.addr=... -o allow.mount=false
testenv ...`