From: Stephan Lichtenauer
To: "Dave Cottlehuber", "JH Foo", freebsd-jail
Subject: Re: jail services in podman
In-Reply-To: <0bea1d7c-7cf7-4faa-9b19-7fcc93ecb333@app.fastmail.com> (Dave Cottlehuber's message of "Sat, 04 Jan 2025 00:16:44 +0000")
Organization: Honeyguide
References: <9efebe67-e4e4-4919-bfdf-b7e29f4f0079@kungfoo.info> <0bea1d7c-7cf7-4faa-9b19-7fcc93ecb333@app.fastmail.com>
Date: Sat, 04 Jan 2025 18:21:18 +0100
Message-ID: <86v7uuijg1.fsf@pcf00002.honeyguide.net>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

"Dave Cottlehuber" writes:

> On Fri, 3 Jan 2025, at 19:42, JH Foo wrote:
>> Can you elaborate how CMD helps to determine (quote) minimal
>> dependencies are for each daemon or service? What happens if I
>> were to
>
> If you run a normal startup with /etc/rc then that container will
> expect all the freebsd goodies - syslog, utx, cron, mailer, etc.
> It will be more familiar but also fatter.
>
> If you manually trim down the dependencies, *and* your application
> permits it, you can choose just to run your minimal app. It will
> require experimentation.
>
>> configure the container to run off jail /etc/rc.conf services?
>
> If you do that, no issues, *but* the container will exit as soon
> as rc.conf startup finished (as the ENTRYPOINT or CMD has completed).
> OCI containers are not the same as jails in this respect, by default.

Pot and Potluck have similar (even though not OCI compatible) capabilities. You can look at the *-nomad images at https://github.com/bsdpot/potluck to get an idea of what service jails without starting a fully fledged FreeBSD jail with rc can look like.

Stephan
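As an added example (not code from this thread or from the potluck project) of the point made above, that an OCI container exits once /etc/rc or the CMD returns because rc services daemonize: a POSIX sh ENTRYPOINT wrapper that starts rc.d services with onestart, then stays in the foreground for as long as the primary service's pidfile names a live process, and forwards a `podman stop` to the services. The SERVICES and PIDFILE defaults (syslogd, /var/run/syslog.pid), the script name entrypoint.sh and the use of service(8) onestart/onestop are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: supervise FreeBSD rc.d services inside an OCI container.
# rc scripts daemonize, so a CMD of "/etc/rc" returns and podman sees the
# container as finished. This wrapper stays alive while the primary service's
# pidfile still points at a running process, tying the container lifetime to
# the service. SERVICES/PIDFILE defaults below are hypothetical.

SERVICES="${SERVICES:-syslogd}"            # rc.d services to start, space separated
PIDFILE="${PIDFILE:-/var/run/syslog.pid}"  # pidfile of the service that owns the lifetime
POLL="${POLL:-2}"                          # seconds between liveness checks

# Return 0 while the pid recorded in pidfile $1 refers to a running process.
pid_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n1 "$pidfile" 2>/dev/null | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Block until the process named by pidfile $1 is gone; poll every $2 seconds.
wait_for_pidfile() {
    while pid_alive "$1"; do
        sleep "$2"
    done
}

# On SIGTERM/SIGINT (e.g. podman stop) ask every service to stop; once the
# primary service's process is gone, wait_for_pidfile returns and we exit.
stop_services() {
    for s in $SERVICES; do
        service "$s" onestop || true
    done
}

main() {
    trap 'stop_services' TERM INT
    for s in $SERVICES; do
        service "$s" onestart || exit 1   # failed start: exit non-zero, container stops
    done
    wait_for_pidfile "$PIDFILE" "$POLL"
}

# Run the supervisor only when invoked as entrypoint.sh, so the helper
# functions can also be sourced and tested on their own.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```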