Date:      Wed, 24 Dec 2025 07:01:01 +0100
From:      Andrea Cocito <andrea@cocito.eu>
To:        Vadim Goncharov <vadimnuclight@gmail.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Retrieving the kid/jailname of connected peer for a unix socket
Message-ID:  <A1153F5F-6071-4D73-B63F-8D6CCC11C3D6@cocito.eu>
In-Reply-To: <20251223235145.33f8cf3d@nuclight.lan>
References:  <7878EFBC-2BCF-42ED-9BFC-D96DC0DDC23A@cocito.eu> <20251223235145.33f8cf3d@nuclight.lan>

On 23 Dec 2025, at 21:51, Vadim Goncharov <vadimnuclight@gmail.com> wrote:
> What about trusted per-jail proxy which has separate socket in each jail?
> Or even just per-jail sockets without null mounts.

Hi,

I initially discarded this option to avoid having a whole “web server” running for each jail (they could be dozens), and because each of these servers needs to keep an open http channel with the central controller; as long as it’s http3/quic it’s bearable, but with thousands of appliances (each running dozens of modules/jails) the fallback to https2/tcp hurts at the level of the central controller.

A minimal “proxy” that just listens on the socket and forwards the requests to the local “server” through another socket, while adding a header like “X-Originating-Prison:”, might be an option, actually.

Thanks for making me think again in this direction.

A.
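The minimal per-jail proxy sketched above, as an added illustration that is not code from the thread or from FreeBSD: it reads one HTTP/1.x request head from the jail-side unix socket, strips any X-Originating-Prison header the client supplied (so a jailed process cannot claim another jail's identity), stamps the proxy's own value, and relays the rest to the server's socket. The socket paths, the jail name and all function names are assumptions of this example.

```python
import socket
import threading

# Assumed (not from the thread): socket paths and the jail name are passed in
# by whatever starts the proxy; the header name is the one the message suggests.
HEADER = b"X-Originating-Prison"

def rewrite_request_head(head: bytes, jail: str) -> bytes:
    """Drop any client-supplied X-Originating-Prison (a jailed process must not
    be able to claim another jail's identity), add the proxy's own value, and
    force Connection: close so only this one rewritten request is forwarded."""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    drop = (HEADER.lower() + b":", b"connection:")
    kept = [h for h in headers if h and not h.lower().startswith(drop)]
    kept += [HEADER + b": " + jail.encode("ascii"), b"Connection: close"]
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n"

def read_head(conn: socket.socket, limit: int = 16384) -> tuple:
    """Read up to the blank line; return (head, bytes already read past it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise ValueError("malformed or oversized request head")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n", rest

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client: socket.socket, upstream_path: str, jail: str) -> None:
    """Forward one accepted connection from the jail's socket to the server's."""
    with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as up:
        up.connect(upstream_path)
        try:
            head, rest = read_head(client)
        except ValueError:
            return  # refuse rather than forward something we did not rewrite
        up.sendall(rewrite_request_head(head, jail) + rest)
        threading.Thread(target=pump, args=(client, up), daemon=True).start()
        pump(up, client)  # relay the response until the server closes
```

The remaining piece is an accept loop on the jail-side AF_UNIX listener that hands each connection to handle(); the server behind it should trust the header only on the socket this proxy writes to.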


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A1153F5F-6071-4D73-B63F-8D6CCC11C3D6>