From: Andrea Cocito
Subject: Re: Retrieving the kid/jailname of connected peer for a unix socket
Date: Wed, 24 Dec 2025 07:01:01 +0100
To: Vadim Goncharov
Cc: freebsd-hackers@freebsd.org
In-Reply-To: <20251223235145.33f8cf3d@nuclight.lan>
References: <7878EFBC-2BCF-42ED-9BFC-D96DC0DDC23A@cocito.eu> <20251223235145.33f8cf3d@nuclight.lan>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 23 Dec 2025, at 21:51, Vadim Goncharov wrote:
> What about trusted per-jail proxy which has separate socket in each jail?
> Or even just per-jail sockets without null mounts.

Hi,

I initially discarded this option to avoid having a whole “web server” running for each jail (they could be dozens), and because each of these servers needs to keep an open http channel with the central controller; as long as it’s http3/quic it’s bearable, but with thousands of appliances (each running dozens of modules/jails) the fallback to https2/tcp hurts at the level of the central controller.

A minimal “proxy” that just listens on the socket and forwards the requests to the local “server” through another socket, while adding a header like “X-Originating-Prison:”, might be an option, actually.

Thanks for making me think again in this direction.

A.
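The minimal per-jail proxy sketched in the reply, as an added example that is not from the thread or from any FreeBSD code: it takes one request from the jail-side socket, drops any X-Originating-Prison header the client itself sent (otherwise a process inside the jail could claim another jail's identity), appends the proxy's own value, and relays the exchange to the local server. The jail name is assumed to come from the proxy's own configuration, and HTTP framing is limited to Content-Length bodies with one request per connection.

```python
import socket

TRUSTED = b"x-originating-prison"   # header the proxy owns; compared case-insensitively

def rewrite_request(head: bytes, jailname: str) -> bytes:
    """Drop any client-supplied X-Originating-Prison header and append the proxy's own.

    A jailed process must not be able to claim another jail's identity, so only
    the value the proxy adds (from its own configuration, assumed here) survives."""
    if not head.endswith(b"\r\n\r\n"):
        raise ValueError("incomplete request head")
    request_line, *headers = head[:-4].split(b"\r\n")
    kept = [h for h in headers if h.split(b":", 1)[0].strip().lower() != TRUSTED]
    kept.append(b"X-Originating-Prison: " + jailname.encode("ascii"))
    return b"\r\n".join([request_line, *kept]) + b"\r\n\r\n"

def content_length(head: bytes) -> int:
    """Body length announced by the client, 0 if absent (chunked bodies not handled)."""
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0

def read_head(sock: socket.socket, limit: int = 16384) -> tuple:
    """Read until the blank line; refuse oversized heads instead of buffering forever."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise ValueError("malformed or oversized request head")
        buf += chunk
    head, rest = buf.split(b"\r\n\r\n", 1)
    return head + b"\r\n\r\n", rest

def relay_once(client: socket.socket, upstream: socket.socket, jailname: str) -> None:
    """Forward one request from the jail-side socket to the local server, copy the reply back."""
    head, rest = read_head(client)
    upstream.sendall(rewrite_request(head, jailname) + rest)
    remaining = content_length(head) - len(rest)
    while remaining > 0:                       # stream the rest of the body unchanged
        chunk = client.recv(min(remaining, 65536))
        if not chunk:
            raise ValueError("client closed connection mid-body")
        upstream.sendall(chunk)
        remaining -= len(chunk)
    upstream.shutdown(socket.SHUT_WR)          # one request per connection in this sketch
    while chunk := upstream.recv(65536):
        client.sendall(chunk)
```

In a deployment the proxy would bind the jail-side unix socket and connect `upstream` to the local server's socket; the client-side socket credentials are not consulted, only the jail the proxy instance itself runs in.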