Date: Thu, 24 Dec 2020 08:51:27 -0800 From: Ihor Antonov <ihor@antonovs.family> To: freebsd-questions@freebsd.org Subject: Re: Network namespaces in FreeBSD Message-ID: <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family> In-Reply-To: <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org> References: <SG2PR01MB2443D481AC24AF7207218E0EF1DE0.ref@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <SG2PR01MB2443D481AC24AF7207218E0EF1DE0@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <20201223182227.da6c11d3604eb07bb4f18ce5@sohara.org> <A577602D-C1A9-4B6E-822E-03641A4070A0@FreeBSD.org> <2581038e-fa0f-231d-ae33-1b42d50c8600@antonovs.family> <e59209c3-af09-68e9-c78d-ddf70909f354@qeng-ho.org> <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family> <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/24/20 8:22 AM, Arthur Chance wrote: >>> Wouldn't a VNET jail rooted at / effectively be that? >>> >> >> Last time I played with jails setting jail's root to '/' was not allowed >> for some reason. I don't remember exact error message though. > > I think that must have changed. Using a jail rooted at / used to be the > recommended way of preventing rpcbind's wildcard listen from being a > security loophole. You have inspired in me a desire to play again > I do remember that you can't nullfs mount / under itself. > >> I remember that I ended up null-mounting every directory in / (like bin, >> sbin, etc,) to jail's root directory, and that was quite painful to do >> manually. > > I'm increasingly thinking that the file system layout needs a rethink to > be able to handle jails and minimal app style devices like firewalls. > Sadly inertia (and standards) will prevent that from happening. Yes, there are some pain points with Jails, especially if we try to simulate some nice features from Linux world. Here are some of my pain points: - we can't null-mount a single file (useful to inject configs or sockets; linux has mount --bind for that) - combining with jail's root on / it would be nice to be able to make some parts of the tree read-only for the jail (or even hide them) Fixing things like these would make it a lot easier and attractive to build container orchestration systems on FreeBSD, or get better security to run applications that need root. But I think it is not too much, it can be fixed. I feel that dynamics of FreeBSD development is shifting a bit lately, so I stay hopeful. I'd say that we need to collect all the use-cases where people feel pain using jails and write it down somewhere on wiki. It would be a nice starting point. Ihor
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5d38e65e-98e2-4c27-7ccb-37be93f868df>