git: f243b7e5d6 - main - Status/2023Q2/service-jails.adoc: Add report

From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Wed, 05 Jul 2023 15:36:38 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=f243b7e5d622fe00ee446f8705dcbdb54ef2c905

commit f243b7e5d622fe00ee446f8705dcbdb54ef2c905
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2023-07-05 12:20:15 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2023-07-05 15:34:24 +0000

    Status/2023Q2/service-jails.adoc: Add report
    
    Reviewed by:    status (Pau Amma <pauamma@gundo.com>)
    Approved by:    dbaio (mentor, implicit)
---
 .../report-2023-04-2023-06/service-jails.adoc      | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
new file mode 100644
index 0000000000..efb58e7163
--- /dev/null
+++ b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
@@ -0,0 +1,27 @@
+=== Service Jails - automatic jailing of rc.d services
+
+Links: +
+
+link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] +
+link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] +
+link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[]
+
+Contact: Alexander Leidinger <netchild@FreeBSD.org>
+
+Service Jails are an extension to the rc system which allows automatic jailing of rc.d services.
+Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default.
+Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]).
+
+If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have
+----
+local_unbound_svcj_options=net_basic
+local_unbound_svcj=YES
+----
+
+While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user.
+
+The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019].
+The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8].
+
+My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of 14-stable (which may have happened already when you read this).
+I will not commit link:https://reviews.freebsd.org/D40370[D40370] and link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both would benefit of some more eyes looking at them.
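Review bot: The rc.conf example (local_unbound_svcj_options=net_basic) uses an option name that the report never defines. The text around it says only that the goal is to "allow IPv4 and IPv6 access", and the earlier sentence about additional configuration (inheriting the parent's IPs, sysvipc, memory page locking, vmm) gives no option names at all. Because the report states that service jails restrict network access by default, name the option that corresponds to each relaxation, or point to D40370 for the list, so a reader can tell how much isolation each setting gives up. The paragraph comparing this with a manual jail setup names hiding other processes as a benefit; it could also say what inheriting the parent's filesystem means for the service's access to files, since that is the main stated difference. Wording nits: "allows to inherit" should be "allows inheriting", "easier to setup" should be "easier to set up", and "benefit of some more eyes" should be "benefit from some more eyes".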