git: 2fbddacdc8 - main - Status/2023Q2/service-jails.adoc: Fixes
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 24 Jul 2023 14:35:49 UTC
The branch main has been updated by salvadore:
URL: https://cgit.FreeBSD.org/doc/commit/?id=2fbddacdc83421f6f92de7396dfdb05ade5549f5
commit 2fbddacdc83421f6f92de7396dfdb05ade5549f5
Author: Graham Perrin <grahamperrin@FreeBSD.org>
AuthorDate: 2023-07-24 14:28:40 +0000
Commit: Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2023-07-24 14:35:12 +0000
Status/2023Q2/service-jails.adoc: Fixes
Approved by: carlavilla (mentor, implicit)
Pull Request: https://github.com/freebsd/freebsd-doc/pull/211
---
.../status/report-2023-04-2023-06/service-jails.adoc | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
index efb58e7163..5a66d24a20 100644
--- a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
+++ b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
@@ -1,27 +1,26 @@
-=== Service Jails - automatic jailing of rc.d services
+=== Service Jails -- automatic jailing of rc.d services
Links: +
-
link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] +
link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] +
link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[]
Contact: Alexander Leidinger <netchild@FreeBSD.org>
-Service Jails are an extension to the rc system which allows automatic jailing of rc.d services.
-Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default.
-Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]).
+Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services.
+A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default.
+Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]).
-If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have
+If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have:
----
local_unbound_svcj_options=net_basic
local_unbound_svcj=YES
----
-While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user.
+While this does not have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup, while providing some of the security benefits of a jail like hiding other processes of the same user.
The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019].
-The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8].
+The main difference is that an ENV variable is used to do more rational tracking and as such, requires a change to man:service[8].
-My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of 14-stable (which may have happened already when you read this).
-I will not commit link:https://reviews.freebsd.org/D40370[D40370] and link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both would benefit of some more eyes looking at them.
+My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of `stable/14`.
+I will not commit link:https://reviews.freebsd.org/D40370[D40370] or link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both will benefit from more eyes.