From nobody Mon Jul 24 14:35:49 2023 X-Original-To: dev-commits-doc-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4R8jPx3kbNz4npp6 for ; Mon, 24 Jul 2023 14:35:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4R8jPx2Yb1z4XMZ; Mon, 24 Jul 2023 14:35:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690209349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=y/yCbtVTPErl+hSJmWSjhvhDgNskdWnIpHAACdaMBS8=; b=h5VDzihZqNUcqR4nqHt1zt0dQDJCy2U4rtgW9226cFNjy9io6upn9uqj+KVSFM1ugkIAcH iBKKO9685X7InYMF1EyZ61Ir4B+ptm8fR4d3oa9cmZq1jggj+/4LWc7Mn5x/NGjuGJRePv 7Xx+qmu3HAChRYBTrd9Gu53Nwkx3kAYfY8D4mtezlzIcDj4nkICzTPRLooHfg17G7shZ7O YK9Sunl3SkrWHRF22SOsN4EEfecBaJKRQCg1YO5LGgylKOW7TdZKHl4AdxTmtySmkkFgqN AkcR1q0vBCdr74M60WkCECQ+R8IkZRmdnYD8mamphMGXxOtJ+H1D8c5SJgU4Qg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690209349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=y/yCbtVTPErl+hSJmWSjhvhDgNskdWnIpHAACdaMBS8=; b=V4yo92gwW4p0aN5bP78rXNk4+xfA1Z2SLJyA9H5fx6TUZXhAKS6ASybbTBlBUCm4l8hei3 FudCXNilxqtblBSJMbNZUagN7L2vl53XW7AlYr74HhfsUpY5nGGlcPZPfR8pqgFkqH9PJ0 NUHUiaPmGXu2pLJzc21qcxQctqS0kzX0klaYp4BVyvCRw0JlVbdYTrzNkl+BDzjnNXj4Ns YcRHWlkF3Zzr4uau5bBH6cHfpY052eId25k53BXMn9VxzG23Bm9WZRnA9/tzG44TXfnY84 2wIjpVaXFUlQkLXUI0v1sbnK4xnIFD8yjMCPXnXBqJzS8eE37ivG0JvJ5nygIw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1690209349; a=rsa-sha256; cv=none; b=nhD8vgyvR19Ma+9t1rM9oL5dPI/OhkmTR2GVGWB7m3QeYc5Rm4X2omF4tRWmcWOa1TiThL lSZWnnaPNKC72sgtrqpVrWKvIY3gJHic/1s8XDSMsdGmPFQ6BNdEMdyQloo2905fcJMxE/ 3MFs9mGkWyEP3Qtv6ulnhTkIo8BGr8UUakLubOcGaJkdGVfh5Jq8IwSKUbbuwqQs7WctmC PYG5VJq8CmHVPX5AZDq0q5G78eD9OIgVQ30LbqMuhmMvsguB06udwFhjGp0gLQTyk2xT8P 7uG8SAys7hrEA0i9esb68boDEEDhDMBrdTFpLFWteUD7SIkvIuyPBEiU9VFoQQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4R8jPx1fz6zM1R; Mon, 24 Jul 2023 14:35:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 36OEZnSd063655; Mon, 24 Jul 2023 14:35:49 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 36OEZnh9063654; Mon, 24 Jul 2023 14:35:49 GMT (envelope-from git) Date: Mon, 24 Jul 2023 14:35:49 GMT Message-Id: <202307241435.36OEZnh9063654@gitrepo.freebsd.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org From: Lorenzo Salvadore Subject: git: 2fbddacdc8 - main - Status/2023Q2/service-jails.adoc: Fixes List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-doc-all@freebsd.org X-BeenThere: dev-commits-doc-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: salvadore X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2fbddacdc83421f6f92de7396dfdb05ade5549f5 Auto-Submitted: auto-generated The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=2fbddacdc83421f6f92de7396dfdb05ade5549f5 commit 2fbddacdc83421f6f92de7396dfdb05ade5549f5 Author: Graham Perrin AuthorDate: 2023-07-24 14:28:40 +0000 Commit: Lorenzo Salvadore CommitDate: 2023-07-24 14:35:12 +0000 Status/2023Q2/service-jails.adoc: Fixes Approved by: carlavilla (mentor, implicit) Pull Request: https://github.com/freebsd/freebsd-doc/pull/211 --- .../status/report-2023-04-2023-06/service-jails.adoc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc index efb58e7163..5a66d24a20 100644 --- a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc +++ b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc @@ -1,27 +1,26 @@ -=== Service Jails - automatic jailing of rc.d services +=== Service Jails -- automatic jailing of rc.d services Links: + - link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] + link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] Contact: Alexander Leidinger -Service Jails are an extension to the rc system which allows automatic jailing of rc.d services. -Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. -Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). +Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. +A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. +Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). -If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have +If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: ---- local_unbound_svcj_options=net_basic local_unbound_svcj=YES ---- -While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user. +While this does not have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup, while providing some of the security benefits of a jail like hiding other processes of the same user. The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019]. -The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8]. +The main difference is that an ENV variable is used to do more rational tracking and as such, requires a change to man:service[8]. -My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of 14-stable (which may have happened already when you read this). -I will not commit link:https://reviews.freebsd.org/D40370[D40370] and link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both would benefit of some more eyes looking at them. +My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of `stable/14`. +I will not commit link:https://reviews.freebsd.org/D40370[D40370] or link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both will benefit from more eyes.