git: d5c23e47d8 - main - Status/2024Q2/service-jails.adoc: Add report

From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Wed, 19 Jun 2024 09:45:33 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=d5c23e47d838798e2c8b44450b38456019c09ae0

commit d5c23e47d838798e2c8b44450b38456019c09ae0
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2024-06-19 09:43:23 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2024-06-19 09:44:42 +0000

    Status/2024Q2/service-jails.adoc: Add report
    
    Reviewed by:    status (Pau Amma <pauamma@gundo.com>)
---
 .../report-2024-04-2024-06/service-jails.adoc      | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/website/content/en/status/report-2024-04-2024-06/service-jails.adoc b/website/content/en/status/report-2024-04-2024-06/service-jails.adoc
new file mode 100644
index 0000000000..0fec2ab32f
--- /dev/null
+++ b/website/content/en/status/report-2024-04-2024-06/service-jails.adoc
@@ -0,0 +1,23 @@
+=== Service jails -- Automatic jailing of rc.d services
+
+Links: +
+link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[rc-article part for Service Jails] URL: link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[]
+
+Contact: Alexander Leidinger <netchild@FreeBSD.org>
+
+Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services.
+A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default.
+Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]).
+
+The base system infrastructure and the basesystem rc.d services are committed to 15-current, and the handbook / rc article updates are committed to the documentation.
+Next steps are to extend services in the ports collection to be able to make use of it.
+
+If you want to put e.g. nginx into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have:
+----
+nginx_svcj_options=net_basic
+nginx_svcj=YES
+----
+
+While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user.
+
+Any testing and feedback (even as simple as "service X works in a service jail") is welcome.
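Review bot: "basesystem rc.d services" in the paragraph on commit status is missing a space; the same sentence already writes "base system infrastructure", so make it "base system rc.d services", and consider "15-CURRENT" for the branch name. In the rc.conf listing the two values are unquoted; quoting them, as in nginx_svcj_options="net_basic" and nginx_svcj="YES", matches the usual rc.conf style and stays correct if a reader later lists more than one option. The sentence comparing this to a manual jail setup uses "while" twice, so splitting it after "IP/VNET" would make the limitation (shared filesystem, no separate IP/VNET) stand out from the benefit.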