updating ezjails with freebsd-update
Warren Block
wblock at wonkity.com
Mon Aug 25 02:27:51 UTC 2014
On Sun, 24 Aug 2014, doug at safeport.com wrote:
> On Sun, 24 Aug 2014, Fbsd8 wrote:
>
>> You can disregard most of that new handbook jail ezjail section.
Thanks for your input. I can assure you that the document was reviewed
by members of the freebsd-doc mailing list, on IRC, and in private
email. Mistakes and omissions were found and corrected. It's not
perfect, but serves the purpose of an overview of using ezjail. It also
serves a second purpose, showing how to set up bind99 in a jail. This
quick overview of a jailed BIND is useful for those wishing to improve
BIND security now that the old chroot option is not available in the
port.
>> First of all the current version of ezjail uses the /etc/rc.d/jail script
>> method. This method is deprecated in FreeBSD version 10.0 and scheduled to
>> be removed in FreeBSD version 10.1 or 11.0. The section should have
>> contained a red warning box informing the reader that this documentation
>> only applies to FreeBSD 10 and older releases.
When that actually happens, a warning can be added. Or ezjail may be
updated by then. For now, it is not needed.
>> On the subject of a jail's loopback interface. Jails don't have loopback
>> interfaces or use them. Sure you can assign one, but it's really a
>> definition error for which the jail(8) program does not issue an error message.
>> All reference to the loopback interface should be removed from this
>> section as it's very misleading to the reader and unnecessary.
>>
>> I installed bind99 in a jail(8) jail without any lo1 or 127.0.0.1 IP
>> address and it worked just fine.
The loopback clone information was added on the advice of the FreeBSD
cluster administrators. It keeps jail loopback traffic off the host
interface, and I understand it was an approach they took due to actual
problems.
>> Adding a password to a jail's "root" user is a waste of time and effort.
>> ezjail already requires the user to have "root" access on the host before
>> the "ezjail-admin install" command will function.
ezjail-admin is not the only way to access a jail. Many run sshd, for
example. It is bad practice to have a root account with no password,
and I always try to show best practices.
>> Editing the jail's /etc/hosts file, changing the IP address to the jail's
>> IP address and adding the jail name to the localhost entries is totally
>> unnecessary. Jails work fine using the default hosts file.
Again, thanks for your input.
>> How can the handbook recommend using a utility tool that has an incomplete
>> manual which is missing details about the utility's sub-commands?
If an incomplete manual was grounds for exclusion, the Handbook would be
a much shorter document. ezjail is extremely popular, and not including
it in the Handbook was an oversight that needed to be fixed.
>> In my opinion this new section should never have been added to the handbook
>> until after ezjail gets updated to use jail(8) and its manual is updated
>> to contain details about all its sub-commands.
Given that ezjail works on all supported releases of FreeBSD, this seems
a bit extreme. If and when that situation changes, the section can be
easily updated.
> Thank you, most helpful
Fbsd8 neglects to mention the history between ezjail and the qjail fork
of it. A search on "ezjail and qjail" will help fill out the picture.
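For readers following the loopback discussion above, here is the host and jail configuration that the Handbook's ezjail section describes, collected in one place. This is an added illustration, not text from either poster or from the ezjail project; the interface name em0, the addresses 127.0.1.1 and 192.168.1.50, and the jail name dnsjail are assumed values chosen for the example, and the jail-side config lines show the form ezjail writes into /usr/local/etc/ezjail/<jailname>.

```conf
# --- Host: /etc/rc.conf (added example; interface and addresses are assumed) ---
# A cloned loopback interface for jails, so that a jail's loopback traffic
# (127.0.1.1) never appears on the host's lo0 or on the external interface.
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 127.0.1.1 netmask 255.255.255.255"

# ezjail's rc script (the /etc/rc.d/jail-style method discussed above).
ezjail_enable="YES"

# --- Host: creating the jail with ezjail-admin, bound to both interfaces ---
# (command shown for reference; run as root on the host)
#   ezjail-admin create dnsjail 'lo1|127.0.1.1,em0|192.168.1.50'

# --- Host: /usr/local/etc/ezjail/dnsjail, as written by ezjail-admin create ---
# Each entry is "interface|address"; the jail may bind only these addresses.
export jail_dnsjail_hostname="dnsjail"
export jail_dnsjail_ip="lo1|127.0.1.1,em0|192.168.1.50"
export jail_dnsjail_rootdir="/usr/jails/dnsjail"

# --- Jail: /usr/jails/dnsjail/etc/hosts (the edit the Handbook section makes) ---
# The jail has no 127.0.0.1 of its own, so "localhost" is pointed at the
# jail's loopback alias and the jail name is added to the same entry.
::1          localhost localhost.my.domain
127.0.1.1    localhost localhost.my.domain dnsjail
```

After `service netif cloneup` (or a reboot) the host shows lo1 with the 127.0.1.1 alias, and a daemon inside the jail that binds "localhost" ends up listening on 127.0.1.1 rather than on an address shared with the host. Setting a root password inside the jail (for example with `ezjail-admin console -e 'passwd root' dnsjail`, assumed to be available in the installed ezjail version) covers the case of sshd or other services giving non-ezjail access to the jail, which is the concern raised above.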