Network namespaces in FreeBSD
ihor at antonovs.family
Thu Dec 24 21:33:28 UTC 2020
On 12/24/20 12:19 PM, Steve O'Hara-Smith wrote:
> On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
> Ameya Deshpande via freebsd-questions <freebsd-questions at freebsd.org> wrote:
>> - we can't null-mount a single file (useful to inject configs or
>> sockets; linux has mount --bind for that)
>> - combining with jail's root on / it would be nice to be able to make
>> some parts of the tree read-only for the jail (or even hide them)
> There's a half formed idea which keeps coming back to me not really
> well enough formed to do anything with - imagine being able to do something
> like this:
> pkg jail nginx --jail webserver-3 --ip4addr ...
> and obtain a jail with just enough in it to run nginx (or whatever
> package you choose) and nothing else - by that I mean not a base system
> with the necessary packages but a system stripped of everything but the
> dependencies of the application - if the application doesn't need ls then
> ls isn't there.
Yes, that too.
In the linux world there is such a thing and it is quite interesting,
until you need to debug something remotely in such an environment.
But this feature actually doesn't need any new kernel features, it's just
work to build the app with a minimal dependency footprint (golang/rust
apps, for example, are quite well suited for that) and then put it into the
There will be some fiddling with logging and process supervision, but
nothing new or impossible.