BIND chroot environment in 10-RELEASE...gone?

Erwin Lansing erwin at FreeBSD.org
Tue Dec 16 09:23:04 UTC 2014


On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
> 
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
> 

While I don't want to get dragged down into this discussion that can go
on forever without any consensus, I just want to point out that there is
a slight twist to the above description.  Due to implementation
details, the ports' chroot was actually inside the base system parts of
BIND.  Removing the one removed the other.

I did try my hand at a reimplementation self-contained in the port, but
that proved less trivial than thought and I never reached a satisfactory
solution.  If anyone wants to try their hands at it as well and convince
the new port maintainer, please do so, but trust me when I say that,
e.g., an ezjail solution is much easier to set up and maintain than
reverting to the old functionality.  In the end, I'd rather see a
more general solution that can chroot, or jail, an arbitrary daemon from
ports rather than special treatment of a single port.  If BIND, why not
also NSD, unbound, or apache, for argument's sake?

Erwin

-- 
Erwin Lansing                                    http://droso.dk
erwin at FreeBSD.org                        http://www.FreeBSD.org