svn commit: r336731 - projects/bectl/sbin/bectl

Rodney W. Grimes freebsd at pdx.rh.CN85.dnsmgr.net
Thu Jul 26 14:17:07 UTC 2018


> On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes
> <freebsd at pdx.rh.cn85.dnsmgr.net> wrote:
> > -- Start of PGP signed section.
> >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote:
> >> > Author: kevans
> >> > Date: Thu Jul 26 04:07:36 2018
> >> > New Revision: 336731
> >> > URL: https://svnweb.freebsd.org/changeset/base/336731
> >> >
> >> > Log:
> >> >   bectl(8): Redo jail using jail(3) API
> >> >
> >> >   The jail is created with allow.mount, allow.mount.devfs, and
> >> >   enforce_statfs=1. Upon creation, we immediately attach, chdir to "/", and
> >> >   drop the user into a shell inside the jail.
> >> >
> >> >   The default IP for this is arbitrarily 10.20.30.40.
> >>
> >> It seems this would only allow working in a single jailed BE at a
> >> time, correct?
> >
> > Also it is just bad practice to use arbitrary IPs from
> > rfc1918 space. IMHO it would be better to pick a
> > rfc3927 link local address, or one of the rfc5737 test
> > network addresses.
> >
> > Please see RFC5735 page 6, table in section 4, no
> > place in FreeBSD base system should we be shipping
> > stuff that uses rfc1918, that is private space that
> > does not belong to the OS.
> >
> 
> Right on both accounts (Shawn + Rod)... I changed it from an arbitrary
> IP in 192.168/16 space that was conflicting with my local network
> (heh... that was fun) with the intent of later changing it to just be
> configurable rather than hard-coding an IP [1] because I think that no
> matter what choice I try to go with, someone's going to want something
> else. I'd rather not make such choices at all and force you to instead
> specify an IP every time, a la "bectl jail testenv 10.8.0.100".
> 
> The default remains 10.20.30.40 until that time, though, and it seemed
> that anyone wanting to test this should be aware.

Can you make it just unconfigured instead?  I really am strongly
pressing the point that we should never ever commit rfc1918 addresses
to the repository.

Some address in 192.168/16 conflicted with your network,
some address in 10/8 conflicts with my network, and probably others.

If you do anything, stick a 169.254 on it.  That is after all what
link locals are for.

> [1] see the "XXX TODO" I dropped in the area, which mentions the
> former and meant to hint at the latter
> 

-- 
Rod Grimes                                                 rgrimes at freebsd.org

