From nobody Tue Dec 12 09:19:01 2023
Date: Tue, 12 Dec 2023 09:19:01 GMT
Message-Id: <202312120919.3BC9J1nE082361@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore
Subject: git: 0110d603c9 - main - Status/2023Q4: Add service-jails.adoc
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0110d603c91fd040cec7714b35870f3dc76404bc
Auto-Submitted: auto-generated

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=0110d603c91fd040cec7714b35870f3dc76404bc

commit 0110d603c91fd040cec7714b35870f3dc76404bc
Author:     Alexander Leidinger
AuthorDate: 2023-12-12 09:16:19 +0000
Commit:     Lorenzo Salvadore
CommitDate: 2023-12-12 09:17:55 +0000

    Status/2023Q4: Add service-jails.adoc

    Reviewed by: status (Pau Amma)
---
 .../report-2023-10-2023-12/service-jails.adoc | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/website/content/en/status/report-2023-10-2023-12/service-jails.adoc b/website/content/en/status/report-2023-10-2023-12/service-jails.adoc
new file mode 100644
index 0000000000..ce0d7fcb6c
--- /dev/null
+++ b/website/content/en/status/report-2023-10-2023-12/service-jails.adoc
@@ -0,0 +1,33 @@ +=== Service jails -- Automatic jailing of rc.d services + +Links: + +link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + +link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] +link:https://reviews.freebsd.org/D42779[D42779: Handbook / rc-article update for Service Jails] URL: link:https://reviews.freebsd.org/D42779[] + +Contact: Alexander Leidinger + +Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. +A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. +Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). + +If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: +---- +local_unbound_svcj_options=net_basic +local_unbound_svcj=YES +---- +Note: all base system services are covered in the patches with either name_svcj_options or a hard-coded disabling of the service jails feature where it does not make sense (e.g. pure services which change the runtime configuration but do not start daemons, or where things are run which can not be run in a sensible way inside a jail). +As such the local_unbound_svcj_options line above is superfluous and serves just as an example about the amount of configuration needed in total. 
+ +While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user. + +Since the link:../report-2023-04-2023-06/#_service_jailsautomatic_jailing_of_rc_d_services[previous service jails status report], the following were added: + +* support for NFS inside jails in the service jails framework (untested), +* the possibility of jailing other service commands than `start` and `stop`, +* service jails options / config for all base system services in the patch in D40371, +* a first step at documenting the service jails in the Handbook. + +Not all services are tested, but all services are covered with a config. + +Any testing and feedback (even as simple as "service X works in a service jail") is welcome.
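Review bot: In the Links block, the D40371 entry does not end with the ` +` hard line break that the `Links:` line and the D40370 entry both carry, so the D42779 link will render on the same line directly after it; append ` +` to the D40371 line. Separately, `local_unbound`, `name_svcj_options` and `local_unbound_svcj_options` appear in running text without literal markup, while `start` and `stop` in the list further down are in backticks; marking them the same way would make it clear that they are service and rc.conf variable names, and that `name` stands for the service name.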