Re: Automatic service jails - review request
- In reply to: Gleb Popov : "Re: Automatic service jails - review request"
Date: Fri, 02 Jun 2023 09:29:30 UTC
Quoting Gleb Popov <arrowd@freebsd.org> (from Thu, 1 Jun 2023 14:35:46 +0300):

> On Thu, Jun 1, 2023 at 1:25 PM Alexander Leidinger
> <Alexander@leidinger.net> wrote:
>>
>> Hi,
>>
>> I implemented a functionality which allows to automatically put rc.d
>> services into jails.
>
> This is highly related to what I did in
> https://github.com/freebsd/freebsd-ports/tree/main/ports-mgmt/rc-subr-jail
> although my approach isn't automatic in any way.

When you committed that I had a very quick look. I understand it as follows:
 - my stuff: low security, higher security than no jail, very easy to set up
 - your stuff: medium security, higher than what I do (due to a separate FS), more work required to set up
 - one service per vnet-jail, manual setup required: full security, much more setup work

And I think our stuff is complementary. As I understand it by a quick look, your code would be used inside an rc.d script to set up a jail tailored to the service, whereas my code doesn't need any change to rc.d scripts in the easiest case, and could live with only rc.conf entries for the service, but 1 config change to the rc.d service would make it self-contained.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF