Re: Service for jails?

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Fri, 07 Jun 2024 11:42:32 UTC
On 2024-06-07 09:44, Miroslav Lachman wrote:
> On 07/06/2024 08:20, Matthias Fechner wrote:
>> Dear all,
>> 
>> I saw in some commit messages that the startup scripts are modified 
>> like:
>> 
>> BBB_svcj_options=${BBB_svcj_options:-"net_basic"}
>> 
>> But I cannot find anything in the porters handbook about that new 
>> parameter.
>> 
>> Can maybe someone explain that a little bit more, what it is and why 
>> it makes sense to add this?

Service jails run the start and stop commands in a jail. The jail uses 
the complete filesystem of the host, but without any options it has no 
network access or access to other stuff which is restricted in a jail. 
The above config line gives access to the network of the host (IPv4 and 
IPv6).

I've sent out a lot of patches to some port maintainers to add this 
config (mysql, postgresql, postfix, dovecot, php, nginx, apache, ...), 
so that a simple "sysrc XXX_svcj=YES" makes this feature work out of the 
box (some are committed, some are under review, some I have just sent 
out). An alternative is to set the XXX_svcj_options in rc.conf, but then 
it means 2 lines of config instead of only 1 to enable it.

This does not make much sense when you run services in jails anyway (if 
you enable subjails, it is supposed to work and spawn a jail inside the 
jail), but for stuff which is run on the host itself, it is a very easy 
way to add one more layer of security to the security onion (without the 
need that you know how to set up jails or to maintain them separately). I 
have e.g. syslogd jailed with this.

> It is for service jails where you can easily start "any" service in its 
> own jail just by one line in rc.conf
> 
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails
> 
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails-config
> 
> https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails

Does someone have an argument to add something to the porters handbook? 
And if yes, what? Chapter "6.28. Starting and Stopping Services" is 
pointing already to the rc-scripting article and the handbook (the latter 
with the issue of going to the first page of the handbook instead of the 
correct chapter).

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
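An added example, not part of the thread and not FreeBSD's own tooling: a small POSIX sh script that checks which rc.d scripts ship a `NAME_svcj_options` default of the form quoted above, and prints the `sysrc` lines needed to run each service as a service jail (one line when the port ships a default, two when the options still have to be set in rc.conf). It assumes the default is written exactly as in the quoted commit, `NAME_svcj_options=${NAME_svcj_options:-"net_basic"}`; the sample rc.d scripts `webd` and `legacyd` are constructed stand-ins for `/etc/rc.d` and `/usr/local/etc/rc.d` so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's own code): audit rc.d
# scripts for a shipped *_svcj_options default and print the rc.conf
# settings needed to run each service as a service jail.
# Assumption: the default is written as in the quoted commit:
#   NAME_svcj_options=${NAME_svcj_options:-"net_basic"}

# Print the default svcj options declared in an rc.d script, or nothing
# if the script declares none. Quoted and unquoted defaults are accepted.
svcj_default_of() {
    sed -n 's/^[A-Za-z0-9_]*_svcj_options=[$]{[A-Za-z0-9_]*_svcj_options:-"\{0,1\}\([^"}]*\)"\{0,1\}}.*/\1/p' "$1" | head -n 1
}

# Print the sysrc command(s) that enable the service jail for one script:
# one line if the script ships a default, two if the options must be set
# by hand in rc.conf (the "2 lines instead of 1" case from the thread).
# $1 = service name (rc.d basename), $2 = script path,
# $3 = options to use when the script has no default
svcj_enable_cmds() {
    if [ -n "$(svcj_default_of "$2")" ]; then
        printf 'sysrc %s_svcj=YES\n' "$1"
    else
        printf 'sysrc %s_svcj=YES\nsysrc %s_svcj_options="%s"\n' "$1" "$1" "$3"
    fi
}

# One line per script in a directory: "<name> <default or ->".
audit_svcj_defaults() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        d=$(svcj_default_of "$f")
        printf '%s %s\n' "$(basename "$f")" "${d:--}"
    done
}

# Constructed stand-in for an rc.d directory (webd ships a default,
# legacyd does not). Prints the directory path.
make_sample_rcdir() {
    dir=$(mktemp -d)
    cat > "$dir/webd" <<'EOF'
#!/bin/sh
# PROVIDE: webd
. /etc/rc.subr
name=webd
rcvar=webd_enable
load_rc_config $name
webd_svcj_options=${webd_svcj_options:-"net_basic"}
run_rc_command "$1"
EOF
    cat > "$dir/legacyd" <<'EOF'
#!/bin/sh
# PROVIDE: legacyd
. /etc/rc.subr
name=legacyd
rcvar=legacyd_enable
load_rc_config $name
run_rc_command "$1"
EOF
    echo "$dir"
}

# Demo run on the constructed directory; on a real host you would point
# audit_svcj_defaults at /etc/rc.d and /usr/local/etc/rc.d instead.
rcdir=$(make_sample_rcdir)
audit_svcj_defaults "$rcdir"
svcj_enable_cmds webd "$rcdir/webd" net_basic
svcj_enable_cmds legacyd "$rcdir/legacyd" net_basic
rm -rf "$rcdir"
```

Running the audit over a real rc.d directory shows at a glance which services can be jailed with the single `sysrc NAME_svcj=YES` from the thread and which still need `NAME_svcj_options` set explicitly in rc.conf.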