Date: Fri, 07 Jun 2024 13:42:32 +0200
From: Alexander Leidinger
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: ports@freebsd.org
Subject: Re: Service for jails?
On 2024-06-07 09:44, Miroslav Lachman wrote:
> On 07/06/2024 08:20, Matthias Fechner wrote:
>> Dear all,
>>
>> I saw in some commit messages that the startup scripts are modified
>> like:
>>
>> BBB_svcj_options=${BBB_svcj_options:-"net_basic"}
>>
>> But I cannot find anything in the porters handbook about that new
>> parameter.
>>
>> Can maybe someone explain that a little bit more, what it is and why
>> it makes sense to add this?

Service jails run the start and stop commands in a jail. The jail uses the complete filesystem of the host, but without any options it has no network access or access to other stuff which is restricted in a jail. The above config line gives access to the network of the host (IPv4 and IPv6). I've sent out a lot of patches to some port maintainers to add this config (mysql, postgresql, postfix, dovecot, php, nginx, apache, ...), so that a simple "sysrc XXX_svcj=YES" makes this feature work out of the box (some are committed, some are under review, some I have just sent out). An alternative is to set the XXX_svcj_options in rc.conf, but then it means 2 lines of config instead of only 1 to enable it.
This does not make much sense when you run services in jails anyway (if you enable subjails, it is supposed to work and spawn a jail inside the jail), but for stuff which is run on the host itself, it is a very easy way to add one more layer of security to the security onion (without the need that you know how to set up jails or to maintain them separately). I have e.g. syslogd jailed with this.

> It is for service jails where you can easily start "any" service in its
> own jail just by one line in rc.conf
>
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails
>
> https://docs.freebsd.org/en/books/handbook/jails/#service-jails-config
>
> https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails

Does someone have an argument to add something to the porters handbook? And if yes, what? Chapter "6.28. Starting and Stopping Services" is pointing already to the rc-scripting article and the handbook (the latter with the issue of going to the first page of the handbook instead of the correct chapter).

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
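The precedence the reply describes (a script-supplied svcj_options default that rc.conf may override, so enabling a service jail becomes one `sysrc XXX_svcj=YES` line) as an added, portable shell model; this is illustration code, not the message's or FreeBSD's rc.subr, and the rc.conf contents and service name `nginx` in the test are constructed.

```shell
#!/bin/sh
# Added example: models how an rc.d default line of the form
#     foo_svcj_options=${foo_svcj_options:-"net_basic"}
# combines with rc.conf. It does not source /etc/rc.subr and does not
# create a jail; it only resolves the two variables that decide whether
# the service gets a service jail and with which options.

# $1 = service name
# $2 = rc.conf text (constructed for the demonstration)
# $3 = the rc.d script's svcj_options default ("" = script sets none)
# Prints "<YES|NO> <options>"; "-" stands for "jail with no options",
# i.e. a jail without network access, as described in the thread.
svcj_resolve() {
    name=$1; rcconf=$2; script_default=$3
    svcj=NO; opts=""
    # Read only the two relevant assignments; ignore all other lines.
    while IFS= read -r line; do
        case $line in
            "${name}_svcj="*)         svcj=${line#*=} ;;
            "${name}_svcj_options="*) opts=${line#*=} ;;
        esac
    done <<EOF
$rcconf
EOF
    # rc.conf values are normally quoted; drop the quotes.
    svcj=$(printf '%s' "$svcj" | tr -d '"')
    opts=$(printf '%s' "$opts" | tr -d '"')
    # The idiom from the thread: the script default applies only when
    # rc.conf left the variable unset or empty, so an admin override wins.
    opts=${opts:-$script_default}
    case $svcj in
        [Yy][Ee][Ss]) printf '%s %s\n' YES "${opts:--}" ;;
        *)            printf '%s %s\n' NO  "${opts:--}" ;;
    esac
}
```

With the default present in the script, `nginx_svcj="YES"` alone yields a jail with host networking; without it the same single line yields a jail with no network, and a second rc.conf line is needed.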