Page MenuHomeFreeBSD
Differential D40370

Infrastructure for automatic jailing of rc.d-services
AcceptedPublic
Actions

Authored by netchild on Jun 1 2023, 8:53 AM.
Tags
Referenced Files
F81671768: D40370.diff
Fri, Apr 19, 5:51 PM
Unknown Object (File)
Thu, Apr 18, 4:47 PM
Unknown Object (File)
Sun, Apr 7, 12:28 PM
Unknown Object (File)
Tue, Apr 2, 10:15 AM
Unknown Object (File)
Mar 20 2024, 4:50 AM
Unknown Object (File)
Mar 6 2024, 4:58 AM
Unknown Object (File)
Mar 2 2024, 6:15 AM
Unknown Object (File)
Feb 17 2024, 2:15 AM
View All 52 Files
Subscribers
bcr
guest-patmaddox
imp
mateusz_serveraptor.com

Details

Reviewers
bcr
Summary

The man-page contains a reference to behavior of auto-jailing of sshd which requires a change which is not in this patch (but is in another review).

---This implementation depends upon a change for /usr/bin/service which is in https://reviews.freebsd.org/D40369--- committed

This takes a rc.d-service and starts it in a jail which shares the same root-path as the host (or parent jail) and may inherit the network from the host (or parent jail). Per service there is the possibility to specify some arguments which gives more permissions (e.g. netv4, netv6, sysvipc...).

See the included man page update for more info about the functionality.

Do we want to print "Starting svcj-name." instead of "Starting name." when starting services as a svcj, and similar for stop?

Test Plan

I did very light testing of hierarchic jails (auto-jailing inside a jail). For hierarchic jails you need to specify the children.max parameter for the non-automatic jails, as the default doesn't allow it.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

netchild requested review of this revision.Jun 1 2023, 8:53 AM
netchild created this revision.
netchild mentioned this in D40371: automatic service jails: some setup for full functionality of the services in automatic service jails.Jun 1 2023, 9:00 AM
mateusz_serveraptor.com added a subscriber: mateusz_serveraptor.com.Jun 1 2023, 11:19 AM
ihor_antonovs.family added a project: Jails.Jun 5 2023, 2:55 PM
netchild added a project: rc.Jun 6 2023, 8:30 AM
netchild added inline comments.Jun 9 2023, 8:25 AM
libexec/rc/rc.subr
1153

This is not indended correctly as I had this as some kind of debugging info initially. My question here would be if we want to have it as some kind of information (with some other wording, as the execution is not skipped, but done on the host and not inside the service-jail), or if I shall write in the man-page that non-standard commands (e.g. configtest for apache/nginx/postfic/...) will be executed outside of the service-jail and remove this information here?

netchild added inline comments.Jun 15 2023, 7:46 AM
libexec/rc/rc.subr
379

Note to myself: typo "svj-jail"

bcr added a subscriber: bcr.Oct 5 2023, 10:20 AM

Two fixes for the man page.

share/man/man5/rc.conf.5
402 ↗(On Diff #122693)

s/explicitely/explicitly/

4960 ↗(On Diff #122693)

You need to do a line break after a sentence stop.

netchild updated this revision to Diff 129937.Nov 10 2023, 11:34 AM
netchild set the repository for this revision to rG FreeBSD src repository.

Change what was noticed in comments. Add a feature to enable the execution of extra commands inside the service jail.

Herald added a subscriber: imp. · View Herald TranscriptNov 10 2023, 11:34 AM
netchild marked 2 inline comments as done.Nov 10 2023, 11:36 AM
netchild updated this revision to Diff 130200.Nov 16 2023, 10:09 AM
netchild edited the summary of this revision. (Show Details)

Add support for nfs. Sort the options.

netchild mentioned this in D42779: Handbook / rc-article update for Service Jails.Nov 27 2023, 12:36 PM
netchild edited the summary of this revision. (Show Details)Nov 28 2023, 7:44 PM
guest-patmaddox added a subscriber: guest-patmaddox.Dec 13 2023, 10:00 PM
netchild updated this revision to Diff 132603.Jan 11 2024, 11:11 AM

Make jls quiet.

bcr accepted this revision.Jan 11 2024, 1:20 PM

OK for the man page change. Make sure to bump the .Dd when you commit it for this content change.
Thanks for working on this, it's appreciated!

This revision is now accepted and ready to land.Jan 11 2024, 1:20 PM

Revision Contents
Changeset List

PathSize
libexec/
rc/
155 lines

Diff 132603

View Options

libexec/rc/rc.subr

Loading...