documentation/content/en/books/handbook/jails/_index.adoc
* Dependency Conflicts: If multiple thin jails require different versions of the same libraries or software, managing dependencies can become complex. In some cases, this might require additional effort to ensure compatibility.
* Compatibility Challenges: Applications within a thin jail might encounter compatibility issues if they assume a certain base system environment that differs from the shared components provided by the template.
[[service-jails]]
=== Service Jails
A service jail shares the complete filesystem tree directly with the host (the jail root path is [.filename]#/#) and as such can access and modify any file on the host, and shares the same user accounts with the host.
bcr: s/Service/service/g
netchild: I tried to match the style of the existing Thick Jails and Thin Jails above this new part. I may have not understood when to use the uppercase "Thick jail" vs. the "thick jail" part... Can you give me a hint before I blindly lowercase "Service" in the middle of a sentence?
By default it has no access to the network or other resources which are restricted in jails, but they can be configured to re-use the network of the host and to remove some of the jail-restrictions.
The use case for service jails is automatic jailing of services/daemons without any knowledge which files they need with the least amount of configuration.
fernape: Something to change the use of `jailing` as a verb (which is repetitive with regards to service jail): The use case for service jails is automatic jailing... --> The use case for service jails is automatic confinement of services/daemons inside a jail... The last part does not read very clear to me: with the least amount of configuration refers to the jail, but in the middle there is information about needed files... How about: The use case for service jails is automatic confinement of services/daemons inside a jail with minimal configuration, and without any knowledge of the files needed by such service/daemon.
Service jails exist since XXX(special adoc tag?) FreeBSD 15.
Advantages of Service Jails:
bcr: Is this a section heading?
netchild: No. It is a list like for Thick Jails and Thin Jails in the existing text above.
* Zero Administration: A service jail ready service needs only one config line in [.filename]#/etc/rc.conf#, a service which is not service jails ready needs two config lines.
fernape: This list does not render properly. A blank line between the above line and the first bullet is needed (I did not test it). You can run `make run` and visit the local doc set to do some proofreading.
netchild: I more or less copy&pasted what was above. There are no blank lines either. Do you have a reference to which ports/packages I need to install to be able to "make run"?
fernape: Just `hugo`.
* Resource Efficiency: Service jails are more resource efficient than Thin jails, as they do not need any additional disk space or network resource.
fernape: Service --> service and then Thin --> thin for consistency.
netchild: Done... but all the existing parts around it use uppercase versions of Thick/Thin...
* Faster Deployment: Creating and launching service jails is generally faster compared to Thin jails if only distinct services/daemons shall be jailed and no parallel instances of the same service/daemon is needed.
* Shared Resources: Service jails share all resources such as libraries and binaries with the host system. This can potentially lead to more efficient disk caching and improved performance for applications within the jail.
* Process Isolation: Service jails isolate a particular service, it can not see processes which are not a child of the service jail, even if they run within the same user account.
Disadvantages of Service Jails:
* Reduced Isolation: The primary disadvantage of service jails is that they offer no filesystem isolation compared to Thick or Thin jails.
* Security Concerns: The reduced isolation in service jails could pose security risks, as a compromise in one jail might have a greater potential to affect everything on the host system.
Most of the configuration of jails which is discussed below is not needed for service jails.
To understand how jails work, it is recommended to understand those configuration possibilities, but the details about what is needed to configure a service jail is in crossref:jails[service-jails-config, Configuring service jails].
[[vnet-jails]]
=== VNET Jails
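Review bot: The placeholder in `Service jails exist since XXX(special adoc tag?) FreeBSD 15.` is still unresolved and would ship into the handbook as-is; it needs a real version reference before this lands. On the capitalization question in the inline comments: the thin-jail text in this same hunk writes `multiple thin jails` and `a thin jail` in lowercase inside sentences and capitalizes only the heading and the `Advantages of ...:` / `Disadvantages of ...:` list intros, so `Thin jails` and `Thick or Thin jails` mid-sentence in the Resource Efficiency, Faster Deployment and Reduced Isolation bullets should follow that rule too. The Security Concerns bullet should state what the first paragraph already establishes instead of `could pose security risks`: the jail root is `/` and user accounts are shared, so a compromised service inside a service jail can read and modify every host file its user account can reach, and the remaining isolation is limited to process visibility and the default jail restrictions such as no network access. The Process Isolation bullet is a comma splice (`... isolate a particular service, it can not see ...`); split it into two sentences or use `and it cannot see`.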
More information can be found in the chapter crossref:linuxemu[linuxemu,Linux Binary Compatibility].
[[service-jails-config]]
=== Configuring Service Jails
A service jail is configured completely via [.filename]#/etc/rc.conf# or man:sysrc[8].
The base system services are service jails ready.
pauamma_gundo.com: s/basesystem/base system/ here too.
They contain a config line which enables networking or lift other restrictions of jails.
Base system services which do not make sense to run inside jails, e.g. every service which wants to mount or unmount someting in the start of stop method, or only configures something like a route, or firewall, or similar, are configured to not be started as a service jail, even if enabled in [.filename]#/etc/rc.conf#.
bcr: s/Basesystem/Base system/
fernape: Very long line with many examples in the middle of the sentence. How about: Base system services which do not make sense to run inside jails are configured to not be started as a service jail, even if enabled in [.filename]#/etc/rc.conf#. Also typo someting --> something
3rd party services may or may not be service jails ready. To check if a service is service jail ready, the following command can be used:
fernape: 3rd --> Third
[source,shell]
....
# grep _svcj_options /path/to/rc.d/servicename
....
If there is no output, the service is not service jail ready, or does not need any additional privileges like e.g. network access.
If the service is not service jail ready, and needs network access, it can be made ready by adding the neccessary config to [.filename]#/etc/rc.conf#:
fernape: Typo neccessary --> necessary
[source,shell]
....
# sysrc servicename_svcj_options=net_basic
....
For all possible _svcj_options see the man:rc.conf[5] man-page.
fernape: _svcj_options --> `_svcj_options` (to signal this is "code" text and not "normal" text).
To enable a service jail for a given service, the service needs to be stopped and the `servicename_svcj` variable needs to be set to YES.
To put man:syslogd[8] into a service jail, use the following sequence of commands:
bcr: s/So//; s/can be used/Use the following sequence/ (active voice)
[source,shell]
....
# service syslogd stop
# sysrc syslogd_svcj=YES
# service syslogd start
....
If you change the `servicename_svcj` variable, the service needs to be stopped.
fernape: Try to avoid the use of `you`. Use the passive voice here.
If it is not stopped, the rc framework will not detect the correct state of the service and will not be able to do what is requested.
Service jails are managed only via man:rc.conf[5]/man:sysrc[8] and the man:service[8] command.
The jail utilities, like man:jls[8] as described in crossref:jail[jail-management,Jail Management] can be used to investigate the operation, but the man:jail[8] command is not supposed to be used to manage them.
fernape: This crossref points to http://localhost:1313/en/books/handbook/jail/#jail-management while it should point to http://localhost:1313/en/books/handbook/jails/#jail-management (note the jail --> jails in the URL). These are easily caught with `make run` :-)
[[jail-management]]
== Jail Management
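Review bot: The readiness check does not give the reader a decision: `grep _svcj_options /path/to/rc.d/servicename` prints nothing both when a service is not service jail ready and when it is ready but needs no extra privileges (the text says so itself two lines later), so after running it one still cannot tell whether `servicename_svcj_options=net_basic` is required. Suggest saying how to tell the two cases apart, for instance enable `servicename_svcj=YES`, check whether the service works without network, and only then add `net_basic`; that keeps the least-privilege default, since `net_basic` hands the service host network access and should not be set for services that do not need it. Two smaller points in the same hunk: `They contain a config line which enables networking or lift other restrictions of jails.` should read `lifts`, and the requirement to stop the service before changing `servicename_svcj` appears twice (in `To enable a service jail ...` and again in `If you change the ...`), the second time with the reason that the rc framework otherwise misdetects the state; one sentence next to the `service syslogd stop` sequence would read better than the split version.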