Page MenuHomeFreeBSD
Differential D40370

Infrastructure for automatic jailing of rc.d-services
ClosedPublic
Actions

Authored by netchild on Jun 1 2023, 8:53 AM.
Tags
Referenced Files
Unknown Object (File)
Sat, Nov 2, 10:16 AM
Unknown Object (File)
Thu, Oct 24, 2:59 AM
Unknown Object (File)
Thu, Oct 17, 10:12 PM
Unknown Object (File)
Tue, Oct 15, 12:43 AM
Unknown Object (File)
Oct 1 2024, 7:46 AM
Unknown Object (File)
Oct 1 2024, 7:18 AM
Unknown Object (File)
Oct 1 2024, 7:16 AM
Unknown Object (File)
Oct 1 2024, 5:40 AM
View All Files
Subscribers
bcr
guest-patmaddox
imp
mateusz_serveraptor.com

Details

Reviewers
bcr
Commits
rG2efbd480f1d3: rc: add service jails framework
Summary

The man-page contains a reference to behavior of auto-jailing of sshd which requires a change which is not in this patch (but is in another review).

---This implementation depends upon a change for /usr/bin/service which is in https://reviews.freebsd.org/D40369--- committed

This takes a rc.d-service and starts it in a jail which shares the same root-path as the host (or parent jail) and may inherit the network from the host (or parent jail). Per service there is the possibility to specify some arguments which gives more permissions (e.g. netv4, netv6, sysvipc...).

See the included man page update for more info about the functionality.

Do we want to print "Starting svcj-name." instead of "Starting name." when starting services as a svcj, and similar for stop?

Test Plan

I did very light testing of hierarchic jails (auto-jailing inside a jail). For hierarchic jails you need to specify the children.max parameter for the non-automatic jails, as the default doesn't allow it.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

netchild requested review of this revision.Jun 1 2023, 8:53 AM
netchild created this revision.
netchild mentioned this in D40371: automatic service jails: some setup for full functionality of the services in automatic service jails.Jun 1 2023, 9:00 AM
mateusz_serveraptor.com added a subscriber: mateusz_serveraptor.com.Jun 1 2023, 11:19 AM
ihor_antonovs.family added a project: Jails.Jun 5 2023, 2:55 PM
netchild added a project: rc.Jun 6 2023, 8:30 AM
netchild added inline comments.Jun 9 2023, 8:25 AM
libexec/rc/rc.subr
1333

This is not indended correctly as I had this as some kind of debugging info initially. My question here would be if we want to have it as some kind of information (with some other wording, as the execution is not skipped, but done on the host and not inside the service-jail), or if I shall write in the man-page that non-standard commands (e.g. configtest for apache/nginx/postfic/...) will be executed outside of the service-jail and remove this information here?

netchild added inline comments.Jun 15 2023, 7:46 AM
libexec/rc/rc.subr
532

Note to myself: typo "svj-jail"

bcr added a subscriber: bcr.Oct 5 2023, 10:20 AM

Two fixes for the man page.

share/man/man5/rc.conf.5
409

s/explicitely/explicitly/

4965

You need to do a line break after a sentence stop.

netchild updated this revision to Diff 129937.Nov 10 2023, 11:34 AM
netchild set the repository for this revision to rG FreeBSD src repository.

Change what was noticed in comments. Add a feature to enable the execution of extra commands inside the service jail.

Herald added a subscriber: imp. · View Herald TranscriptNov 10 2023, 11:34 AM
netchild marked 2 inline comments as done.Nov 10 2023, 11:36 AM
netchild updated this revision to Diff 130200.Nov 16 2023, 10:09 AM
netchild edited the summary of this revision. (Show Details)

Add support for nfs. Sort the options.

netchild mentioned this in D42779: Handbook / rc-article update for Service Jails.Nov 27 2023, 12:36 PM
netchild edited the summary of this revision. (Show Details)Nov 28 2023, 7:44 PM
guest-patmaddox added a subscriber: guest-patmaddox.Dec 13 2023, 10:00 PM
netchild updated this revision to Diff 132603.Jan 11 2024, 11:11 AM

Make jls quiet.

bcr accepted this revision.Jan 11 2024, 1:20 PM

OK for the man page change. Make sure to bump the .Dd when you commit it for this content change.
Thanks for working on this, it's appreciated!

This revision is now accepted and ready to land.Jan 11 2024, 1:20 PM
Closed by commit rG2efbd480f1d3: rc: add service jails framework (authored by netchild). · Explain WhyMay 22 2024, 1:42 PM
This revision was automatically updated to reflect the committed changes.
netchild added a commit: rG2efbd480f1d3: rc: add service jails framework.

Revision Contents
Changeset List

PathSize
libexec/
rc/
155 lines
share/
man/
man5/
112 lines

Diff 138913

View Options

libexec/rc/rc.subr

Loading...
View Options

share/man/man5/rc.conf.5

Loading...