On 2024-06-07 09:44, Miroslav Lachman wrote:
On 07/06/2024 08:20, Matthias Fechner wrote:
Dear all,

I saw in some commit messages that the startup scripts are modified like:

BBB_svcj_options=${BBB_svcj_options:-"net_basic"}

But I cannot find anything in the porters handbook about that new parameter.

Can maybe someone explain that a little bit more, what it is and why it makes sense to add this?

Service jails run the start and stop commands in a jail. The jail uses the complete filesystem of the host, but without any options it has no network access or access to other stuff which is restricted in a jail. The above config line gives access to the network of the host (IPv4 and IPv6).

I've sent out a lot of patches to some port maintainers to add this config (mysql, postgresql, postfix, dovecot, php, nginx, apache, ...), so that a simple "sysrc XXX_svcj=YES" makes this feature work out of the box (some are committed, some are under review, some I have just sent out). An alternative is to set the XXX_svcj_options in rc.conf, but then it means 2 lines of config instead of only 1 to enable it.

This does not make much sense when you run services in jails anyway (if you enable subjails, it is supposed to work and spawn a jail inside the jail), but for stuff which is run on the host itself, it is a very easy way to add one more layer of security to the security onion (without the need that you know how to set up jails or to maintain them separately). I have e.g. syslogd jailed with this.

It is for service jails where you can easily start "any" service in its own jail just by one line in rc.conf

https://docs.freebsd.org/en/books/handbook/jails/#service-jails

https://docs.freebsd.org/en/books/handbook/jails/#service-jails-config

https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails

Does someone have an argument to add something to the porters handbook? And if yes, what? Chapter "6.28. Starting and Stopping Services" is pointing already to the rc-scripting article and the handbook (the latter with the issue of going to the first page of the handbook instead of the correct chapter).

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
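Added example, not part of the thread above and not code from the FreeBSD rc framework: a small POSIX sh model of how the default line quoted in the thread, `BBB_svcj_options=${BBB_svcj_options:-"net_basic"}`, combines with what an administrator writes in rc.conf. The rc.conf contents are constructed samples, and `effective_svcj_options` is a hypothetical helper written for this example (it is not an rc.subr function; rc.subr's real loading order may differ). The point it shows is the shell semantics of `:-`: the one-line `XXX_svcj=YES` form works because the script supplies "net_basic" itself, but an empty value in rc.conf does not clear that default, so anyone who wants a stricter jail than the port's default has to set a non-empty value instead of blanking it.

```shell
#!/bin/sh
# Added example modelling the svcj_options default line from the thread.
# effective_svcj_options CONF SVC
#   CONF: constructed rc.conf text (shell assignments, one per line)
#   SVC:  service prefix, e.g. BBB
# Prints "<svcj enable> <svcj options>" as the rc script would see them.
effective_svcj_options() {
    conf=$1
    svc=$2

    # Start from a clean slate so earlier calls do not leak values.
    unset "${svc}_svcj" "${svc}_svcj_options"

    # rc.conf is shell syntax; sourcing it is what reading rc.conf amounts to.
    eval "$conf"

    # Administrator's opt-in switch, defaulting to NO.
    eval "enable=\${${svc}_svcj:-NO}"

    # The default line from the patched rc scripts. Note ":-" substitutes the
    # default when the variable is unset OR empty, so an empty rc.conf value
    # does not remove "net_basic"; only a different non-empty value replaces it.
    eval "opts=\${${svc}_svcj_options:-\"net_basic\"}"

    printf '%s %s\n' "$enable" "$opts"
}

# Constructed rc.conf samples:
# 1) the one-line form the patches aim for
effective_svcj_options 'BBB_svcj=YES' BBB                 # YES net_basic
# 2) the two-line form, overriding the script's default
effective_svcj_options 'BBB_svcj=YES
BBB_svcj_options="net_basic custom_opt"' BBB              # YES net_basic custom_opt
# 3) an empty value does not clear the default set by the script
effective_svcj_options 'BBB_svcj=YES
BBB_svcj_options=""' BBB                                  # YES net_basic
# 4) nothing configured: the service is not jailed at all
effective_svcj_options '' BBB                             # NO net_basic
```

Run it with `sh` on any POSIX shell; "custom_opt" in sample 2 is a placeholder to show that a non-empty value replaces the default, not a real service-jail option.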
