Date:      Tue, 16 Dec 2014 13:06:59 -0800
From:      Kevin Oberman <rkoberman@gmail.com>
To:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <CAN6yY1sjT0Ja4bP=dkWX8wTGzWXboTui=3ZuPm1=v81N0MMQvA@mail.gmail.com>
In-Reply-To: <20141216092259.GF89148@droso.dk>
References:  <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <e209e27f9eb42850326f5a4df458722b@ultimatedns.net> <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com> <20141216092259.GF89148@droso.dk>

On Tue, Dec 16, 2014 at 1:22 AM, Erwin Lansing <erwin@freebsd.org> wrote:

> On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
> >
> > Please don't conflate issues. Moving BIND out of the base system is
> > something long overdue. I know that the longtime BIND maintainer, Doug B,
> > had long felt it should be removed. This has exactly NOTHING to do with
> > removing the default chroot installation. The ports were, by default
> > installed chrooted. Jailed would have been better, but it was not something
> > that could be done in a port unless the jail had already been set up.
> > chroot is still vastly superior to not chrooted and I was very distressed
> > to see it go from the ports.
> >
>
> While I don't want to get dragged down into this discussion that can go
> on forever without any consensus, I just want to point out that there is
> a slight twist to the above description.  Due to implementational
> details, the ports' chroot was actually inside the base system parts of
> BIND.  Removing the one, removed the other.
>
> I did try my hand at a reimplementation self-contained in the port, but
> that proved less trivial than thought and I never reached a satisfactory
> solution.  If anyone wants to try their hands at it as well and convince
> the new port maintainer, please do so, but trust me when I say that,
> e.g., an ezjail solution is much easier to set up and maintain than
> reverting to the old functionality.  In the end, I'd rather see a
> more general solution that can chroot, or jail, an arbitrary daemon from
> ports rather than special treatment of a single port.  If BIND, why not
> also NSD, unbound, or apache, for argument's sake?
>

Erwin,

Thanks for this explanation! In the prior discussion of this issue back
when BIND was removed from the base, I never saw this and it explains a
great deal. I hope that this will quiet some of the complaints. While it is
still a regression, it's one worth making. Getting BIND out of the base
system really was urgently required.

Thanks for your efforts on this.

Warren,

Nice write-up on jailing BIND. The instructions are easy to follow, but
they are still pretty complex and getting everything right without a
tutorial like this was very tricky. For me it involved a fair amount of
trial and error and before ez-jail it was really, really hard. (Not sure
that I ever got it right.)
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
