Date:      Mon, 17 Feb 2014 11:53:42 -0700
From:      Ian Lepore <ian@FreeBSD.org>
To:        "A.J. 'Fonz' van Werven" <freebsd@skysmurf.nl>
Cc:        freebsd-stable@FreeBSD.org, Phil Regnauld <regnauld@x0.dk>
Subject:   Re: Should I use jail?
Message-ID:  <1392663222.1145.19.camel@revolution.hippie.lan>
In-Reply-To: <20140217183927.GA6886@spectrum.skysmurf.nl>
References:  <CAA_8tFq7JNw0=nqz5ByyfJs8cyEu+5z+sry=NESViegUSZBJ0Q@mail.gmail.com> <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl> <20140216151257.GP71201@macbook.bluepipe.net> <20140217183927.GA6886@spectrum.skysmurf.nl>

On Mon, 2014-02-17 at 19:39 +0100, A.J. 'Fonz' van Werven wrote:
> Phil Regnauld wrote:
> 
> >>> For what it's worth I never, ever run any service without running it in
> >>> a jail.
> >> 
> >> Smartass comment: if that includes ntpd or a master NIS server, would
> >> you care to divulge how you did that?
> > 
> > I don't know why the NIS server would be any different,
> 
> The problem with NIS (and by extension NFS) is rpcbind, which AFAIK cannot
> run in a jail.
> 
> For jails that are NIS clients(*) I currently have to use a workaround I
> found on the Forums, which is to add
> 
>   service rpcbind forcestop
> 
> to /etc/rc.d/ypbind because otherwise (yp)chsh, (yp)chfn and (yp)passwd
> won't work from the jails.
> 
> > but for services that require access to devices (say, ntpd talking to a
> > GPS over USB), you define new devfs rules to unhide the requisite /dev/
> > entries for the jails running the service. I do this for OpenDNSSEC
> > using a smartcard reader.
> > 
> > Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
> > among other things - but beware of giving access to raw devices this
> > way) and ugen* devices under /dev/
> > 
> > [devfsrules_jail_bpf=5]
> > add include $devfsrules_jail
> > add path 'bpf*' unhide
> > add path 'ugen0.*' unhide
>  
> What do you know: what was intended as a smartass comment that I almost
> refrained from sending in the first place actually elicited a useful
> response. Thank you very much for the suggestion, I'll look into that.
> 
> The main question would be which /dev entry provides (write) access to the
> system clock, if that even goes through a /dev entry to begin with. A
> quick look through /usr/src/sys didn't turn up anything.

ntpd (or anything else running as root) steers the system clock using
ntp_adjtime(2), defined in sys/timex.h.  There are no devices
involved unless ntpd is also processing a PPS signal, in which case it
uses /dev/pps#.

-- Ian

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1392663222.1145.19.camel>