From: "Isaac (.ike) Levy" <ike@blackskyresearch.net>
Subject: Re: multiple interfaces for jail.conf(1) and jail_set(2)
Date: Wed, 14 Dec 2016 13:33:14 -0500
To: galtsev@kicp.uchicago.edu
Cc: Allan Jude, freebsd-jail@freebsd.org
List: freebsd-jail@freebsd.org ("Discussion about FreeBSD jail(8)")

>> In ezjail I can just do this:
>>
>
> Of course, it is great to learn that some tools can do this or that.
> However, this is only helpful to those who are just choosing what to use
> for the future. Once your choice is made, you (at least I) kind of avoid
> jumping over to doing something using different tools, especially what is
> already done some specific way on your production machine.
>
> I guess what I'm trying to say is: don't be surprised if the OP finds your
> effort to help him ultimately useless.
>
> Incidentally, I for one set up jails "by the book", not by using some tool
> which does it all for me behind the scenes. So, references to any tools
> kind of set me off (hence this, my reply ;-)
>
> Just my $0.02.
>
> Valeri

Sorry to drag this out further, but Valeri is spot on here.
Sorry to indulge and repeat in my own words- after using jail(8) heavily since 1999, and even helping run one of the earliest jail-based ISPs, I am a bit taken aback to see such a propensity toward suggesting 3rd party tooling on this list- particularly as it does not answer my original question.

Has everyone been using so many 3rd party tools for jailing for so long that we've forgotten how jail(8) works, to the point that my original question can't even be recognized? A question not worth answering, but certainly worth pondering! I'm not arguing against the use of nice 3rd party tools, but I do want to make it very clear that they are not required for heavy or even light jailing.

The strength of jail(8) and jail(2), even before important features like multiple IPs and per-jail securelevels etc., was always that it's just another small piece of the UNIX ecosystem- jail(8) was strong because the *entire* base system made it strong.

For example: before multiple jail IPs, we'd often simply NAT addresses on the jailing host itself; a bit of ifconfig(8) scripting made it simple for our environment. Before base provided per-jail devfs rulesets (and even before devfs), we'd simply make and delete packs of '/dev' tarballs for various jails- removing the devices which were inappropriate for our applied need. I could go on forever, but nearly everything one could need in a jailed system can always be set up using other base tools- and the UNIX philosophy.

Even today, jail(8) is still trivially scriptable for starting/stopping and managing many jails. For my use, just using the base system is preferable over 3rd party tooling because I know exactly what I want to do, and with common UNIX knowledge I can manage hundreds and thousands of jails across multiple hardware hosts, with nothing but the base system.

3rd party tools can be wonderful, but over the 17+ years I've been using FreeBSD jail(8), many 3rd party tools have come and gone, and changed a great deal- but the base UNIX system has not fundamentally changed. I mean, even many jail-related scripts I wrote in 1999 are still completely functional and relevant.

Best,
.ike