Date: Thu, 24 Dec 2020 13:32:10 -0800
From: Ihor Antonov <ihor@antonovs.family>
To: freebsd-questions@freebsd.org
Subject: Re: Network namespaces in FreeBSD
Message-ID: <5b36e28e-d546-665a-1e89-6fa2323502e7@antonovs.family>
In-Reply-To: <20201224201945.c8ce7c55c1ce68d729805a64@sohara.org>
References: <SG2PR01MB2443D481AC24AF7207218E0EF1DE0.ref@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <SG2PR01MB2443D481AC24AF7207218E0EF1DE0@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <20201223182227.da6c11d3604eb07bb4f18ce5@sohara.org> <A577602D-C1A9-4B6E-822E-03641A4070A0@FreeBSD.org> <2581038e-fa0f-231d-ae33-1b42d50c8600@antonovs.family> <e59209c3-af09-68e9-c78d-ddf70909f354@qeng-ho.org> <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family> <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org> <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family> <1687992626.3246491.1608839712067@mail.yahoo.com> <20201224201945.c8ce7c55c1ce68d729805a64@sohara.org>
On 12/24/20 12:19 PM, Steve O'Hara-Smith wrote:
> On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
> Ameya Deshpande via freebsd-questions <freebsd-questions@freebsd.org> wrote:
>
>> - we can't null-mount a single file (useful to inject configs or
>> sockets; linux has mount --bind for that)
>> - combining with jail's root on / it would be nice to be able to make
>> some parts of the tree read-only for the jail (or even hide them)
>
> There's a half formed idea which keeps coming back to me not really
> well enough formed to do anything with - imagine being able to do something
> like this:
>
> pkg jail nginx --jail webserver-3 --ip4addr ...
>
> and obtain a jail with just enough in it to run nginx (or whatever
> package you choose) and nothing else - by that I mean not a base system
> with the necessary packages but a system stripped of everything but the
> dependencies of the application - if the application doesn't need ls then
> ls isn't there.
>

Yes, that too. In the linux world there is such a thing [1] and it is quite interesting, until you need to debug something remotely in such an environment. But this feature actually doesn't need any new kernel features, it's just work to build the app with minimal dependency footprint (golang/rust apps as example are quite well suited for that) and then put it into the jail. There will be some fiddling with logging and process supervision, but nothing new or impossible.

[1] https://github.com/GoogleContainerTools/distroless
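The "strip the jail down to the application's dependencies" idea discussed above, as an added example that is not from this thread, from FreeBSD's pkg, or from the distroless project: a POSIX sh script that reads ldd(1) output for a binary and copies only that binary, its shared libraries and the runtime linker into a jail root. It assumes ldd prints dependencies in the usual "name => /path (0x...)" form, that the runtime linker lives at /libexec/ld-elf.so.1 (FreeBSD's ldd does not list it), and the nginx paths in the constructed sample output are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from any FreeBSD tool.
# Builds a minimal jail root containing one binary plus its shared-library
# dependencies, so nothing else (no ls, no sh) is available inside the jail.

# Parse ldd(1)-style output on stdin and print one absolute library path per
# line. Handles "libc.so.7 => /lib/libc.so.7 (0x...)" lines and bare
# "/path/to/loader (0x...)" lines, skipping the "/path/to/binary:" header
# and pseudo-entries such as "[vdso]".
parse_ldd_deps() {
    awk '
        $2 == "=>" && $3 ~ /^\//   { print $3; next }
        $1 ~ /^\// && $1 !~ /:$/   { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into $root, recreating its directory layout underneath.
install_into_root() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Populate $root with $binary, every library ldd reports for it, and the
# runtime linker (assumed location /libexec/ld-elf.so.1, which FreeBSD's ldd
# does not include in its listing).
build_minimal_root() {
    root=$1; binary=$2
    install_into_root "$root" "$binary"
    ldd "$binary" | parse_ldd_deps | while read -r lib; do
        install_into_root "$root" "$lib"
    done
    if [ -f /libexec/ld-elf.so.1 ]; then
        install_into_root "$root" /libexec/ld-elf.so.1
    fi
}

# Constructed sample ldd output (FreeBSD style; paths are hypothetical) so the
# parser can be exercised offline without a real nginx binary present.
SAMPLE_LDD='/usr/local/sbin/nginx:
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x8002a5000)
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x8002d5000)
	libc.so.7 => /lib/libc.so.7 (0x800300000)
	[vdso] (0x7ffffffff000)'

# Print the dependency list parsed from the constructed sample.
sample_deps() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd_deps
}

# Usage: sh minimal_jail_root.sh /jails/webserver-3 /usr/local/sbin/nginx
# Without arguments the script only parses the constructed sample.
if [ $# -ge 2 ]; then
    build_minimal_root "$1" "$2"
else
    sample_deps
fi
```

The resulting root is enough for the application to start but still needs whatever the application reads at runtime (its config directory, a writable log or run directory, and for nginx the files it serves), which is exactly the "fiddling with logging" the reply mentions. The payoff from the defender's side is that the jail contains nothing an intruder could reuse beyond the application itself, and an audit of the jail's contents is a short, reviewable list rather than a full base system.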