From owner-freebsd-questions@freebsd.org Thu Dec 24 21:33:28 2020
Subject: Re: Network namespaces in FreeBSD
To: freebsd-questions@freebsd.org
From: Ihor Antonov
Message-ID: <5b36e28e-d546-665a-1e89-6fa2323502e7@antonovs.family>
Date: Thu, 24 Dec 2020 13:32:10 -0800
In-Reply-To: <20201224201945.c8ce7c55c1ce68d729805a64@sohara.org>
On 12/24/20 12:19 PM, Steve O'Hara-Smith wrote:
> On Thu, 24 Dec 2020 19:55:12 +0000 (UTC)
> Ameya Deshpande via freebsd-questions wrote:
>
>> - we can't null-mount a single file (useful to inject configs or
>> sockets; linux has mount --bind for that)
>> - combining with jail's root on / it would be nice to be able to make
>> some parts of the tree read-only for the jail (or even hide them)
>
> There's a half-formed idea which keeps coming back to me, not really
> well enough formed to do anything with - imagine being able to do something
> like this:
>
> pkg jail nginx --jail webserver-3 --ip4addr ...
>
> and obtain a jail with just enough in it to run nginx (or whatever
> package you choose) and nothing else - by that I mean not a base system
> with the necessary packages but a system stripped of everything but the
> dependencies of the application - if the application doesn't need ls then
> ls isn't there.

Yes, that too. In the Linux world there is such a thing [1] and it is quite
interesting, until you need to debug something remotely in such an environment.
But this feature actually doesn't need any new kernel features; it's just work
to build the app with a minimal dependency footprint (golang/rust apps, for
example, are quite well suited for that) and then put it into the jail. There
will be some fiddling with logging and process supervision, but nothing new or
impossible.

[1] https://github.com/GoogleContainerTools/distroless
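As an added example (not code from this thread, from FreeBSD, or from distroless), the script below builds the kind of stripped jail root discussed above: one binary plus only the shared libraries ldd(1) reports, a read-only nullfs mount to inject its config, and a jail.conf stanza. The jail name webserver3, the paths and the address are assumptions.

```shell
# Added example, not from the thread: build a "distroless"-style jail root that
# holds one program plus only the shared libraries it links against.
# Assumes FreeBSD (ldd(1), ld-elf.so.1, nullfs, jail(8)); names are made up.
set -eu

# Turn ldd(1) output into resolved library paths, one per line:
# "libc.so.7 => /lib/libc.so.7 (0x...)" yields /lib/libc.so.7. An entry that
# reads "=> not found" is reported on stderr and makes the function fail.
ldd_libs() {
    awk 'BEGIN { bad = 0 }
         /=> \// { print $3; next }
         /not found/ { print "unresolved: " $1 > "/dev/stderr"; bad = 1 }
         END { exit bad }'
}

# Copy program $2 and its libraries under root $1: no shell, no ls, no base.
populate_root() {
    root=$1; prog=$2
    mkdir -p "$root/dev" "$root/libexec" "$root/usr/local/etc/nginx" \
             "$root$(dirname "$prog")"
    install -m 0555 "$prog" "$root$prog"
    ldd "$prog" | ldd_libs | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        install -m 0444 "$lib" "$root$lib"
    done
    # ldd does not list the runtime linker, but every dynamic binary needs it.
    install -m 0555 /libexec/ld-elf.so.1 "$root/libexec/ld-elf.so.1"
}

# jail.conf stanza for root $1. The config directory is injected read-only
# from the host with nullfs (a directory, since a single file cannot be
# null-mounted). There is no /bin/sh for exec.start to run through, so the
# jail is 'persist' and the program is started from the host with jexec.
jail_conf() {
    cat <<EOF
webserver3 {
    path = "$1";
    ip4.addr = "192.0.2.10";
    mount.devfs;
    mount += "/jails/conf/webserver3 $1/usr/local/etc/nginx nullfs ro 0 0";
    persist;
}
EOF
}

# Usage (assumed layout): JAIL_ROOT=/jails/webserver3 JAIL_PROG=/usr/local/sbin/nginx sh build-jail.sh
if [ -n "${JAIL_ROOT:-}" ] && [ -n "${JAIL_PROG:-}" ]; then
    populate_root "$JAIL_ROOT" "$JAIL_PROG"
    jail_conf "$JAIL_ROOT" > "$JAIL_ROOT.conf"
fi
```

After `jail -c -f /jails/webserver3.conf webserver3`, start the program with `jexec webserver3 /usr/local/sbin/nginx`; anything else the program opens at runtime (pid and log directories, mime types) has to be added to the root the same way.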