From: "Rodney W. Grimes"
Message-Id: <201807261417.w6QEH37R046032@pdx.rh.CN85.dnsmgr.net>
Subject: Re: svn commit: r336731 - projects/bectl/sbin/bectl
To: Kyle Evans
Date: Thu, 26 Jul 2018 07:17:03 -0700 (PDT)
CC: "Rodney W. Grimes", Shawn Webb, src-committers, svn-src-projects@freebsd.org
Reply-To: rgrimes@freebsd.org

> On Thu, Jul 26, 2018 at 8:32 AM, Rodney W. Grimes
> wrote:
> > -- Start of PGP signed section.
> >> On Thu, Jul 26, 2018 at 04:07:37AM +0000, Kyle Evans wrote:
> >> > Author: kevans
> >> > Date: Thu Jul 26 04:07:36 2018
> >> > New Revision: 336731
> >> > URL: https://svnweb.freebsd.org/changeset/base/336731
> >> >
> >> > Log:
> >> > bectl(8): Redo jail using jail(3) API
> >> >
> >> > The jail is created with allow.mount, allow.mount.devfs, and
> >> > enforce_statfs=1. Upon creation, we immediately attach, chdir to "/", and
> >> > drop the user into a shell inside the jail.
> >> >
> >> > The default IP for this is arbitrarily 10.20.30.40.
> >>
> >> It seems this would only allow working in a single jailed BE at a
> >> time, correct?
> >
> > Also it is just bad practice to use arbitrary IP's from
> > rfc1918 space. IMHO it would be better to pick a
> > rfc3927 link local address, or one of the rfc5737 test
> > network addresses.
> >
> > Please see RFC5735 page 6, table in section 4, no
> > place in FreeBSD base system should we be shipping
> > stuff that uses rfc1918, that is private space that
> > does not belong to the OS.
> >
>
> Right on both accounts (Shawn + Rod)... I changed it from an arbitrary
> IP in 192.168/16 space that was conflicting with my local network
> (heh... that was fun) with the intent of later changing it to just be
> configurable rather than hard-coding an IP [1] because I think that no
> matter what choice I try to go with, someone's going to want something
> else. I'd rather not make such choices at all and force you to instead
> specify an IP every time, a la "bectl jail testenv 10.8.0.100".
>
> The default remains 10.20.30.40 until that time, though, and it seemed
> that anyone wanting to test this should be aware.

Can you make it just unconfigured instead?

I really am strongly pressing the point that we should never ever
commit rfc1918 addresses to the repository.

Some address in 192.168/16 conflicted with your network,
some address in 10/8 conflicts with my network, and probably
others.

If you do anything stick a 169.254 on it.
That is after all what link locals are for.

> [1] see the "XXX TODO" I dropped in the area, which mentions the
> former and meant to hint at the latter

--
Rod Grimes rgrimes@freebsd.org
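
The address classes argued over in this thread, as an added example that is not part of the original message or of bectl: a small source lint that flags hard-coded RFC 1918 literals and lets RFC 3927 link-local and RFC 5737 test-net addresses pass. The function names, labels and the C sample are constructed for illustration.

```python
import ipaddress
import re

# Ranges named in the thread; the label strings are this example's own.
RANGES = [
    ("rfc1918-private", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-private", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-private", ipaddress.ip_network("192.168.0.0/16")),
    ("rfc3927-link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("rfc5737-test-net", ipaddress.ip_network("192.0.2.0/24")),
    ("rfc5737-test-net", ipaddress.ip_network("198.51.100.0/24")),
    ("rfc5737-test-net", ipaddress.ip_network("203.0.113.0/24")),
]

# A dotted quad that is not part of a longer dotted number such as "1.2.3.4.5".
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")


def classify(text):
    """Return the range label for an IPv4 literal, 'other', or None if invalid."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None  # e.g. "999.1.1.1" looks like an address but is not one
    for label, net in RANGES:
        if addr in net:
            return label
    return "other"


def find_hardcoded_private(source):
    """Return (line number, literal) for every RFC 1918 address in the text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in IPV4_RE.finditer(line):
            if classify(match.group(1)) == "rfc1918-private":
                findings.append((lineno, match.group(1)))
    return findings


# Constructed sample input, not taken from the bectl sources.
SAMPLE = '''\
/* constructed sample */
#define DEFAULT_JAIL_IP "10.20.30.40"
static const char *doc_example = "192.0.2.10";
static const char *fallback = "169.254.7.9";
static const char *version = "1.2.3.4.5";
'''

if __name__ == "__main__":
    for lineno, literal in find_hardcoded_private(SAMPLE):
        print(f"line {lineno}: hard-coded RFC 1918 address {literal}")
```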