Settings and impact of the "Jail Basic Properties Screen" not clear to me.

Louis2 (Contributor, joined Sep 7, 2019, 177 messages)
Hello,

I am trying to set up jails and, of course, I try to understand what I am doing and how to do things.
But that is not so easy... At this moment I try to understand the jail "Basic Properties Screen".

Below are some settings / parameters I do not understand at all; hopefully someone can clarify them.


devfs_ruleset
On https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports I read:
"The rules, by default as configured by /etc/rc.conf, are loaded at boot via the devfs service(8). The rules can be reloaded by running the command"

However, I could not find any clue in the host's rc.conf, and also not in the jail's rc.conf.
The setting seems to refer to a ruleset... but which one!? And where are they described!??


Jail user management
Jail applications / services should of course not run from the jail's root account (or even worse, the host's root account). So I wonder what the roles of exec_system_user and exec_jail_user are, and what the impact of these settings is...

After switching to a jail shell with "jexec no csh", "whoami" shows me that I am the jail's root.

I noticed that:
  • To become jail:root, no password is required... it is automatic.
  • "cut -d: -f1 /etc/passwd" shows neither the exec_system_user nor the exec_jail_user.
  • And I can enter any username in the "Basic Properties Screen".
  • I did define the users in the host account administration, but I do not have the idea that there is any relation.
  • "ps -aux" only shows processes running either as root, mysql or www... nothing related to either exec_system_user or exec_jail_user.

exec_system_user
Is this related to a jail-defined user or a host-defined user??
For what purpose?
What is the impact / where and for what is this setting used??

exec_jail_user
Same questions.


SYSV IPC
Shared Memory, Semaphores and Message Queues are collectively known as SYSV IPC. Shared Memory is used when software wants to share a chunk of memory between processes. Semaphores are used for interprocess communication. They are often used to check and manage allocation of resources such as shared memory. Message Queues will not be covered in this blogpost.

new: Creates a new separate SYSV namespace for this jail. This is what you want!! IMHO
So: sysvmsg, sysvsem, sysvmsg, sysvshm all seem unnecessary to me,
the more so given the fact that the allow_sysvipc setting further on says "deprecated"!

vnet_interfaces
Not sure what the intention is, perhaps interfaces GENERATED by the jail!!?? Whatever; I am using a vnet interface to bind the jail to the outside world (despite the fact that the setting here is "none").
Whatever it is, it seems to be a network setting, something you would expect under network properties.

I would be glad if someone could clarify these points and/or could provide links to pages where the mentioned parameters, their usage and impact are described.