now you can run net/chrony in a FreeBSD service jail: github.com/freebsd/freebsd-src

unfortunately it doesn't work with ntpd[0], for non-trivial reasons that i'm not really inclined to investigate since i don't use ntpd... but it seems like rc.d/ntpd sets some environment variables in its precmd that it expects to be available later in ntpd_start, but when svcj is enabled, that assumption doesn't hold, so ntpd ends up running without any command-line arguments.

but service jails seem pretty neat in general. i like that every service now has its own 'console' (stdout) log file under /var/log/svcj_${svcname}_console.log. hopefully in the future we can get some more fine-grained restrictions on services, like removing read/write filesystem access.

next task: get BIRD running with svcj. i suspect this might require some changes to permit a jail to modify the routing table. or at least, net_all doesn't say that it permits that.

[0] tested using this non-functional patch: github.com/llfw/freebsd-src/co