Re: NetBSD Jails

To: "Aaron B." <aaron%zadzmo.org@localhost>
Subject: Re: NetBSD Jails
From: Sad Clouds <cryintothebluesky%gmail.com@localhost>
Date: Thu, 21 May 2020 08:08:20 +0100

On Thu, 21 May 2020 00:17:27 -0400
"Aaron B." <aaron%zadzmo.org@localhost> wrote:

> There's still networking to worry about after that, but just isolating
> processes in a more useful way is a huge step forward.

You can probably do that. If you use chroot to emulate containers,
simply partition UID and GID assignment into blocks. Each chroot gets a
unique /etc/passwd and /etc/group where IDs are offset by some value.
You just need to make sure to rebuild binary databases. This way
multiple processes that use the same user name (e.g. sshd, postfix,
httpd, etc) and are started inside chroot, run under unique IDs and
cannot send signals to one another.

There is no isolation for networking. You can assign multiple aliased
IP addresses to a single interface, but they are all visible and
accessible inside chroot. You need to be really careful about which
listening sockets you create and avoid wildcard addresses. NetBSD has
kauth(9) framework which could be use for RBAC, so potentially you could
restrict process access to specific IP addresses, but someone has to
write kernel modules and user applications that implement RBAC.

Follow-Ups:
- Re: NetBSD Jails
  - From: Stephen Borrill

References:
- Re: NetBSD Jails
  - From: Greg A. Woods
- Re: NetBSD Jails
  - From: Sad Clouds
- Re: NetBSD Jails
  - From: Greg A. Woods
- Re: NetBSD Jails
  - From: Niels Dettenbach
- Re: NetBSD Jails
  - From: Greg A. Woods
- Re: NetBSD Jails
  - From: Aaron B.
- Re: NetBSD Jails
  - From: Greg A. Woods
- Re: NetBSD Jails
  - From: Aaron B.

Prev by Date: Re: NetBSD Jails
Next by Date: Re: NetBSD Jails
Previous by Thread: Re: NetBSD Jails
Next by Thread: Re: NetBSD Jails
Indexes:

Home | Main Index | Thread Index | Old Index