by shatteredgate 1636 days ago
A lot of the various security options in systemd: https://www.freedesktop.org/software/systemd/man/systemd.exe...

The sandboxing and mount-related ones are implemented with namespaces, and the idea with them is to not make any of them mandatory so they can be slowly added to system services. That way you can get some of the benefits without needing to build a full rootfs/container for the service. I am not sure how any of those would be done with jails because jails require you to create a chroot and network interface, whereas in Linux the mount and network namespaces are just optional namespaces and you can still use the other namespaces without using them.
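
An added illustration of the opt-in model described in the comment above (not part of the original comment and not taken from any real service): a drop-in that turns on a few of these options for a hypothetical `example.service`. The unit name, drop-in path and `/var/lib/example` are assumptions.

```ini
# /etc/systemd/system/example.service.d/hardening.conf
# Hypothetical drop-in: the unit name and paths are assumptions for illustration.
# Each directive is independent; remove any line and the others still apply.
[Service]
# Mount-namespace based: the service gets its own /tmp and /var/tmp.
PrivateTmp=yes

# Mount-namespace based: the file system hierarchy is read-only for this
# service, apart from the API file systems (/dev, /proc, /sys).
ProtectSystem=strict
# Re-open only the state directory the service has to write to.
ReadWritePaths=/var/lib/example

# Mount-namespace based: /home, /root and /run/user appear empty and inaccessible.
ProtectHome=yes

# Not namespace based: the process and its children cannot gain new
# privileges through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes

# Network-namespace based, deliberately left off here: the service keeps the
# host's network stack while the mount-related isolation above stays active.
# Enabling it later gives the service a namespace with only a loopback device.
#PrivateNetwork=yes
```

The unit's existing root file system is used throughout; no separate rootfs or container image is built. After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security example.service` lists which of these options are active.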

2 comments

> jails require you to create a chroot and network interface,

They don't: you may chroot to /, share the host's network interface, or disable networking.

It's literally a single command:

  trasz@v3:~ % doas jail / foo 127.0.0.1 /bin/sh
  # ps aux
  USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
  root 37975  0,0  0,0 13500 3056  3  SJ   09:11   0:00,01 /bin/sh
  root 37976  0,0  0,0 13624 2776  3  R+J  09:11   0:00,00 ps aux

Also, with epairs you can do some really flexible networking stuff on FreeBSD between jails/jails and the host system and even jails and IPsec tunnels.

Side note: I suppose you could chroot to /.