Glad it's working for you!
>A significant reduction in complexity. However, and the reason for my
>delay in replying. Magic happened! I was now transmitting data which
>crossed jail barriers (from b3 "named" to b2 "named logging"). I needed
>to consult with one of the FreeBSD developers to ensure that a security
>hole wasn't occurring. :)
Well, that's also what you were doing with your former
b3:named2 and b3:named-log2, except you were transmitting the data via
a named pipe created in your run script explicitly instead of an
anonymous pipe created by s6-rc implicitly. The integrated pipe
feature does not touch your security model at all; if you were to
consult with a FreeBSD developer, you needed to do it before making
the change. :)
>It appears (and I'm assuming) that s6 uses pseudo terminal sub-system to
>communicate. In this specific case below, per pts/3
No, s6 does not use pseudo-terminals at all; all it does is let
processes inherit fds from their parent. In your case, /dev/pts/3 seems
to be s6-svscan's stdout and stderr; if you don't want to have
pseudo-terminals, you should check the script that launches your
supervision tree, and redirect s6-svscan's outputs accordingly.
--
Laurent
Received on Tue Oct 06 2020 - 10:29:04 UTC