Bug 248029 - Allow ability to use socket option SO_REUSEPORT_LB in jail
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.0-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-jail (Nobody)
Keywords: patch
Reported: 2020-07-16 21:25 UTC by Dmitry Wagin
Modified: 2020-07-23 14:42 UTC



Attachments
SO_REUSEPORT_LB.diff (733 bytes, patch)
2020-07-16 21:25 UTC, Dmitry Wagin

Description Dmitry Wagin 2020-07-16 21:25:05 UTC
Created attachment 216500
SO_REUSEPORT_LB.diff

Currently the socket option SO_REUSEPORT_LB does not work as intended in a jail.
Comment 1 Andrey V. Elsukov freebsd_committer 2020-07-17 08:09:09 UTC
Can you explain the reason you want this feature?

It seems to me that this was explicitly disallowed for security reasons.
E.g. you have a host that provides jails and some load-balanced service, and a jailed user cannot run some bad service to join the load-balanced service. With your patch this seems possible.
Comment 2 Dmitry Wagin 2020-07-17 08:25:36 UTC
(In reply to Andrey V. Elsukov from comment #1)

Without this it is impossible:
* running a load-balanced service in a single jail
* running a load-balanced service in multiple jails

plus tasks to minimize downtime during upgrades of services running in a jail
Comment 3 Dmitry Wagin 2020-07-17 11:04:59 UTC
(In reply to Andrey V. Elsukov from comment #1)
> E.g. You have host that provides jails and some load-balanced service, and
> jailed user can not run some bad service to join to load-balanced service.
> With your patch this seems possible.

VNET should solve this problem?