From: Boris Samorodov
To: Robert Watson
Cc: Alexander Leidinger, freebsd-jail@FreeBSD.org
Date: Thu, 26 Jun 2008 16:36:51 +0400
Subject: Re: is nfs mount inside jail possible?
Message-ID: <16441660@bb.ipt.ru>
In-Reply-To: <20080625164434.J87282@fledge.watson.org> (Robert Watson's message of "Wed, 25 Jun 2008 16:50:58 +0100 (BST)")
References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625164434.J87282@fledge.watson.org>

On Wed, 25 Jun 2008 16:50:58 +0100 (BST) Robert Watson wrote:

> On Wed, 25 Jun 2008, Alexander Leidinger wrote:
>
> >> ... nfs seems not to be jail friendly. Here is the question at
> >> subject. Thanks!
> >
> > Correct. If you are not afraid to patch the system: zfs has the JAIL
> > flag set, you just need to do the same with nfs.
> >
> > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and
> > change it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);
> >
> > I suggest not doing this with tmpfs if you do shared hosting (you
> > don't want strangers to eat up all your physical RAM).
>
> The security implications of doing this are rather non-trivial, and
> should be carefully taken into account. This is not a configuration I
> would recommend for most sites on the basis that they might not be
> well-equipped to reason about the indirect security consequences.
>
> There are also some potentially tricky technical elements here -- for
> example, some versions of FreeBSD are known to have TCP
> implementations that are not entirely happy with NFS running in a
> jail. Likewise, some of the associated services of NFS, such as
> rpc.statd and rpc.lockd, will not work properly with virtualization
> prior to 8.x (and possibly after) as they both have interesting
> security requirements and rely on things like each IP address being
> associated with at most one client.

Thanks, Robert. Security issues surely should be taken into
consideration here. I'll check whether the task may be changed towards
static mounts (i.e. outside the jail).

WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve