Date:      Wed, 25 Jun 2008 16:50:58 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Alexander Leidinger <Alexander@Leidinger.net>
Cc:        freebsd-jail@FreeBSD.org
Subject:   Re: is nfs mount inside jail possible?
Message-ID:  <20080625164434.J87282@fledge.watson.org>
In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net>
References:  <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net>


On Wed, 25 Jun 2008, Alexander Leidinger wrote:

>> ... nfs seems not to be jail friendly. Here is the question at subject. 
>> Thanks!
>
> Correct. If you are not afraid to patch the system: zfs has the JAIL flag 
> set, you just need to do the same with nfs.
>
> To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change 
> it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);
>
> I suggest not doing this with tmpfs if you do shared hosting (you don't want 
> strangers to eat up all your physical RAM).

The security implications of doing this are rather non-trivial, and should be 
carefully taken into account.  This is not a configuration I would recommend 
for most sites, on the basis that they might not be well equipped to reason 
about the indirect security consequences.

There are also some potentially tricky technical elements here -- for example, 
some versions of FreeBSD are known to have TCP implementations that are not 
entirely happy with NFS running in a jail.  Likewise, some of the associated 
services of NFS, such as rpc.statd and rpc.lockd, will not work properly with 
virtualization prior to 8.x (and possibly after) as they both have interesting 
security requirements and rely on things like each IP address being associated 
with at most one client.

Robert N M Watson
Computer Laboratory
University of Cambridge
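The patch quoted above works because the kernel's mount path refuses a jailed caller with EPERM unless the filesystem type was registered (via VFS_SET) with VFCF_JAIL, and unless the jail is permitted to mount at all (the security.jail.mount_allowed sysctl). The following is an added illustration, not part of the thread and not FreeBSD kernel source: a small user-space model of that gate, showing why nfs is rejected inside a jail on a stock system and accepted once VFCF_JAIL is added, and why tmpfs stays rejected when it is left alone. The registry, the credential struct, the check() wrapper and the flag set registered for each type are simplified stand-ins chosen for the example; only the flag values follow sys/mount.h.

```c
/*
 * Added user-space model (not FreeBSD kernel source) of the check that
 * decides whether a process inside a jail may mount a filesystem type.
 * It follows the logic of the kernel mount path: a jailed caller gets
 * EPERM unless the jail may mount at all (security.jail.mount_allowed)
 * and the type was registered with VFCF_JAIL.  The registry and the
 * credential struct are simplified stand-ins; flag values as in sys/mount.h.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define VFCF_NETWORK 0x00020000 /* may be mounted over the network */
#define VFCF_JAIL    0x00400000 /* mountable from within a jail */

struct vfsconf {
    const char *vfc_name;
    int         vfc_flags;
};

#define MAX_VFS 8
static struct vfsconf vfsconf_table[MAX_VFS];
static int            vfsconf_count;

/* Stand-in for what VFS_SET(vfsops, name, flags) ends up recording. */
static void vfs_set(const char *name, int flags)
{
    if (vfsconf_count < MAX_VFS) {
        vfsconf_table[vfsconf_count].vfc_name  = name;
        vfsconf_table[vfsconf_count].vfc_flags = flags;
        vfsconf_count++;
    }
}

static const struct vfsconf *vfs_byname(const char *name)
{
    for (int i = 0; i < vfsconf_count; i++)
        if (strcmp(vfsconf_table[i].vfc_name, name) == 0)
            return &vfsconf_table[i];
    return NULL;
}

/* Minimal credential: is the caller jailed, and may the jail mount(2)? */
struct cred {
    int jailed;
    int jail_mount_allowed;
};

/* The gate: returns 0 if the mount may proceed, otherwise an errno value. */
static int mount_check(const struct cred *cr, const char *fstype)
{
    const struct vfsconf *vfsp = vfs_byname(fstype);

    if (vfsp == NULL)
        return ENODEV;                  /* no such filesystem type */
    if (cr->jailed) {
        if (!cr->jail_mount_allowed)
            return EPERM;               /* security.jail.mount_allowed=0 */
        if (!(vfsp->vfc_flags & VFCF_JAIL))
            return EPERM;               /* type not marked jail-safe */
    }
    return 0;
}

/* Stock registration (constructed): zfs carries VFCF_JAIL, nfs and tmpfs do not. */
static void register_stock(void)
{
    vfsconf_count = 0;
    vfs_set("zfs",   VFCF_JAIL);
    vfs_set("nfs",   VFCF_NETWORK);
    vfs_set("tmpfs", 0);
}

/* The patch from the thread: nfs gains VFCF_JAIL; tmpfs is left alone. */
static void register_patched(void)
{
    vfsconf_count = 0;
    vfs_set("zfs",   VFCF_JAIL);
    vfs_set("nfs",   VFCF_NETWORK | VFCF_JAIL);
    vfs_set("tmpfs", 0);
}

/* Convenience wrapper: 0 on success, else errno. */
static int check(const char *fstype, int jailed, int jail_mount_allowed)
{
    struct cred cr = { jailed, jail_mount_allowed };
    return mount_check(&cr, fstype);
}

int main(void)
{
    register_stock();
    printf("stock:   jailed mount nfs   -> %s\n", check("nfs", 1, 1) == EPERM ? "EPERM" : "ok");
    printf("stock:   jailed mount zfs   -> %s\n", check("zfs", 1, 1) == 0 ? "ok" : "EPERM");
    register_patched();
    printf("patched: jailed mount nfs   -> %s\n", check("nfs", 1, 1) == 0 ? "ok" : "EPERM");
    printf("patched: jailed mount tmpfs -> %s\n", check("tmpfs", 1, 1) == EPERM ? "EPERM" : "ok");
    printf("patched: mount_allowed=0    -> %s\n", check("nfs", 1, 0) == EPERM ? "EPERM" : "ok");
    return 0;
}
```

The point of the model is that VFCF_JAIL is a per-type trust decision baked into the kernel, not a per-jail setting: once nfs carries the flag, every jail with mounting enabled can mount NFS, which is why the reply above treats the change as a site-wide security decision rather than a local convenience.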



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080625164434.J87282>