From owner-freebsd-jail@FreeBSD.ORG Wed Jun 25 16:08:44 2008 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 16AB6106567B for ; Wed, 25 Jun 2008 16:08:44 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id D9C098FC13 for ; Wed, 25 Jun 2008 16:08:43 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 1AB7D46B2A; Wed, 25 Jun 2008 11:50:58 -0400 (EDT) Date: Wed, 25 Jun 2008 16:50:58 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Alexander Leidinger In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net> Message-ID: <20080625164434.J87282@fledge.watson.org> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jun 2008 16:08:44 -0000 On Wed, 25 Jun 2008, Alexander Leidinger wrote: >> ... nfs seems not to be jail friendly. Here is the question at subject. >> Thanks! > > Correct. If you are not afraid to patch the system: zfs has the JAIL flag > set, you just need to do the same with nfs. > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change > it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > > I suggest to not do this with tmpfs if you do shared hosting (you don't want > that strangers eat up all your physical RAM). The security implications of doing this are rather non-trivial, and should be carefully taken carefully into account. This is not a configuration I would recommend for most sites on the basis that they might not be well-equipped to reason about the indirect security consequences. There are also some potentially tricky technical elements here -- for example, some versions of FreeBSD are known to have TCP implementations that are not entirely happy with NFS running in a jail. Likewise, some of the associated services of NFS, such as rpc.statd and rpc.lockd, will not work properly with virtualization prior to 8.x (and possibly after) as they both have interesting security requirements and rely on things like each IP address being associated with at most one client. Robert N M Watson Computer Laboratory University of Cambridge