Date: Wed, 17 May 2000 15:26:21 -0500 From: "Jacques A . Vidrine" <n@nectar.com> To: Robert Watson <rwatson@freebsd.org> Cc: security@freebsd.org Subject: Re: Jail: Problems? Proper Usage? Status? Practicality? Message-ID: <20000517152621.A48218@bone.nectar.com> In-Reply-To: <Pine.NEB.3.96L.1000517123129.20229D-100000@fledge.watson.org>; from rwatson@freebsd.org on Wed, May 17, 2000 at 12:41:49PM -0400 References: <20000517110758.C6884@bone.nectar.com> <Pine.NEB.3.96L.1000517123129.20229D-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, May 17, 2000 at 12:41:49PM -0400, Robert Watson wrote: > Simple, but costly. Imagine for a moment that you have 700 jails on a > single machine, and you'd like to be able to consistently announce to all > admins of all jails that a version upgrade is taking place on 5/16/2000, > and the downtime is one hour :-). I'd rather have a single file system > exported to all jails, saving space and time. For a jail running apache+php+ssl (a fairly complex application), I have ~3.4 MB of files from the base system (35 files). This isn't very large. One need only store the file once per filesystem (hard links). > I didn't have mine tuned quite that much, I just eliminated clearly > unnecessary things (dmesg, ipfw, ifconfig, ...). Clearly what you > eliminate depends a lot on what you want to do with the jail. I think this is backwards ... one should include in the jail only what is needed, rather than eliminate things that are apparently unneeded. > A similar idea for jails would be a possibility, although that only > catches the files that were used, not the files that might be used > :-). Yep, determining all the paths that an arbitrary application might access is NP-complete :-) But I think an excellent start could be generated by looking at what namei translations are done on behalf of a given process. > I'd like to be > able to (effectively) atomically upgrade a jail by shutting down the jail, > umounting its /usr reference, mounting the new /usr reference, and > restarting the jail. Yes, I think this is the best solution if (a) one has dozens of jails, (b) the requirements of all of them are identical, and (c) the number of files that are to be `shared' among the jails is large. e.g. a public access unix system for web hosting or other. I guess in the latter case, one has to be happy with local NFS mounts at the moment, since VFS layering is, I believe, still buggy. -- Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000517152621.A48218>