Date: Thu, 26 Jun 2008 16:36:51 +0400 From: Boris Samorodov <bsam@ipt.ru> To: Robert Watson <rwatson@FreeBSD.org> Cc: Alexander Leidinger <Alexander@Leidinger.net>, freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? Message-ID: <16441660@bb.ipt.ru> In-Reply-To: <20080625164434.J87282@fledge.watson.org> (Robert Watson's message of "Wed\, 25 Jun 2008 16\:50\:58 %2B0100 \(BST\)") References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625164434.J87282@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 25 Jun 2008 16:50:58 +0100 (BST) Robert Watson wrote: > On Wed, 25 Jun 2008, Alexander Leidinger wrote: > >> ... nfs seems not to be jail friendly. Here is the question at > >> subject. Thanks! > > > > Correct. If you are not afraid to patch the system: zfs has the JAIL > > flag set, you just need to do the same with nfs. > > > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > > change it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > > > > I suggest to not do this with tmpfs if you do shared hosting (you > > don't want that strangers eat up all your physical RAM). > The security implications of doing this are rather non-trivial, and > should be carefully taken carefully into account. This is not a > configuration I would recommend for most sites on the basis that they > might not be well-equipped to reason about the indirect security > consequences. > There are also some potentially tricky technical elements here -- for > example, some versions of FreeBSD are known to have TCP > implementations that are not entirely happy with NFS running in a > jail. Likewise, some of the associated services of NFS, such as > rpc.statd and rpc.lockd, will not work properly with virtualization > prior to 8.x (and possibly after) as they both have interesting > security requirements and rely on things like each IP address being > associated with at most one client. Thanks, Robert. Security issues are surely should be taken into consideration here. I'll check if the task may be changed towards static mounts (i.e. outside the jail). WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?16441660>