Date: Fri, 9 Mar 2001 19:14:55 +0100 (CET)
From: Oliver Fromme <olli@secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: nullfs et al
Message-ID: <200103091814.TAA91443@lurza.secnetix.de>
Hi,

What is the "proper" way to mount binaries etc. into a bunch of jail homes? Obviously, I don't want to copy /bin, /usr/bin, /usr/lib etc. for every jailed user. BTW, I'm using 4-stable.

I've grepped the lists and found the following possible solutions:

(A) Local NFS loopback mounts. Seems to work reliably. Is this the best way? Somehow it is my impression that the NFS causes some overhead and might cause some performance impact. Any opinions? BTW, this particular machine doesn't use any NFS otherwise (neither client nor server).

(B) NULLFS (mount_null). The manpage contains explicit warnings, so using this is probably not a good idea. However, if the mounted directory is read-only and all NULLFS mounts are read-only, too, does it still cause crashes, or would this be more secure? Apparently NULLFS has been fixed in 5-current, but I don't want to run -current on this machine.

(C) UNIONFS (mount_union), possibly with the -r option, which seems to be pretty much the same functionality as NULLFS. The manpage contains the same warning, however, I've seen opinions in the list archives that UNIONFS is more stable than NULLFS, in particular when used read-only. Anyone with more experiences on this?

(D) Copy the partition data in the disklabel, so that multiple partitions occupy the same physical space on the disk (e.g. da0s1g and da0s1h point to the same filesystem), then mount each of them read-only. Would this be safe? The only thing that I don't like about this approach is that it doesn't scale very well, because each disklabel only holds 8 partition entries, so I would need a slice for every 8 jails.

I'd appreciate any comments.

Regards
   Oliver

PS: Any replies back to the mailing list, please. No need to Cc me, as I do read the list.

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"All that we see or seem is just a dream within a dream" (E. A. Poe)