From: Kevin Day
To: Jan Bramkamp
Cc: freebsd-fs@freebsd.org
Subject: Re: Neutered devices in jails (per FS flag?)
Date: Wed, 16 Sep 2015 11:58:38 -0500
Message-Id: <7D445BFC-AB18-4EAD-8065-F0A934B1A479@dragondata.com>
In-Reply-To: <55F99F5A.302@rlwinm.de>

> On 16/09/15 18:30, Kevin Day wrote:
>> We’re currently using jails to allow servers to copy backups of
>> themselves to a central backup server. The problem we’re having is
>> with mknod/devices. Currently jails don’t allow device files to be
>> created, which makes sense - you don’t want them to be able to bypass
>> the jail by opening /dev/kmem or something. We want jails to be able
>> to create device files, just not be able to open/use them.
>>
>> Has anyone given any thought to changing this behavior? Allowing
>> jails to create/manipulate device files, but not actually opening
>> them? I.e. instead of returning EPERM on creating the device, instead
>> return EPERM on opening it? This would likely need to be a filesystem
>> flag, because jails still require some devices to work (a separate
>> devfs mount or something). We could make the jail’s /dev read only or
>> use devfs so those devices still work, but have the parent jail
>> directory with a “noopendev” flag or something similar.
>>
>> Has anyone gone down this path before?
>
> There is no reason to back up device files on FreeBSD because FreeBSD
> uses a dynamic devfs. Back up the devfs rules and devfs.conf instead
> of the device files.

We’re backing up non-FreeBSD systems, as well as some software that
creates its own devices inside a mini-chroot it needs to run.