Date:      Mon, 12 Mar 2001 20:35:54 -0500
From:      "Dave VanAuken" <dave@hawk-systems.com>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: FreeVSD for FreeBSD? 
Message-ID:  <DBEIKNMKGOBGNDHAAKGNIEMHECAA.dave@hawk-systems.com>
In-Reply-To: <200103122333.KAA10180@tungsten.austclear.com.au>

so all in all, still a lot of time and coding required, and you pretty
much massacre the jail and its function by doing that...

the other option is chrooting all the relevant required applications
individually, or creating safe copies of them (a la Verio virtual
servers).  Again, back to the lots of coding and time.

No one has a prepackaged FreeVSD type of port for FreeBSD?

Dave

-----Original Message-----
From: Tony Landells [mailto:ahl@austclear.com.au]
Sent: Monday, March 12, 2001 6:33 PM
To: Dave VanAuken
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FreeVSD for FreeBSD?



dave@hawk-systems.com said:
> was averaging about 200mb per jail, this was with only token reduction
> in un-needed files (no serious pruning) and with inclusion of port
> sources for common entries such as MySQL, PHP, and so forth.  Hard
> linking them could be an option though I have not explored the
> ramifications of:
> 1) linking to a source outside of the jail (chrooted environment)

Well, you can't hard link to a file on a different file system, but
otherwise it is a reference to the inode itself and as such doesn't
care about chroot.

Of course, you still need any dynamic libraries as well.

And by doing this you're bypassing one of the big security advantages
of a jail, because someone breaking into a jail can corrupt the hard
linked files, affecting every jail (and the server) that uses them.

If you were to give someone root access in their jail, they could
"update" software to the detriment of others, particularly if they're
experimenting with, for example, perl and decide that they need some
customisation, but their version dumps core.  They might think "it
doesn't matter, I'll sleep on it and come back to it tomorrow", while
other users are tearing their hair out because their Web site is down,
or something that worked yesterday has stopped working, ...

> 2) the problem of cvsuping the root (host) server and
> dealing with the jail's reliance on hard linked portions of the tree
> that are cvsup'ed without rebuilding the jails (this is a major
> pitfall of jail as I see it)

It depends how you build things.  Since the hard link is a reference
to the inode, if you just change the file contents you're fine (well,
assuming it works--see my previous paragraph).  However, if you build
by recreating files (either moving or removing the original, then
creating a new file with the same name) then you lose because the hard
link will refer to the original inode and thus won't pick up the
change.

A lot of this depends on whether you're using jail for convenience
or security, and whether you intend to give root access in jails to
their "owners".

Cheers,
Tony
--
Tony Landells					<ahl@austclear.com.au>
Senior Network Engineer				Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd		Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
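
The two hard-link behaviours discussed in this thread (an in-place write inside one jail reaching every other link, and a host upgrade done by replacing the file not reaching the jails), as an added example that is not part of the original messages. The directory layout and file names are constructed for the demonstration; `shared_files` is a hypothetical audit helper built on `find -links`.

```shell
#!/bin/sh
# Constructed demo: one "host" file hard-linked into two jail trees.
# Every path and file name here is made up for the example.

setup() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/host/bin" "$demo/jail1/bin" "$demo/jail2/bin"
    echo "perl v1" > "$demo/host/bin/perl"
    ln "$demo/host/bin/perl" "$demo/jail1/bin/perl"
    ln "$demo/host/bin/perl" "$demo/jail2/bin/perl"
}

# In-place write from inside jail1: the inode is unchanged, so the host
# and jail2 read the modified contents too. Prints what jail2 now sees.
inplace_write() {
    echo "perl broken-by-jail1" > "$demo/jail1/bin/perl"
    cat "$demo/jail2/bin/perl"
}

# Host upgrade done by building a new file and renaming it over the old
# name: the host name moves to a new inode, the jails keep the old one.
# Prints what jail2 sees after the upgrade.
replace_upgrade() {
    echo "perl v2" > "$demo/host/bin/perl.new"
    mv -f "$demo/host/bin/perl.new" "$demo/host/bin/perl"
    cat "$demo/jail2/bin/perl"
}

# Audit helper: regular files under a tree with a link count above 1,
# i.e. files reachable through at least one other name.
shared_files() {
    find "$1" -type f -links +1 | sort
}

setup
echo "jail2 after write in jail1:  $(inplace_write)"
echo "host after write in jail1:   $(cat "$demo/host/bin/perl")"
echo "jail2 after host upgrade:    $(replace_upgrade)"
echo "host after host upgrade:     $(cat "$demo/host/bin/perl")"
echo "hard-linked files in jail1:"
shared_files "$demo/jail1"
rm -rf "$demo"
```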




