Date: Wed, 6 Oct 2004 11:36:08 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-current@freebsd.org
Subject: Re: HEADS UP: named now runs chroot'ed by default
Message-ID: <20041006173608.GA58024@seekingfire.com>
In-Reply-To: <20041005170720.M3095@bo.vpnaa.bet>
References: <20040928025635.Q5094@ync.qbhto.arg>
 <200409291951.12610.peter@wemm.org>
 <43039.193.35.129.161.1096541075.squirrel@webmail.xtaz.net>
 <20040930153801.GP35869@seekingfire.com>
 <20041005170720.M3095@bo.vpnaa.bet>

On Tue, Oct 05, 2004 at 05:11:16PM -0700, Doug Barton wrote:
> On Thu, 30 Sep 2004, Tillman Hodgson wrote:
>
> >How does chroot and NFS interact?
>
> It is theoretically possible, but I would not do it for performance and
> reliability reasons. If you are doing something useful with named on a
> real network you will have enough variables that you cannot control
> which will make your life difficult, I personally would not want to add
> more pain to the mix that could be avoided. :)
>
> If you want to share configs, share data, etc; then rsync, scp, etc. are
> your friends. When I was at Yahoo! we had all the essential files in a
> central CVS repo and I used makefiles with various targets to push them
> out to the servers. This made updates, replication, installation, etc.
> very easy with almost no room for error, and no external dependencies
> other than the network and power for the individual name server.

I was using NFS not for sharing between machines but rarely to add a bit
of security and convenience: a host compromise on the named box could not
modify the files (RO export), yet an internal client could update the
zone file easily (ssh/kerberized telnet to the file server in question
and edit the file) and a rndc reload would update the named.

I can move away from that model easily enough, I just need to actually
make a plan to do so. If NFS and chroot are unhappy bedfellows, I'll do
so :-)

-T

-- 
"If knowledge creates problems, ignorance will not solve them"
    -- Isaac Asimov.