Date: Tue, 12 Nov 2002 21:30:59 -0800 (PST)
From: Matthew Dillon
To: "Daniel O'Connor"
Cc: Hans Zaunere, freebsd-hackers@FreeBSD.ORG
Subject: Re: Shared files within a jail

Try using null mounts. The warning is in there because making the null mount code work is a real hack and the authors aren't entirely sure that everything's gotten covered. That said, use of a null mount is certainly a lot safer if the stuff behind the mount is mostly static.

Note that you can also use localhost NFS mounts to replicate pieces of filesystems within jails, but you need to remember that the kernel will wind up caching multiple copies of the data for these two cases and that NFS has file locking issues.

Finally, keep in mind that disk space these days is quite cheap.
Duplicating the data is not as bad a way to go as you might think, and it allows you to incrementally upgrade each jail. It may suffice to use the null mount trick *only* for the big binaries and libraries that you really want to share, and it may be reasonable to use softlinks to accomplish it, like this:

JAIL FILESYSTEM:

    /               complete copy of /
    /usr            complete copy of /usr
    /mnt            null mount of the master /
    /mnt/usr        null mount of the master /usr

And then use softlinks to enforce binary sharing by default:

    /bin/*              instead of the binaries make softlinks to /mnt/bin
    /usr/bin/*          ... softlinks to /mnt/usr/bin
    /usr/lib/*          ... softlinks to /mnt/usr/lib
    /usr/local/lib/*    ... softlinks to /mnt/usr/local/lib
    /usr/local/bin/*    ... softlinks to /mnt/usr/local/bin

So that way the user can remove the softlink and install his own copy of the software if he wishes, and mess with anything else as well.

That's just an example. There are a thousand ways to do it.

                                        -Matt
                                        Matthew Dillon
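
The softlink layout described in the message above, as an added example that is not part of the original post: one function populates a jail directory with links into the null-mounted master while keeping any copy the jail owner installed himself, and a second lists those local copies so each jail's drift from the master can be reviewed. The function names are hypothetical, and mounting the master read-only (`-o ro`) is an assumption made here so that root inside the jail cannot modify the shared binaries.

```shell
#!/bin/sh
# Added example. Assumed layout (from the message): master / is null-mounted at
# <jail>/mnt and master /usr at <jail>/mnt/usr, e.g. on current FreeBSD:
#   mount_nullfs -o ro /    "$jail/mnt"
#   mount_nullfs -o ro /usr "$jail/mnt/usr"

# link_shared MASTER_ROOT JAIL_ROOT DIR      (DIR without leading slash, e.g. usr/bin)
# For every entry in MASTER_ROOT/DIR, make JAIL_ROOT/DIR/<name> a softlink to
# /mnt/DIR/<name>, the path as seen from inside the jail. An entry that already
# exists in the jail and is not a softlink is a jail-local copy and is kept.
# Prints the number of links created or refreshed.
link_shared() {
    master=$1 jail=$2 dir=$3 made=0
    mkdir -p "$jail/$dir" || return 1
    for src in "$master/$dir"/*; do
        [ -e "$src" ] || continue          # empty directory: glob did not match
        name=${src##*/}
        dst="$jail/$dir/$name"
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            continue                       # jail owner installed his own copy
        fi
        ln -sfn "/mnt/$dir/$name" "$dst" && made=$((made + 1))
    done
    echo "$made"
}

# list_local_overrides JAIL_ROOT DIR
# Prints every name in JAIL_ROOT/DIR that is NOT a softlink to /mnt/DIR/<name>,
# i.e. software the jail no longer shares with the master.
list_local_overrides() {
    jail=$1 dir=$2
    for dst in "$jail/$dir"/*; do
        [ -e "$dst" ] || [ -L "$dst" ] || continue
        name=${dst##*/}
        if [ -L "$dst" ] && [ "$(readlink "$dst")" = "/mnt/$dir/$name" ]; then
            continue                       # still shared
        fi
        echo "$name"
    done
}
```

Run `link_shared` once per shared directory (bin, usr/bin, usr/lib, usr/local/lib, usr/local/bin) when building the jail, and `list_local_overrides` before upgrading the master to see which binaries a jail will not pick up.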