From: Beeblebrox
To: freebsd-fs@freebsd.org
Date: Fri, 30 Mar 2012 10:56:26 +0300
Subject: Re: jailed NFS server

All NFS clients are "slave nodes" booting diskless and the network structure is a build/compute farm. I therefore have nothing to be concerned with regards to security on the internal network side, as long as I have my PF working correctly. In this structure I do need NFS responding as fast as possible and I really do not want to fiddle with strange errors tinderbox might start throwing at build time because of jail incompatibility.

Thanks for the input everyone, but I've decided to serve NFS from host under the circumstances. So SOLVED, although not as initially intended...

On Thu, Mar 29, 2012 at 11:28 PM, Peter Jeremy wrote:

> On 2012-Mar-29 05:12:43 +0300, Beeblebrox wrote:
> >Maybe I will give unfs3 a try. However, one of the reasons I'm trying to
> >set it up is to be able to run Tinderbox on that jail for distributed
> >compiling. When I did a little searching about unfs3 + Tinderbox + jail, it
> >came up with posts about problems and that such setup "does not give good
> >results".
>
> Whilst I've not used unfs3 on FreeBSD, I do use it on Solaris to allow
> me to NFS export a (ZFS) filesystem from within a zone. My experience
> is that it works reasonably well, given its limitations:
> - It's single-threaded. This isn't an issue for me because there are
>   only a couple of light users. It would be useless as a server for
>   more than that.
> - There's no support for locking (lockd/statd).
> - A user who has shell access to the server and can mount a filesystem
>   via unfs3 can DoS the NFS server by killing the unfs3 daemon.
>
> I did find it necessary to fix a number of bugs along the way.
>
> --
> Peter Jeremy