Date: Fri, 30 Mar 2012 10:56:26 +0300
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-fs@freebsd.org
Subject: Re: jailed NFS server
Message-ID: <CAPSTskt0E8UAdX3u=pYx4f%2BtiVQwMErq-hdROhi4CkkE24HDXQ@mail.gmail.com>
In-Reply-To: <20120329202846.GB76833@server.vk2pj.dyndns.org>
References: <CAPSTskvLbixeyYW9BWFR0bSfJ3%2Br59ZYHHLyJAaYFERobO6O=w@mail.gmail.com>
 <0685CC3A-753B-4C5B-9E15-C0565B48F885@ultra-secure.de>
 <CAPSTsku7fefaJQ-whx3OecNhU%2BvLHDcRtFc=iThQY-xoN_uBxA@mail.gmail.com>
 <20120329202846.GB76833@server.vk2pj.dyndns.org>

All NFS clients are "slave nodes" booting diskless and the network structure is a build/compute farm. I therefore have nothing to be concerned with regards to security on the internal network side, as long as I have my PF working correctly. In this structure I do need NFS responding as fast as possible and I really do not want to fiddle with strange errors tinderbox might start throwing at build time because of jail incompatibility.

Thanks for the input everyone, but I've decided to serve NFS from host under the circumstances. So SOLVED, although not as initially intended...

On Thu, Mar 29, 2012 at 11:28 PM, Peter Jeremy <peterjeremy@acm.org> wrote:

> On 2012-Mar-29 05:12:43 +0300, Beeblebrox <zaphod@berentweb.com> wrote:
> >Maybe I will give unfs3 a try. However, one of the reasons I'm trying to
> >set it up is to be able to run Tinderbox on that jail for distributed
> >compiling. When I did a little searching about unfs3 + Tinderbox + jail, it
> >came up with posts about problems and that such setup "does not give good
> >results".
>
> Whilst I've not used unfs3 on FreeBSD, I do use it on Solaris to allow
> me to NFS export a (ZFS) filesystem from within a zone. My experience
> is that it works reasonably well, given its limitations:
> - It's single-threaded. This isn't an issue for me because there are
>   only a couple of light users. It would be useless as a server for
>   more than that.
> - There's no support for locking (lockd/statd).
> - A user who has shell access to the server and can mount a filesystem
>   via unfs3 can DoS the NFS server by killing the unfs3 daemon.
>
> I did find it necessary to fix a number of bugs along the way.
>
> --
> Peter Jeremy