Date: Wed, 13 Nov 2002 22:20:57 +0300 (MSK)
From: Dmitry Morozovsky
To: Hans Zaunere
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Shared files within a jail
In-Reply-To: <20021113030847.69266.qmail@web12801.mail.yahoo.com>
Message-ID: <20021113221521.N49845-100000@woozle.rinet.ru>

On Tue, 12 Nov 2002, Hans Zaunere wrote:

HZ> After much searching and contemplation, I've decided to ask the
HZ> question directly:
HZ>
HZ> I'm implementing a jail server, which will provide a very limited set
HZ> of resources (Apache/MySQL/PHP). Setup is going well; however, I've run
HZ> into a little snag that I hope can be worked out.
HZ>
HZ> I want to allow the users the ability to compile and use their own
HZ> instances of Apache and MySQL from within the jail. But instead of
HZ> duplicating the basic system libs and bins, I'd like to maintain a
HZ> single repository of this, which can then be read-only from within the
HZ> jail. Options:
HZ>
HZ> -- Symlinks won't work because of the chroot.
HZ> -- Mounts from within the jail aren't allowed, plus a single partition
HZ>    can't be mounted multiple times, AFAIK.
HZ> -- I don't have NFS set up, and I would like to avoid it as much as
HZ>    possible.
HZ> -- mount_null seems to be the answer; however, the warning at the end of
HZ>    the man page is scary.
HZ>
HZ> Is there any combination of these (or anything I'm forgetting) that
HZ> could help me here? Is mount_null stable?
HZ>
HZ> I've had an account on a jail server which had /shared visible within
HZ> the jail, and symlinks to /bin, /usr/lib and such. I'm not sure how
HZ> this was actually implemented, and I'd be interested if anyone has seen
HZ> or heard of any solutions to this type of problem.

I did multiple sets of:

    null:/shared/J/usr   /J/jailNN/usr
    procfs               /J/jailNN/proc
    mfs:48k              /J/jailNN/dev

with a bit of tweaking, such as: /bin and /sbin moved to ${JHOME}/usr/Rbin
and /Rsbin and symlinked; /usr/home and /usr/local moved out to the jail
home and symlinked for a standard jail there, as well as a useful mount
such as:

    null:/shared/J/local /J/jailNN/local

... and it at least seems workable for some ten to twenty jails on a
moderately powerful (1.5 GHz Athlon with 512M of memory) machine. All jails
are rather lightweight (have only Apache/PHP besides the base system),
though.

Sincerely,
D.Marck [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
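The per-jail mount set described in the reply above, as an added example that is not code from the original post or from FreeBSD: a small sh script that emits fstab(5)-style lines for jail NN (null mount of the shared /usr and /local, procfs, a small mfs for /dev) and then checks the plan for the property Hans asked for, namely that every null mount of the shared tree is read-only. The paths /shared/J and /J, the `ro` option on the nullfs lines, and the mfs line's backing device and `-s` size option are assumptions for illustration (the post itself gives only `mfs:48k`); the /bin and /sbin symlink tweaks from the reply are left out.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check the
# mount plan for one jail. Assumed layout: shared read-only base tree under
# /shared/J, jail roots under /J/jailNN.
SHARED="${SHARED:-/shared/J}"
JROOT="${JROOT:-/J}"

# jail_fstab NN: print fstab(5)-style lines for jail NN.
# The nullfs lines carry "ro" so a user in one jail cannot modify binaries
# and libraries that every other jail executes (assumption: the post does
# not show its mount options).
jail_fstab() {
    j="$JROOT/jail$1"
    printf '%s %s nullfs ro 0 0\n' "$SHARED/usr"   "$j/usr"
    printf '%s %s nullfs ro 0 0\n' "$SHARED/local" "$j/local"
    printf '%s %s procfs rw 0 0\n' proc "$j/proc"
    # mfs for /dev: device and "-s" size syntax assumed for a 4.x-era
    # mount_mfs; "48k" is carried over from the post as-is.
    printf '%s %s mfs rw,-s=48k 0 0\n' /dev/ad0s1b "$j/dev"
}

# check_shared_ro: read fstab lines on stdin and return 1 if any nullfs
# mount whose source lies under $SHARED is not mounted read-only.
check_shared_ro() {
    bad=0
    while read -r src dst fstype opts _rest; do
        case "$fstype" in nullfs) ;; *) continue ;; esac
        case "$src" in "$SHARED"/*) ;; *) continue ;; esac
        case ",$opts," in
            *,ro,*) ;;
            *) echo "writable shared mount: $src -> $dst" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: jail_fstab 01 | check_shared_ro && jail_fstab 01 >> /etc/fstab.jail01
```

The check is the one worth keeping around: if someone later "fixes" a build problem by turning a shared null mount read-write, it is this property, not the mount itself, that breaks the isolation between jails.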