From owner-freebsd-questions@FreeBSD.ORG Mon Apr 26 03:27:37 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6257E16A4CE for ; Mon, 26 Apr 2004 03:27:37 -0700 (PDT) Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF99843D41 for ; Mon, 26 Apr 2004 03:27:36 -0700 (PDT) (envelope-from fw@deneb.enyo.de) Received: (debugging) helo=deneb ip=212.9.189.171 name=deneb.enyo.de Received: from deneb.enyo.de ([212.9.189.171] helo=deneb) by mail.enyo.de with esmtp id 1BI3Km-0004mI-R5 for freebsd-questions@freebsd.org; Mon, 26 Apr 2004 12:27:32 +0200 Received: from fw by deneb with local (Exim 4.32) id 1BI3Km-0001Cb-B0 for freebsd-questions@freebsd.org; Mon, 26 Apr 2004 12:27:32 +0200 To: freebsd-questions@freebsd.org From: Florian Weimer Date: Mon, 26 Apr 2004 12:27:32 +0200 Message-ID: <87fzaravaj.fsf@deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Jail organization X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Apr 2004 10:27:37 -0000 I'd like to use jails to run different server software in different jails, so that if one service is compromised, the others are not affected (unless there are kernel bugs, of course). All jails are in the same administrative domain. Three different ways of setting up the jails come to my mind. * No data sharing between any jails. Problem: Upgrades are more difficult then necessary (a libc update has to be applied to each jail individual, for example). * /usr is mounted read-only and shared, /usr/local is jail-specific. Problem: Installing ports is problematic because some of them want to write to /usr. * Both /usr and /usr/local are shared. Problem: All software is available in all jails. Some hackery is necessary to prevent most of the daemons from starting, and setuid/setgid binaries might have issues. So far, I've used the second and third variant, but I have little experience with handling updates. How do you solve these problems? Is there a different approach I missed? (As an administrator, I'm rather new to FreeBSD, so please bear with me.) -- Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net, postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.