Date: Mon, 26 Apr 2004 13:42:42 +0200 From: Harald Schmalzbauer <h@schmalzbauer.de> To: freebsd-questions@freebsd.org Cc: Florian Weimer <fw@deneb.enyo.de> Subject: Re: Jail organization Message-ID: <200404261342.48970.h@schmalzbauer.de> In-Reply-To: <87fzaravaj.fsf@deneb.enyo.de> References: <87fzaravaj.fsf@deneb.enyo.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary-02=_4WPjAsZo4ZOq05m Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Am Montag, 26. April 2004 12:27 schrieb Florian Weimer: > I'd like to use jails to run different server software in different > jails, so that if one service is compromised, the others are not > affected (unless there are kernel bugs, of course). All jails are in > the same administrative domain. > > Three different ways of setting up the jails come to my mind. > > * No data sharing between any jails. > > Problem: Upgrades are more difficult then necessary (a libc update > has to be applied to each jail individual, for example). > > * /usr is mounted read-only and shared, /usr/local is jail-specific. > > Problem: Installing ports is problematic because some of them want > to write to /usr. > > * Both /usr and /usr/local are shared. > > Problem: All software is available in all jails. Some hackery is > necessary to prevent most of the daemons from starting, and > setuid/setgid binaries might have issues. Use mount_nullfs whenever you need more than the spezialized jail itself wa= s=20 designed for, eg. when installing a new port=20 mount_nullfs /hostusr/ports /jailuser/ports. I explicitly use one single label for each jail. Don't forget in case of a= =20 compromised jail the hacker could simply fill up your filesystem when you u= se=20 only directories. =2DHarry > > So far, I've used the second and third variant, but I have little > experience with handling updates. How do you solve these problems? > Is there a different approach I missed? > > (As an administrator, I'm rather new to FreeBSD, so please bear with > me.) --Boundary-02=_4WPjAsZo4ZOq05m Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQBAjPW4Bylq0S4AzzwRAr0dAJ9209LFl/f/w4JGDWMT7Va/1IF/fQCeJNQR a1/57XU/UX/wEB3GaTl/oow= =fhPR -----END PGP SIGNATURE----- --Boundary-02=_4WPjAsZo4ZOq05m--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404261342.48970.h>