From owner-freebsd-questions@FreeBSD.ORG Mon Apr 26 04:43:20 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9510F16A4CE for ; Mon, 26 Apr 2004 04:43:20 -0700 (PDT) Received: from flintsbach.schmalzbauer.de (flintsbach.schmalzbauer.de [62.245.232.135]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFCA643D39 for ; Mon, 26 Apr 2004 04:43:17 -0700 (PDT) (envelope-from h@schmalzbauer.de) Received: from bsdharry (firewall.zenk.de [212.14.84.243]) i3QBh2dv012068; Mon, 26 Apr 2004 13:43:03 +0200 (CEST) (envelope-from h@schmalzbauer.de) From: Harald Schmalzbauer Organization: Zenk Gesellschaft =?iso-8859-15?q?f=FCr_Systemberatung?= m.b.H. To: freebsd-questions@freebsd.org Date: Mon, 26 Apr 2004 13:42:42 +0200 User-Agent: KMail/1.6.1 References: <87fzaravaj.fsf@deneb.enyo.de> In-Reply-To: <87fzaravaj.fsf@deneb.enyo.de> X-Name: Zenk Gesellschaft fuer Systemberatung m.b.H. X-Address: Schaeufeleinstrasse 1 X-Location: 80686 Muenchen X-Country: Germany X-Phone: +49 (0) 89 5468490 MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_4WPjAsZo4ZOq05m"; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200404261342.48970.h@schmalzbauer.de> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mailjail.dmz.flintsbach.schmalzbauer.de cc: Florian Weimer Subject: Re: Jail organization X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: antwort@schmalzbauer.de List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Apr 2004 11:43:20 -0000 --Boundary-02=_4WPjAsZo4ZOq05m Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Am Montag, 26. April 2004 12:27 schrieb Florian Weimer: > I'd like to use jails to run different server software in different > jails, so that if one service is compromised, the others are not > affected (unless there are kernel bugs, of course). All jails are in > the same administrative domain. > > Three different ways of setting up the jails come to my mind. > > * No data sharing between any jails. > > Problem: Upgrades are more difficult then necessary (a libc update > has to be applied to each jail individual, for example). > > * /usr is mounted read-only and shared, /usr/local is jail-specific. > > Problem: Installing ports is problematic because some of them want > to write to /usr. > > * Both /usr and /usr/local are shared. > > Problem: All software is available in all jails. Some hackery is > necessary to prevent most of the daemons from starting, and > setuid/setgid binaries might have issues. Use mount_nullfs whenever you need more than the spezialized jail itself wa= s=20 designed for, eg. when installing a new port=20 mount_nullfs /hostusr/ports /jailuser/ports. I explicitly use one single label for each jail. Don't forget in case of a= =20 compromised jail the hacker could simply fill up your filesystem when you u= se=20 only directories. =2DHarry > > So far, I've used the second and third variant, but I have little > experience with handling updates. How do you solve these problems? > Is there a different approach I missed? > > (As an administrator, I'm rather new to FreeBSD, so please bear with > me.) --Boundary-02=_4WPjAsZo4ZOq05m Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQBAjPW4Bylq0S4AzzwRAr0dAJ9209LFl/f/w4JGDWMT7Va/1IF/fQCeJNQR a1/57XU/UX/wEB3GaTl/oow= =fhPR -----END PGP SIGNATURE----- --Boundary-02=_4WPjAsZo4ZOq05m--