Date: Wed, 22 Dec 2010 21:08:03 -0600
From: Adam Vande More <amvandemore@gmail.com>
To: "Jason C. Wells" <jcw@speakeasy.net>
Cc: freebsd general questions <freebsd-questions@freebsd.org>
Subject: Re: Nullfs Allows Jailbreaking
Message-ID: <AANLkTimR7SPE3v6eeiREAfj8tur3OemV9QGehZea9Qtc@mail.gmail.com>
In-Reply-To: <4D12BA51.2010602@speakeasy.net>
References: <4D12BA51.2010602@speakeasy.net>
On Wed, Dec 22, 2010 at 8:56 PM, Jason C. Wells <jcw@speakeasy.net> wrote:
> I like the idea of using a template for multiple jails that I plan to use
> later. I like the idea of mounting the template read only. I had to splice
> in the other nullfs filesystems so that things that need to be read-write
> can be.
>
> But it seems kinda funky. Inside the jail it looks like EVERYTHING is
> read-only and you have no way of knowing that /tmp is actually read-write.
> There seems to be a violation of the segregation going on here.
>
> What pitfalls can you see in a file system scheme like this for my jails?
> Is the above behavior by design or did I find a flaw?

I think you're reinventing the wheel. The sysutils/ezjail already handles this gracefully in addition to many other features. For reference ezjail creates a layout like this:

/usr/jails/www.example.com.device on /usr/jails/www.example.com (ufs, local, soft-updates)
/usr/jails/basejail on /usr/jails/www.example.com/basejail (nullfs, local, read-only)
devfs on /usr/jails/www.example.com/dev (devfs, local, multilabel)

From inside the jail you see:

/usr/jails/www.example.com.device on / (ufs, local, soft-updates)

-- 
Adam Vande More
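The concern raised in the thread is that, from inside a jail, a read-only nullfs template hides which directories are actually writable. The host side has the full picture in mount(8) output, and the check below (an added example, not code from the thread or from ezjail) parses that output to list every mount point under a jail root that is not read-only. The sample mount lines are constructed: the first three repeat the ezjail layout quoted above, and the fourth is a hypothetical read-write nullfs mount of /tmp added to illustrate the case the question describes.

```shell
#!/bin/sh
# Added example: from mount(8)-style output, report which mount points under a
# jail root are writable. Constructed sample input (not a real host):
MOUNT_OUTPUT='/usr/jails/www.example.com.device on /usr/jails/www.example.com (ufs, local, soft-updates)
/usr/jails/basejail on /usr/jails/www.example.com/basejail (nullfs, local, read-only)
devfs on /usr/jails/www.example.com/dev (devfs, local, multilabel)
/usr/jails/www.example.com.device/tmp on /usr/jails/www.example.com/tmp (nullfs, local)'

# Print "<mountpoint> <fstype> <ro|rw>" for every mount whose mount point is
# the given jail root or lies beneath it. mount(8) prints one mount per line as
# "<special> on <mountpoint> (<type>, <option>, ...)".
jail_mounts() {
    root=$1
    printf '%s\n' "$MOUNT_OUTPUT" | awk -v root="$root" '
    {
        mp = $3
        # keep only the root itself and paths under "root/"; this also stops
        # /usr/jails/www matching /usr/jails/www.example.com
        if (mp != root && index(mp, root "/") != 1) next
        type = $4
        sub(/^\(/, "", type); sub(/[,)]$/, "", type)
        mode = ($0 ~ /read-only/) ? "ro" : "rw"
        print mp, type, mode
    }'
}

# Only the writable mounts: the places a process in the jail can modify.
jail_rw_mounts() {
    jail_mounts "$1" | awk '$3 == "rw" { print $1 }'
}

# On a real host replace MOUNT_OUTPUT with: MOUNT_OUTPUT=$(mount)
jail_rw_mounts /usr/jails/www.example.com
```

Running it against the constructed input prints the jail root, its devfs and the /tmp nullfs mount, while the basejail template is correctly reported as read-only; on a real host, substitute the live `mount` output for the constructed variable.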