Date:      Mon, 14 Jul 2003 22:52:31 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        Uwe Doering <gemini@geminix.org>
Cc:        "V. Jones" <vjones62@earthlink.net>
Subject:   Re: jails, ipfilter & stunnel
Message-ID:  <20030714205231.GC4973@garage.freebsd.pl>
In-Reply-To: <3F130FE1.1080308@geminix.org>
References:  <3083978.1058049961635.JavaMail.nobody@scooter.psp.pas.earthlink.net> <3F110290.5060902@geminix.org> <20030714182923.GB4973@garage.freebsd.pl> <3F130FE1.1080308@geminix.org>


On Mon, Jul 14, 2003 at 10:17:37PM +0200, Uwe Doering wrote:
+> >You can check my patch for multiple IPs in jails which also fixes
+> >sockets ordering behaviour.
+> >
+> >	For FreeBSD 4.x:
+> >	http://garage.freebsd.pl/mijail.tbz
+> >	http://garage.freebsd.pl/mijail.README
+> >	For FreeBSD 5.1-CURRENT:
+> >	http://garage.freebsd.pl/mijail5.tbz
+> >	http://garage.freebsd.pl/mijail5.README
+> >	http://garage.freebsd.pl/patches/mijail5.patch
+> 
+> Thanks for the patches.  Did you try to contribute them to the FreeBSD 
+> project?  If so, any reaction so far?

Of course I've tried, but as you can see...:)

+> >If www pages don't have dynamic elements you can mount them as read-only
+> >with mount_null(8) for example. Only logs should be writable, but you
+> >need only one directory with 'schg' flag and touch(1)'ed log files
+> >inside with 'sappnd' flag. Note that 'schg' and 'sappnd' can't be removed
+> >in jail even if securelevel is <= 0.
+> 
+> Just be careful with mount_null(8).  You might get away with it 
+> unscathed if you use it read-only, but you shouldn't try anything else 
+> with it.  Last time I checked I managed to panic the kernel with it even 
+> faster than with mount_union(8), which is badly broken as well (look at 
+> the comment at the end of the man pages).  I wouldn't recommend using 
+> either in a production system.

You could always try to use NFS on the local machine, but those comments from
the manual page's end should be removed in 5.x (for unionfs as well).
There are developers that work on this - tjr@ on nullfs and das@ on unionfs.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
