From owner-freebsd-hackers@FreeBSD.ORG Fri Apr 22 15:42:23 2005
Date: Fri, 22 Apr 2005 17:41:40 +0200
From: Jeremie Le Hen
To: Jas arlerr
cc: freebsd-hackers@freebsd.org
cc: joerg@britannica.bec.de
Subject: Re: Configuration differences for jails
Message-ID: <20050422154140.GW91329@obiwan.tataz.chchile.org>
List-Id: Technical Discussions relating to FreeBSD

Hi,

> I am not very familiar with mount_nullfs, but I think it is _one_ copy with
> _multiple_ references (FIXME). So if we modify something in one jail, the
> same effect will also impose on other jails, even the real machine. Due
> to this problem, readonly mounts may be a good choice.

Usually, /bin and others are never modified, that's why it may be null mounted readonly.
If you want to be able to write to these directories from inside the jail, there are two methods:

- First is to use mount_unionfs(8) which will mount another directory above the null mounted directory. Note that unionfs is currently known to be broken, although there is no official list of known bugs, AFAIK. Having a null mount AND a union mount over it may perhaps introduce a non-negligible overhead, I guess.

- Make each jail have its own world.

> BUT if we do some things related to the /etc files, such as passwd, ro
> mounts can not deal with this situation because different jails need
> different passwd files for private users.
> So I think this can only be done by making a copy of relevant files but not
> ro mounts.

Once again, /etc is not intended to be null mounted. It contains sensitive information about the host that should not be published in jails. You will have to use the "distribution" make target from /usr/src/etc (see my previous email).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
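As an added example (not part of the mail, and not FreeBSD's own tooling), the sh script below lays out the read-only nullfs sharing described in the message while keeping /etc private to each jail via the "distribution" target. The jail root, the SHARED directory list and the per-jail fstab file name are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original mail: plan the read-only nullfs
# layout for one jail and keep /etc per jail. Paths here are assumptions.

# Host directories a jail may share as read-only null mounts. /etc is
# deliberately absent: it carries host-specific, sensitive data and is
# populated per jail from /usr/src/etc "make distribution" instead.
SHARED="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/share"

# Print one fstab(5) line per shared directory, every entry read-only so a
# jail cannot alter the world it shares with the host and the other jails.
fstab_lines() {
    jail_root=$1
    for d in $SHARED; do
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$d" "$jail_root$d" nullfs ro 0 0
    done
}

# Review a plan read on stdin: refuse any nullfs entry that would publish
# /etc (or a subdirectory) into a jail, and any shared mount that is not
# read-only. Returns 0 when the plan is acceptable, 1 otherwise.
check_plan() {
    while read -r src dst fstype opts dump pass; do
        case $src in
            /etc|/etc/*) echo "refusing to null-mount $src into a jail" >&2; return 1 ;;
        esac
        [ "$fstype" = nullfs ] && [ "$opts" = ro ] ||
            { echo "$src is not a read-only nullfs mount" >&2; return 1; }
    done
    return 0
}

# Commands to prepare the jail tree. They are printed, not executed, so the
# plan can be reviewed before running them as root on the host.
install_cmds() {
    jail_root=$1
    echo "mkdir -p $jail_root/etc"
    for d in $SHARED; do echo "mkdir -p $jail_root$d"; done
    # Private /etc for this jail, as the mail recommends.
    echo "make -C /usr/src/etc distribution DESTDIR=$jail_root"
    # Assumed per-jail fstab name; mount(8) takes an alternate fstab via -F.
    echo "mount -a -F /etc/fstab.$(basename "$jail_root")"
}
```

Save the output of fstab_lines to the per-jail fstab only after check_plan accepts it; a jail that needs to write to a shared directory should get its own world instead, as the mail notes.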