Date:      Mon, 15 May 2006 05:22:59 +0200
From:      albi <albi@scii.nl>
To:        Philip Hallstrom <freebsd@philip.pjkh.com>
Cc:        wmoran@collaborativefusion.com, freebsd-questions@freebsd.org, andrew.chace@gmail.com
Subject:   Re: VM and jailed processes
Message-ID:  <20060515052259.38ff3ba7.albi@scii.nl>
In-Reply-To: <20060514221324.L69900@bravo.pjkh.com>
References:  <1147578337.10075.12.camel@LatitudeFC5.network> <20060514100121.60fce840.wmoran@collaborativefusion.com> <1147630193.10075.33.camel@LatitudeFC5.network> <20060514221324.L69900@bravo.pjkh.com>

On Sun, 14 May 2006 22:14:31 -0500 (CDT)
Philip Hallstrom <freebsd@philip.pjkh.com> wrote:

> > I'm thinking of using mount_nullfs(8) to provide read-only mounts
> > for all the executables in each jail. I've been doing some reading,
> > 'man rtld(1)', and it seems that the linker will take care of sharing
> > non-writable code between processes, even if the executables are
> > loaded from different mount-points/file-systems.
> 
> You should also look at ezjail...  it uses the same tricks to reduce
> the size of individual jail systems.  I haven't used it, but keep
> meaning to (next server :)
> 
> http://erdgeist.org/arts/software/ezjail/

I haven't tried ezjail, but I'm using read-only nullfs mounts with
jails for more than a year on 2 different mail-servers (surprising how
one's own original ideas appear not to be original after a while :)

you should perhaps realise that it's not all that easy, e.g. software
like postfix, mailman, dovecot or any other smtp or imap/pop3-server
software probably needs 1 special user-account or more to be able to
run; also e.g. postfix and squirrelmail need files in /var/spool/

some software, like postfixadmin, provides a setup-script which refuses
to correctly detect which software is installed (it however runs fine
with most of /usr/local/ directories mounted with nullfs
mounted read-only from a build-jail)

also, you will need to copy /usr/local/etc/ files/dirs when needed

in other words, it's very interesting, but beware of the amount of work
it *might* involve

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
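As an added example (not code from this thread or from ezjail), the sh script below emits the fstab.<jail> nullfs entries that rc.d/jail mounts before a jail starts, sharing a build jail's binaries read-only into a mail jail as the thread describes, and audits an fstab for nullfs entries that forgot "ro"; the /jails/build and /jails/mail paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates read-only nullfs fstab entries
# for a jail and audits an fstab for nullfs mounts that are not read-only.
# The /jails/build and /jails/mail paths below are assumptions.

# nullfs_fstab BUILD_ROOT JAIL_ROOT DIR...: one read-only nullfs entry per DIR,
# mounting BUILD_ROOT/DIR onto JAIL_ROOT/DIR.
nullfs_fstab() {
    build="$1"; jail="$2"; shift 2
    for d in "$@"; do
        printf '%s%s\t%s%s\tnullfs\tro\t0\t0\n' "$build" "$d" "$jail" "$d"
    done
}

# writable_nullfs FSTAB: print every nullfs entry whose options field lacks
# "ro". Exit status 1 when at least one is found, so a deploy script can
# refuse to start a jail whose shared binaries would be writable from inside.
writable_nullfs() {
    awk '$3 == "nullfs" {
             n = split($4, opt, ","); ro = 0
             for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
             if (!ro) { print; found = 1 }
         }
         END { exit found ? 1 : 0 }' "$1"
}

# Demo on a constructed fstab: /usr/local and /usr/bin come read-only from the
# build jail; /var/spool is deliberately absent because it stays a writable
# per-jail directory; the "rw" line is the mistake the audit should catch.
demo_fstab=$(mktemp) || exit 1
{
    nullfs_fstab /jails/build /jails/mail /usr/local /usr/bin
    printf '/jails/build/usr/lib\t/jails/mail/usr/lib\tnullfs\trw\t0\t0\n'
} > "$demo_fstab"
echo "nullfs mounts not marked read-only:"
writable_nullfs "$demo_fstab" || echo "audit failed: fix the entries above"
rm -f "$demo_fstab"
```

Copy the generated lines into /etc/fstab.<jail> and point jail_<jail>_fstab at it; the writable exceptions (/var/spool, the copied /usr/local/etc) stay ordinary directories inside the jail root.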
