From owner-freebsd-questions@FreeBSD.ORG Mon May 15 03:23:06 2006
Date: Mon, 15 May 2006 05:22:59 +0200
From: albi <albi@scii.nl>
To: Philip Hallstrom
Cc: wmoran@collaborativefusion.com, freebsd-questions@freebsd.org, andrew.chace@gmail.com
Subject: Re: VM and jailed processes
Message-Id: <20060515052259.38ff3ba7.albi@scii.nl>
In-Reply-To: <20060514221324.L69900@bravo.pjkh.com>
References: <1147578337.10075.12.camel@LatitudeFC5.network> <20060514100121.60fce840.wmoran@collaborativefusion.com> <1147630193.10075.33.camel@LatitudeFC5.network> <20060514221324.L69900@bravo.pjkh.com>
X-Mailer: Sylpheed version 2.1.1 (GTK+ 2.8.6; i486-pc-linux-gnu)

On Sun, 14 May 2006 22:14:31 -0500 (CDT)
Philip Hallstrom wrote:

> > I'm thinking of using mount_nullfs(8) to provide read-only mounts
> > for all the executables in each jail. I've been doing some reading,
> > 'man rtld(1)', and it seems that the linker will take care of sharing
> > non-writable code between processes, even if the executables are
> > loaded from different mount-points/file-systems.
>
> You should also look at ezjail... it uses the same tricks to reduce
> the size of individual jail systems. I haven't used it, but keep
> meaning to (next server :)
>
> http://erdgeist.org/arts/software/ezjail/

i haven't tried ezjail, but i'm using read-only nullfs mounts with jails
for more than a year on 2 different mail-servers (surprising how one's
own original ideas appear not to be original after a while :)

you should perhaps realise that it's not all that easy, e.g. software
like: postfix, mailman, dovecot or any other smtp or imap/pop3-server
software probably needs 1 special user-account or more to be able to
run, also e.g. postfix and squirrelmail need files in /var/spool/

some software, like postfixadmin, provides a setup-script which refuses
to correctly detect which software is installed (it however runs fine
with most of /usr/local/ directories mounted with nullfs mounted
read-only from a build-jail)

also, you will need to copy /usr/local/etc/ files/dirs when needed

in other words, it's very interesting, but beware of the amount of work
it *might* involve

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
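The layout the thread discusses, as an added example that is not part of any message in it: a shell script that emits fstab(5) lines mounting a jail's system and /usr/local program directories read-only via nullfs from a shared base tree, while leaving /etc, /var (including /var/spool) and /usr/local/etc as per-jail writable copies, and a small audit that reads fstab-format mount output (what `mount -p` prints on FreeBSD) and flags any nullfs mount that was left writable. The paths /usr/jails/basejail and /usr/jails/mail, the directory list, and the sample mount lines are constructed for the example and are not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumed layout: a build/base tree at /usr/jails/basejail, a jail at /usr/jails/mail.

# Directories shared read-only from the base tree. /etc, /var, /tmp and
# /usr/local/etc are deliberately absent: they stay per-jail and writable
# (service accounts, spool directories, copied configuration).
RO_DIRS="bin sbin lib libexec usr/bin usr/sbin usr/lib usr/libexec usr/share \
usr/local/bin usr/local/sbin usr/local/lib usr/local/libexec usr/local/share"

# jail_fstab BASE JAILROOT
# Prints one fstab(5) line per shared directory: source, mount point,
# type nullfs, option ro.
jail_fstab() {
    base=$1
    root=$2
    for d in $RO_DIRS; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$base" "$d" "$root" "$d"
    done
}

# audit_nullfs
# Reads fstab-format lines on stdin and prints the mount point of every
# nullfs mount whose option list lacks "ro". Exit status 1 if any were found,
# so the check can gate a deployment step.
audit_nullfs() {
    awk '$3 == "nullfs" {
        ro = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        if (!ro) { print $2; bad = 1 }
    } END { exit bad ? 1 : 0 }'
}

# Constructed sample of mount -p output: one mount was left rw by mistake.
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
/usr/jails/basejail/usr/bin /usr/jails/mail/usr/bin nullfs ro,nosuid 0 0
/usr/jails/basejail/usr/local/bin /usr/jails/mail/usr/local/bin nullfs rw 0 0
/usr/jails/basejail/usr/lib /usr/jails/mail/usr/lib nullfs ro 0 0'

# Demo: generate the fstab for the mail jail, then audit the sample mounts.
jail_fstab /usr/jails/basejail /usr/jails/mail
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nullfs || echo "writable nullfs mounts found above"
```

The generated lines can be written to a per-jail fstab and mounted with `mount -F`; the audit is meant to run on the host after the jail's mounts are up, since a nullfs mount that silently came up `rw` defeats the point of sharing the binaries.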