From: "Jas arlerr" <jas_arlerr@hotmail.com>
To: jeremie@le-hen.org
Cc: freebsd-hackers@freebsd.org, joerg@britannica.bec.de
Date: Sat, 23 Apr 2005 03:54:36 +0000
Subject: Re: Configuration differences for jails
In-Reply-To: <20050422154140.GW91329@obiwan.tataz.chchile.org>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

>From: Jeremie Le Hen
>To: Jas arlerr
>CC: joerg@britannica.bec.de, freebsd-hackers@freebsd.org
>Subject: Re: Configuration differences for jails
>Date: Fri, 22 Apr 2005 17:41:40 +0200
>
>Hi,
>
>> I am not very familiar with mount_nullfs, but I think it is _one_ copy with
>> _multiple_ references (FIXME). So if we modify something in one jail, the
>> same effect will also impose on other jails, even the real machine. Due
>> to this problem, readonly mounts may be a good choice.
>
>Usually, /bin and others are never modified, that's why it may be null
>mounted readonly. If you want to be able to write to these directories
>from inside the jail, there are two methods:
>
> - First is to use mount_unionfs(8) which will mount another
>   directory above the null mounted directory. Note that unionfs
>   is currently known to be broken, although there is no official
>   list of known bugs, AFAIK. Having a null mount AND a union
>   mount over it may perhaps introduce a non-negligible overhead,
>   I guess.
>
> - Make each jail have its own world.
>
>> BUT if we do some things related to the /etc files, such as passwd, ro
>> mounts can not deal with this situation because different jails need
>> different passwd files for private users.
>> So I think this can only be done by making a copy of relevant files but not
>> ro mounts.
>
>Once again, /etc is not intended to be null mounted. It contains
>sensitive information about the host that should not be published in
>jails. You will have to use the "distribution" make target from
>/usr/src/etc (see my previous email).

I see! Thanks for your explanation!

regards
Jas
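The two rules Jeremie gives above (a null mount is one shared copy, so it must be read-only; /etc carries host-specific secrets, so it must never be null mounted) can be checked mechanically before a jail is started. The script below is an added example, not code from the thread or from FreeBSD; it assumes the jail's mounts are kept in a fstab(5)-style file of the kind mount(8) -F reads, and the /jails/www paths in the sample are constructed.

```shell
#!/bin/sh
# Added example: lint a jail's fstab(5)-style mount list for the two risks
# discussed in the thread. Each line is assumed to have the usual fields:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# Reads the file named in $1, or stdin when no argument is given.
# Prints one finding per line and returns 1 if anything was flagged.
lint_jail_fstab() {
    awk '
        /^[[:space:]]*#/ { next }        # comment line
        NF == 0          { next }        # blank line
        $3 == "nullfs" {
            src = $1; opts = $4
            # 1. nullfs shares ONE copy with the host and every other jail
            #    that mounts it, so a writable null mount lets a jail alter
            #    the host. Require "ro" among the comma-separated options.
            if (("," opts ",") !~ /,ro,/) {
                print "WRITABLE nullfs: " src " -> " $2; bad++
            }
            # 2. /etc holds host-specific, sensitive files (passwd, keys,
            #    rc.conf); it must be generated per jail, never shared.
            if (src == "/etc" || index(src, "/etc/") == 1) {
                print "HOST /etc shared: " src " -> " $2; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample for a jail rooted at /jails/www (assumed path).
# Two entries deliberately violate the rules above.
SAMPLE_FSTAB='# source   mountpoint           type   options dump pass
/bin       /jails/www/bin       nullfs ro      0    0
/lib       /jails/www/lib       nullfs ro      0    0
/usr/bin   /jails/www/usr/bin   nullfs rw      0    0
/etc       /jails/www/etc       nullfs ro      0    0'

# Run the linter on the sample; wrapped in a function so the result can be
# checked programmatically as well as read.
sample_findings() {
    printf '%s\n' "$SAMPLE_FSTAB" | lint_jail_fstab
}

sample_findings || echo "jail fstab needs fixing before jail(8) is started"
```

A clean fstab (all nullfs lines carrying ro, and /etc produced per jail with the "distribution" target instead of being mounted) yields no output and exit status 0.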