Date:      Wed, 1 Feb 2012 20:25:42 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        Stas Verberkt <legolas@legolasweb.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Securely sharing directories between jails
Message-ID:  <20120201192542.GA60624@slackbox.erewhon.net>
In-Reply-To: <20120201073031.GA1678@homey.local>
References:  <20120201073031.GA1678@homey.local>

On Wed, Feb 01, 2012 at 08:30:31AM +0100, Stas Verberkt wrote:
> L.S.,
>
> I want to set up my system in a way where applications are clustered
> over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I
> need to share data over the jails, which is stored on the host.
> Often, nullfs and mounting ro is suitable, but I need write access in
> some cases. As nullfs rw over multiple jails can be considered insecure,
> I was wondering what would be a secure way.

You could use a combination of nullfs and unionfs. Below is what I do to
share /usr/ports on the host with a jail, but keep the jail from writing in
the host's tree.

    host# cd /usr/local/var/jails/192.168.0.100/usr
    host# mkdir tmp/foo
    host# mount_nullfs /usr/ports/ ports/
    host# mount_unionfs -o noatime tmp/foo ports/

With this, the jail sees the host's /usr/ports tree, but when it wants to
write there, the written files end up under tmp/foo in the jail's tree.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
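
An added example, not part of the original message: a check over `mount -p`-style lines that flags nullfs mounts under a jail root which are writable and have no unionfs layer on the same mount point, which is the exposure the nullfs/unionfs stacking above avoids. The function names, the `/home/share` and `/usr/src` entries and the exact `<above>:` device string in the sample table are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message).
# Input format assumed: fstab-style lines as printed by `mount -p`:
#   device  mountpoint  fstype  options  dump  pass

# audit_jail_mounts JAILROOT  (mount table on stdin)
# Prints one verdict per nullfs mount point below JAILROOT.
audit_jail_mounts() {
    awk -v root="$1" '
        index($2, root "/") == 1 {
            if ($3 == "nullfs") {
                if (!($2 in opts)) order[++n] = $2   # keep first-seen order
                opts[$2] = $4
            } else if ($3 == "unionfs") {
                covered[$2] = 1                       # writes are redirected
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                mp = order[i]
                if (("," opts[mp] ",") ~ /,ro,/)
                    print "OK ro-nullfs " mp
                else if (mp in covered)
                    print "OK unionfs-covered " mp
                else
                    print "EXPOSED rw-nullfs " mp     # jail can write to host tree
            }
        }'
}

# Constructed sample table: the ports stack from the message, plus two
# hypothetical mounts (a bare rw nullfs share and a read-only nullfs).
sample_mounts() {
cat <<'EOF'
/dev/ada0p2 / ufs rw 1 1
/usr/ports /usr/local/var/jails/192.168.0.100/usr/ports nullfs rw 0 0
<above>:/usr/local/var/jails/192.168.0.100/usr/tmp/foo /usr/local/var/jails/192.168.0.100/usr/ports unionfs rw,noatime 0 0
/home/share /usr/local/var/jails/192.168.0.100/share nullfs rw 0 0
/usr/src /usr/local/var/jails/192.168.0.100/usr/src nullfs ro 0 0
EOF
}

sample_mounts | audit_jail_mounts /usr/local/var/jails/192.168.0.100
```

On a live host, pipe the output of `mount -p` into `audit_jail_mounts` with the jail's root path instead of the sample table.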



