Date: Wed, 1 Feb 2012 20:25:42 +0100 From: Roland Smith <rsmith@xs4all.nl> To: Stas Verberkt <legolas@legolasweb.nl> Cc: freebsd-questions@freebsd.org Subject: Re: Securely sharing directories between jails Message-ID: <20120201192542.GA60624@slackbox.erewhon.net> In-Reply-To: <20120201073031.GA1678@homey.local> References: <20120201073031.GA1678@homey.local>
next in thread | previous in thread | raw e-mail | index | archive | help
--lrZ03NoBR/3+SXJZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 01, 2012 at 08:30:31AM +0100, Stas Verberkt wrote: > L.S., >=20 > I want to set up my system in a way where applications are clustered > over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I > need to share data over the jails, which is stored on the host. > Often, nullfs and mounting ro is suitable, but I need write access in > some cases. As nullfs rw over multiple jails can be considered insecure, > I was wondering what would be a secure way. You could use a combination of nullfs and unionfs. Below is is what I do to share /usr/ports on the host with a jail, but keep the jail from writing in the host's tree. host# cd /usr/local/var/jails/192.168.0.100/usr host# mkdir tmp/foo host# mount_nullfs /usr/ports/ ports/ host# mount_unionfs -o noatime tmp/foo ports/ With this, the jail sees the hosts' /usr/ports tree, but when it wants to write there, the written files end up under tmp/foo in the jails' tree. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --lrZ03NoBR/3+SXJZ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk8pkbYACgkQEnfvsMMhpyVkcACgqRxA4IKFdoyHwaDx8T3+9G3v lTwAoIg3cZ1dwciHFsKd5/Cgmx7V6rDU =dmFW -----END PGP SIGNATURE----- --lrZ03NoBR/3+SXJZ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120201192542.GA60624>