From: Robert Watson
Date: Tue, 29 Jul 2003 12:47:33 -0400 (EDT)
To: Jens Rehsack
Cc: Clement Laforet, FreeBSD-Current List
Subject: Re: [PATCH] jail NG schript patch for mounting devfs and procfs automatically
In-Reply-To: <3F26A37A.7090402@liwing.de>
List-Id: Discussions about the use of FreeBSD-current

On Tue, 29 Jul 2003, Jens Rehsack wrote:

> I updated the rcng jail start script to mount devfs and procfs into the
> jail if wanted. Adding entries to /etc/fstab didn't work properly,
> because the jail filesystem wasn't mounted when the startup process
> wants to mount it.
>
> Going this way allows us to control which jail could be used via ssh (or
> another remote shell), too.
>
> Any comments gladly welcome.
>
> If it's useful for FreeBSD, I will write the rc.conf(5) update, too.
> Please inform me to do this.

Neat.
Someone, and unfortunately I appear to have lost track of who, had some tweaks to the rcNG scripts to set up some reasonable devfs rules for a jail, and apply them to the devfs mounted in a jail. Otherwise, you risk exposing "undesired" device nodes to the virtual environment. I suspect a search of the -current archives will turn up who, but I think a necessary part of a solution here will be to make sure jails are set up with the right devfs contents.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
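Added example, not part of the original message or of the FreeBSD rc scripts: a host-side check that lists the entries in a jail's mounted /dev that fall outside an allowlist, which is one way to confirm a jail has "the right devfs contents" after its devfs is mounted. The allowlist in `ALLOWED`, the function names and the path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Audit the top level of a jail's /dev for nodes outside an allowlist.
# ALLOWED is an assumed allowlist of shell patterns (hypothetical; adjust
# it to what the jailed services actually need).
ALLOWED='null zero random urandom log crypto fd stdin stdout stderr ptmx pts ptyp* ttyp*'

# is_allowed NAME: exit 0 if NAME matches any pattern in ALLOWED, else 1.
is_allowed() {
    name=$1
    set -f                      # split ALLOWED without expanding its globs
    for pat in $ALLOWED; do
        case $name in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# unexpected_nodes DEVDIR: print, sorted and one per line, every top-level
# entry of DEVDIR that is not allowlisted. Returns 2 if DEVDIR is missing.
unexpected_nodes() {
    devdir=$1
    [ -d "$devdir" ] || { echo "not a directory: $devdir" >&2; return 2; }
    for entry in "$devdir"/* "$devdir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        is_allowed "$name" || printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Usage (hypothetical jail path): sh audit-jail-dev.sh /usr/jail/www/dev
if [ "$#" -gt 0 ]; then
    unexpected_nodes "$1"
fi
```

Empty output means every visible node matched the allowlist; any name printed is a node the jail can see that the allowlist did not expect.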