nullfs and named pipes.
Jeremie Le Hen
jeremie at le-hen.org
Fri Feb 16 10:31:16 UTC 2007
Josef,
On Thu, Feb 15, 2007 at 03:22:59PM +0000, Josef Karthauser wrote:
> On Thu, Feb 15, 2007 at 02:57:50PM +0100, Jeremie Le Hen wrote:
> >
> > Note that all processes within a jail can only intefere with processes
> > from another jail or host as if they were on different machines. This
> > means they can communicate through PF_INET for instance but not
> > PF_LOCAL.
> >
>
> [...]
>
> So how does this relate to jails?
>
> The point of using nullfs is to make a PF_LOCAL socket appear local
> even in the jail(!). Using the patch above this is indeed the case
> and as far as the jail is concerned the socket is indeed local,
> meaning that a process within a jail can talk via it to a process
> on the host environment with no restrictions. This is crucially
> important for mysql for instance as there is significant overhead
> associated with PF_INET connections which can be avoided by talking
> to PF_LOCAL sockets.
I was wrong, you are right. I was pretty sure the kernel retained
the credentials of the listening process and that trying to connect
to the latter using a process that has a mismatching jail ID would
fail.
On term #1:
% jarjarbinks:~:103# nc -U -l /usr/space/chroot/tmp/mysock
On term #2:
% jarjarbinks:/usr/src:102# echo "I won't speak before testing" | jail /usr/space/chroot test 192.168.1.3 /usr/bin/nc -U /tmp/mysock
On term #1!
% I won't speak before testing
Sorry for the noise. At least, I rekindled the thread :-).
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
More information about the freebsd-fs
mailing list