Configuration differences for jails

Jeremie Le Hen jeremie at
Fri Apr 22 08:42:23 PDT 2005


> I am not very familiar with mount_nullfs, but i think it is _one_ copy with
> _multiple_ references (FIXME). So if we modify something in one jail, the
> same effect will also impose on other jails, even the real machine. Due
> to this problem, readonly mounts may be a good choice.

Usually, /bin and others are never modified, that's why it may be null
mounted readonly.  If you want to be able to write to these directories
from inside the jail, there are two methods:

    - First is to use mount_unionfs(8) which will mount another
      directory above the null mounted directory.  Note that unionfs
      is currently known to be broken, although there is no official
      list of known bugs, AFAIK.  Having a null mount AND a union
      mount over it may perhaps introduce a non-negligible overhead,
      I guess.

    - Make each jail have its own world.

> BUT if we do some things related to the /etc files, such as passwd, ro 
> mounts can not deal with this situation because different jails need
> different passwd files for private users.
> So I think this can only be done by making a copy of relevant files but not 
> ro mounts.

Once again, /etc is not intended to be null mounted.  It contains
sensitive information about the host that should not be published in
jails.  You will have to use the "distribution" make target from
/usr/src/etc (see my previous email).

Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
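An added example, not part of the thread above: a small POSIX sh audit that reads a jail fstab and flags the two mistakes discussed in this message, a nullfs export of the host's /etc into a jail, and a shared nullfs mount of system directories that is not read-only. The fstab content and the /jails/web paths are constructed sample values.

```shell
# Constructed sample /etc/fstab.<jailname> in FreeBSD fstab format:
# device       mountpoint             fstype   options dump pass
SAMPLE_FSTAB='/bin        /jails/web/bin        nullfs  ro  0 0
/sbin       /jails/web/sbin       nullfs  ro  0 0
/usr        /jails/web/usr        nullfs  rw  0 0
/etc        /jails/web/etc        nullfs  ro  0 0
/jails/skel /jails/web/usr/local  unionfs rw  0 0'

# audit_fstab: read fstab text on stdin, print one line per finding.
# Returns 0 when the fstab is clean, 1 when anything was flagged.
audit_fstab() {
    findings=0
    while read -r dev mnt fstype opts dump pass; do
        # skip blank lines and comments
        case "$dev" in ''|\#*) continue ;; esac
        # only null mounts share a single copy with the host
        [ "$fstype" = nullfs ] || continue
        # /etc holds host-specific data (passwd, rc.conf...) and must never
        # be exported into a jail, read-only or not.
        if [ "$dev" = /etc ] || [ "${dev#/etc/}" != "$dev" ]; then
            echo "host /etc exported into jail: $dev -> $mnt"
            findings=$((findings + 1))
        fi
        # a shared /bin, /sbin, /usr... must be ro: a write from one jail
        # would otherwise change every jail and the host itself.
        case ",$opts," in
            *,ro,*) ;;
            *) echo "nullfs mount not read-only: $dev -> $mnt ($opts)"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# count_findings: number of findings for the constructed sample (expected: 2)
count_findings() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab | wc -l | tr -d ' '
}

# sample_is_clean: exit status of the audit on the constructed sample
sample_is_clean() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab >/dev/null
}
```

Run it against a real jail as `audit_fstab < /etc/fstab.<jailname>`; the unionfs line in the sample is deliberately left alone, since it is a per-jail writable layer rather than a shared copy.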
