HEADS UP: named now runs chroot'ed by default
tillman at seekingfire.com
Wed Oct 6 10:36:11 PDT 2004
On Tue, Oct 05, 2004 at 05:11:16PM -0700, Doug Barton wrote:
> On Thu, 30 Sep 2004, Tillman Hodgson wrote:
> >How does chroot and NFS interact?
> It is theoretically possible, but I would not do it for performance and
> reliability reasons. If you are doing something useful with named on a
> real network you will have enough variables that you cannot control
> which will make your life difficult, I personally would not want to add
> more pain to the mix that could be avoided. :)
> If you want to share configs, share data, etc; then rsync, scp, etc. are
> your friends. When I was at Yahoo! we had all the essential files in a
> central CVS repo and I used makefiles with various targets to push them
> out to the servers. This made updates, replication, installation, etc.
> very easy with almost no room for error, and no external dependencies
> other than the network and power for the individual name server.
I was using NFS not for sharing between machines but rarely to add a bit
of security an convenience: a host compromise on the named box could
not modify the files (RO export), yet an internal client could update
the zone file easily (ssh/kerberized telnet to the file server in
question and edit the file) and a rndc reload would update the named.
I can move away from that model easily enough, I just need to actually
make a plan to do so. If NFS and chroot are unhappy bedfellows, I'll do
"If knowledge creates problems, ignorance will not solve them"
-- Isaac Asimov.
More information about the freebsd-current