Jail organization

Harald Schmalzbauer h at schmalzbauer.de
Mon Apr 26 04:43:20 PDT 2004


On Monday, 26 April 2004 12:27, Florian Weimer wrote:
> I'd like to use jails to run different server software in different
> jails, so that if one service is compromised, the others are not
> affected (unless there are kernel bugs, of course).  All jails are in
> the same administrative domain.
>
> Three different ways of setting up the jails come to my mind.
>
>   * No data sharing between any jails.
>
>     Problem: Upgrades are more difficult than necessary (a libc update
>     has to be applied to each jail individually, for example).
>
>   * /usr is mounted read-only and shared, /usr/local is jail-specific.
>
>     Problem: Installing ports is problematic because some of them want
>     to write to /usr.
>
>   * Both /usr and /usr/local are shared.
>
>     Problem: All software is available in all jails.  Some hackery is
>     necessary to prevent most of the daemons from starting, and
>     setuid/setgid binaries might have issues.

Use mount_nullfs whenever you need more than the specialized jail itself was
designed for, e.g. when installing a new port:
mount_nullfs /hostusr/ports /jailuser/ports
I explicitly use one single label for each jail. Don't forget that in case of a
compromised jail, the hacker could simply fill up your filesystem when you use
only directories.

-Harry

>
> So far, I've used the second and third variant, but I have little
> experience with handling updates.  How do you solve these problems?
> Is there a different approach I missed?
>
> (As an administrator, I'm rather new to FreeBSD, so please bear with
> me.)
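
A check for the disk-fill point in the reply above, as an added example that is not part of the original thread: it lists jail roots that are plain directories on a shared filesystem rather than their own mounted label. The one-directory-per-jail layout under a base path, the /usr/jails path in the usage comment, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag jail roots that are plain directories on a shared
# filesystem instead of their own mount point (label/partition).
# Assumed layout: one directory per jail under a common base directory.
# Usage (path is a placeholder): jails_on_shared_fs /usr/jails

# Print the mount point of the filesystem that holds path $1.
# df -P has a fixed POSIX layout; the mount point is field 6 onward
# (joined again in case the mount point contains spaces).
fs_mountpoint() {
    df -P -- "$1" 2>/dev/null | awk 'NR == 2 {
        mp = $6
        for (i = 7; i <= NF; i++) mp = mp " " $i
        print mp
    }'
}

# Print every jail root under base directory $1 that is not itself a
# mount point, i.e. whose writes land on a filesystem it shares with
# the host or with other jails. A jail like that can fill the shared
# filesystem if it is compromised.
# Returns 0 if every jail root is its own filesystem, 1 otherwise.
jails_on_shared_fs() {
    base=$1
    rc=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue            # unmatched glob or not a dir
        root=$(cd "$dir" && pwd -P) || continue
        mp=$(fs_mountpoint "$root")
        if [ "$mp" != "$root" ]; then
            printf '%s shares filesystem %s\n' "$root" "$mp"
            rc=1
        fi
    done
    return $rc
}
```

A jail that is reported here still benefits from read-only nullfs mounts for shared trees, but its writable directories draw on the same free space as whatever else lives on that filesystem.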
More information about the freebsd-questions mailing list