Jail organization
Harald Schmalzbauer
h at schmalzbauer.de
Mon Apr 26 04:43:20 PDT 2004
Am Montag, 26. April 2004 12:27 schrieb Florian Weimer:
> I'd like to use jails to run different server software in different
> jails, so that if one service is compromised, the others are not
> affected (unless there are kernel bugs, of course). All jails are in
> the same administrative domain.
>
> Three different ways of setting up the jails come to my mind.
>
> * No data sharing between any jails.
>
> Problem: Upgrades are more difficult then necessary (a libc update
> has to be applied to each jail individual, for example).
>
> * /usr is mounted read-only and shared, /usr/local is jail-specific.
>
> Problem: Installing ports is problematic because some of them want
> to write to /usr.
>
> * Both /usr and /usr/local are shared.
>
> Problem: All software is available in all jails. Some hackery is
> necessary to prevent most of the daemons from starting, and
> setuid/setgid binaries might have issues.
Use mount_nullfs whenever you need more than the spezialized jail itself was
designed for, eg. when installing a new port
mount_nullfs /hostusr/ports /jailuser/ports.
I explicitly use one single label for each jail. Don't forget in case of a
compromised jail the hacker could simply fill up your filesystem when you use
only directories.
-Harry
>
> So far, I've used the second and third variant, but I have little
> experience with handling updates. How do you solve these problems?
> Is there a different approach I missed?
>
> (As an administrator, I'm rather new to FreeBSD, so please bear with
> me.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040426/7893833f/attachment.bin
More information about the freebsd-questions
mailing list