Securely sharing directories between jails

Roland Smith rsmith at xs4all.nl
Wed Feb 1 19:26:15 UTC 2012


On Wed, Feb 01, 2012 at 08:30:31AM +0100, Stas Verberkt wrote:
> L.S.,
> 
> I want to set up my system in a way where applications are clustered
> over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I
> need to share data over the jails, which is stored on the host.
> Often, nullfs and mounting ro is suitable, but I need write access in
> some cases. As nullfs rw over multiple jails can be considered insecure,
> I was wondering what would be a secure way.

You could use a combination of nullfs and unionfs. Below is what I do to
share /usr/ports on the host with a jail, but keep the jail from writing in
the host's tree.

    host# cd /usr/local/var/jails/192.168.0.100/usr
    host# mkdir tmp/foo
    host# mount_nullfs /usr/ports/ ports/
    host# mount_unionfs -o noatime tmp/foo ports/

With this, the jail sees the host's /usr/ports tree, but when it wants to
write there, the written files end up under tmp/foo in the jail's tree.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
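The nullfs + unionfs stacking from the reply above, as an added example (not part of Roland's message): it wraps the same mount sequence in a POSIX sh function, mounts the nullfs lower layer with an explicit `-o ro`, and adds a probe that confirms a write through the jail's view lands in the upper directory and not in the host tree. The jail root path, `usr/ports` and `usr/tmp/foo` are taken from the post; `DRY_RUN` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Share a host directory with a
# jail read-only, diverting the jail's writes into a per-jail upper layer.
# Mounting needs root on a FreeBSD host; set DRY_RUN=1 to print the mount
# commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# share_ro_union HOSTDIR JAILROOT RELPATH UPPER
# nullfs-mount HOSTDIR read-only at JAILROOT/RELPATH, then stack
# JAILROOT/UPPER over it with unionfs so the jail's writes land in UPPER.
share_ro_union() {
    hostdir=$1; jailroot=$2; relpath=$3; upper=$4
    run mkdir -p "$jailroot/$relpath" "$jailroot/$upper"
    # explicit ro on the lower layer: even without the union on top,
    # the jail could not write into the host's tree through this mount
    run mount_nullfs -o ro "$hostdir" "$jailroot/$relpath"
    run mount_unionfs -o noatime "$jailroot/$upper" "$jailroot/$relpath"
}

# verify_diversion HOSTDIR UPPER VIEW
# Write a probe file through VIEW (the path the jail sees) and check that it
# shows up in UPPER and not in HOSTDIR. Returns 0 when writes are diverted.
verify_diversion() {
    hostdir=$1; upper=$2; view=$3
    probe=".write-probe.$$"
    : > "$view/$probe" || return 1
    rc=1
    if [ -e "$upper/$probe" ] && ! [ -e "$hostdir/$probe" ]; then
        rc=0
    fi
    rm -f "$view/$probe"
    return $rc
}

# Usage on the host, mirroring the post's layout:
#   share_ro_union /usr/ports /usr/local/var/jails/192.168.0.100 usr/ports usr/tmp/foo
#   verify_diversion /usr/ports /usr/local/var/jails/192.168.0.100/usr/tmp/foo \
#       /usr/local/var/jails/192.168.0.100/usr/ports
```

Run `verify_diversion` again after any reboot or jail restart, since a missing unionfs layer silently turns the view into a plain read-only nullfs mount (writes fail) or, if the nullfs were mounted rw, into direct writes on the host tree.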