jails - how to do it best

Jiri jiri.b at sendmail.cz
Fri Jul 23 05:12:32 CEST 2004


Greetings,

On Sunday, July 18, 2004, 5:21:21 PM, it was written:

J>   Also, if some part of a jail needed fixing, how could that be made as
J>   easy as possible when several full jails exist?

I keep thinking about this and wonder whether mount_overlay from NetBSD
might be the solution.

     The mount_overlay filesystem differs from the null filesystem in that the
     mount_overlay filesystem does not replicate the sub-tree, it places
     itself between the sub-tree and all future access.

How exactly does it work? Is /overlay the "prototype layer", i.e. the
source, and changes made at the mount point stay only there?

http://www.daemon-systems.org/man/mount_overlay.8.html

If so, it would be interesting for managing several completely identical
environments (jails).

On FreeBSD this could be done with /zdrojjail read-only and then mounted
further using mount_null, or rather:

An interesting single-purpose solution is offered by the combination of
mount_union and mount_null, e.g. a jail in a directory where you want some
of its subdirectories to be noexec, nodev, etc.

<below>:/tmp/realjail on /tmp/jail (union, noclusterw)
/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)
srot# touch /tmp/jail/usr/ports/packages/hovno
touch: /tmp/jail/usr/ports/packages/hovno: Read-only file system
srot# touch /tmp/realjail/usr/ports/packages/package
srot# ls /tmp/jail/usr/ports/packages/
package


jirib


-- 
mail: jiri.b at sendmail.cz | jabber: jiri.b at njs.netlab.cz
IRCnet/EFnet/SILCnet: jirib | ICQ: 261273235
GPGfingerprint: 21A1 8E02 CDF0 DCAA B385  A253 EF0C F1CE B618 8EAB
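An added example, not part of the original post, that scripts the layering described above: it prints the mount commands for the union-over-prototype setup and then verifies the result from mount(8) output. The paths /tmp/realjail and /tmp/jail come from the session above; the per-jail scratch directory and the modern mount -t unionfs / -t nullfs spelling are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed layout, taken from the
# session above: prototype jail in /tmp/realjail, exposed at /tmp/jail.
PROTO=/tmp/realjail
JAIL=/tmp/jail

# Print the mount commands for one jail, in the order they must be applied:
# the shared prototype goes below the jail directory as a union layer, so
# writes land in the upper layer and the prototype stays untouched; then
# selected subtrees are null-mounted on top with restrictive options.
# Modern FreeBSD spelling (mount -t unionfs / -t nullfs); the per-jail
# scratch directory is an assumption. Printed rather than executed so it
# can be reviewed, then piped to sh as root.
jail_mount_plan() {
    proto=$1; jail=$2; scratch=$3
    echo "mount -t unionfs -o below $proto $jail"
    echo "mount -t nullfs -o ro $proto/usr/ports/packages $jail/usr/ports/packages"
    echo "mount -t nullfs -o noexec,nosuid,nodev $scratch $jail/tmp"
}

# Check the layering against the output of mount(8), read on stdin, in the
# format shown above: the prototype must sit below the jail as a union, and
# the packages tree must be a read-only null mount. Returns 0 when both
# hold, 1 (with a message) on the first failed check.
check_layering() {
    proto=$1; jail=$2
    table=$(cat)
    printf '%s\n' "$table" | grep -q "$proto on $jail (union" \
        || { echo "no union layer below $jail"; return 1; }
    printf '%s\n' "$table" \
        | grep "^$proto/usr/ports/packages on $jail/usr/ports/packages (null" \
        | grep -q 'read-only' \
        || { echo "$jail/usr/ports/packages is not a read-only null mount"; return 1; }
    return 0
}

# Constructed sample, copied from the mount output in the post; on a live
# system use:  mount | check_layering "$PROTO" "$JAIL"
SAMPLE_MOUNT='<below>:/tmp/realjail on /tmp/jail (union, noclusterw)
/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)'

jail_mount_plan "$PROTO" "$JAIL" /tmp/jail-scratch
printf '%s\n' "$SAMPLE_MOUNT" | check_layering "$PROTO" "$JAIL" && echo "layering OK"
```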
