jails - what is the best way
Jiri
jiri.b at sendmail.cz
Fri Jul 23 05:12:32 CEST 2004
Hello,
Sunday, July 18, 2004, 5:21:21 PM, the following was written:
J> Also, if some part of a jail needed fixing, how can that be made
J> as easy as possible when there are several full jails?
I keep thinking about this and I wonder whether mount_overlay from
NetBSD might be a solution?
The mount_overlay filesystem differs from the null filesystem in that the
mount_overlay filesystem does not replicate the sub-tree, it places
itself between the sub-tree and all future access.
How exactly does it work? Is it that /overlay is the "prototype layer", i.e.
the source, and changes made in the mount point stay only there?
http://www.daemon-systems.org/man/mount_overlay.8.html
If so, it would be interesting for managing several completely
identical environments - jails.
On FreeBSD this could be done with /zdrojjail read-only, mounted
further on using mount_null, or rather
The combination of mount_union and mount_null offers an interesting solution for one use case. E.g. you have a jail
in a directory but want some of its subdirectories to be, for example, noexec,
nodev, etc.
<below>:/tmp/realjail on /tmp/jail (union, noclusterw)
/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)
srot# touch /tmp/jail/usr/ports/packages/hovno
touch: /tmp/jail/usr/ports/packages/hovno: Read-only file system
srot# touch /tmp/realjail/usr/ports/packages/package
srot# ls /tmp/jail/usr/ports/packages/
package
jirib
--
mail: jiri.b at sendmail.cz | jabber: jiri.b at njs.netlab.cz
IRCnet/EFnet/SILCnet: jirib | ICQ: 261273235
GPGfingerprint: 21A1 8E02 CDF0 DCAA B385 A253 EF0C F1CE B618 8EAB
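
Added example, not part of the original message: a small sh/awk check that reads mount(8)-style output in the format of the listing above and reports jail subdirectories that lack a required flag such as read-only, noexec or nodev. The third sample mount line and the policy are constructed, and the function names mount_has_flag and audit_jail are hypothetical.

```shell
#!/bin/sh
# Added example: audit mount(8)-style output against a per-directory flag policy.
# First two sample lines are from the listing in the message; the third is constructed.
SAMPLE_MOUNTS='<below>:/tmp/realjail on /tmp/jail (union, noclusterw)
/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)
/tmp/realjail/tmp on /tmp/jail/tmp (null, local)'
# Hypothetical policy, constructed: "MOUNTPOINT REQUIRED_FLAG" per line.
SAMPLE_POLICY='/tmp/jail/usr/ports/packages read-only
/tmp/jail/tmp noexec
/tmp/jail/var nodev'

# mount_has_flag MOUNTPOINT FLAG   (mount output on stdin)
# Exit 0: mounted with FLAG; 1: mounted without it; 2: not a mount point.
mount_has_flag() {
    awk -v mp="$1" -v want="$2" '
        {
            p = index($0, " on ")            # end of the source field
            q = match($0, / \([^()]*\)$/)    # trailing " (flag, flag)"
            if (p == 0 || q == 0) next
            if (substr($0, p + 4, q - p - 4) != mp) next
            found = 1
            n = split(substr($0, q + 2, RLENGTH - 3), f, /, */)
            for (i = 1; i <= n; i++) if (f[i] == want) ok = 1
        }
        END { if (!found) exit 2; exit(ok ? 0 : 1) }'
}

# audit_jail POLICY   (mount output on stdin)
# Prints one line per violation; exit status is the number of violations.
audit_jail() {
    mounts=$(cat); bad=0
    while read -r mp flag; do
        [ -n "$mp" ] || continue
        rc=0
        printf '%s\n' "$mounts" | mount_has_flag "$mp" "$flag" || rc=$?
        case $rc in
            1) echo "MISSING $flag on $mp"; bad=$((bad + 1)) ;;
            2) echo "NOT MOUNTED $mp (wanted $flag)"; bad=$((bad + 1)) ;;
        esac
    done <<EOF
$1
EOF
    return "$bad"
}

# Demo on the sample data; on a real host pipe in the output of mount(8).
printf '%s\n' "$SAMPLE_MOUNTS" | audit_jail "$SAMPLE_POLICY" || echo "violations: $?"
```

The matching assumes mount point paths contain no " on " substring and that flags are printed as a comma-separated list in trailing parentheses, as in the listing.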