jails - what's the best way

Jan Pechanec jp at devnull.cz
Fri Jul 23 09:47:07 CEST 2004


On Fri, 23 Jul 2004, Jiri wrote:

>if so, it would be interesting for administering several completely
>identical environments - jails.
>
>on fbsd it could be done as a read-only /zdrojjail, mounted on from there
>using mount_null, or rather

	mount_nullfs officially does not work on FreeBSD, and in practice
it doesn't work much either. This was recently discussed on one of the
freebsd.org lists; the person complained that it had worked for him for a
long time and then stopped. All he got were replies in the spirit of this
passage from man mount_nullfs:

     THIS FILE SYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK)
     AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM.  USE AT YOUR OWN
     RISK.  BEWARE OF DOG.  SLIPPERY WHEN WET.

	Meant also in the sense that if it doesn't work and he can't
help himself, he's out of luck. It can be worked around by using a local
NFS mount, although that's nothing great. And there was no word of anyone
planning to fix nullfs.

	h.

>
>an interesting single-use solution is offered by combining mount_union and mount_null. e.g. a jail
>in a directory, but you want some of its subdirectories to be e.g. noexec,
>nodev, etc.
>
><below>:/tmp/realjail on /tmp/jail (union, noclusterw)
>/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)
>srot# touch /tmp/jail/usr/ports/packages/hovno
>touch: /tmp/jail/usr/ports/packages/hovno: Read-only file system
>srot# touch /tmp/realjail/usr/ports/packages/package
>srot# ls /tmp/jail/usr/ports/packages/
>package
>
>jirib
>

-- 
Jan Pechanec <jp (at) devnull (dot) cz>
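The thread's point is that the mount options of a jail's subdirectories (read-only, noexec, nodev) are what actually constrain the jail, so they are worth checking rather than assuming. The following is an added example, not code from either message or from FreeBSD: a POSIX sh audit that reads mount(8)-style lines ("<device> on <mountpoint> (<options>)", the format shown in Jiri's session) and reports every mount under a jail root that lacks a required option. The sample listing is constructed for the example; the /tmp/jail/tmp line and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit mount options
# under a jail root against a required set. Input is a constructed
# mount(8)-style listing embedded below so it runs offline; on a real
# FreeBSD host pipe the output of `mount` into audit_jail_mounts instead.

# Constructed sample in mount(8)'s "<dev> on <mnt> (<opts>)" format.
# The first two lines mirror Jiri's session; the /tmp/jail/tmp line is
# an assumed extra mount that is noexec but not read-only.
SAMPLE_MOUNTS='<below>:/tmp/realjail on /tmp/jail (union, noclusterw)
/tmp/realjail/usr/ports/packages on /tmp/jail/usr/ports/packages (null, local, read-only)
/tmp/realjail/tmp on /tmp/jail/tmp (null, local, noexec)'

# mount_has_opt <mount line> <option>
# Exit 0 if <option> appears in the parenthesised option list of the line.
mount_has_opt() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p')
    printf '%s\n' "$opts" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qx -- "$2"
}

# audit_jail_mounts <jail root> "<required opts, space-separated>"
# Reads mount(8) lines on stdin, looks only at mount points strictly
# below the jail root (the root itself is the union mount and is skipped),
# and prints one "MISSING <mountpoint> <option>" line per absent option.
audit_jail_mounts() {
    root=$1
    required=$2
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Mount point is the text between " on " and the option list.
        mnt=$(printf '%s\n' "$line" | sed -n 's/^.* on \(.*\) (.*)$/\1/p')
        case "$mnt" in
            "$root"/*) ;;       # below the jail root: audit it
            *) continue ;;      # anything else (including the root): skip
        esac
        for opt in $required; do
            if ! mount_has_opt "$line" "$opt"; then
                echo "MISSING $mnt $opt"
            fi
        done
    done
    return 0
}

# Usage: require every sub-mount of /tmp/jail to be both noexec and
# read-only; with the sample above this reports two MISSING lines
# (packages lacks noexec, tmp lacks read-only).
printf '%s\n' "$SAMPLE_MOUNTS" | audit_jail_mounts /tmp/jail "noexec read-only"
```

The option names are matched exactly as mount(8) prints them in the quoted session (read-only, noexec), so the required set should use that spelling rather than the mount_nullfs command-line flags; anything not matching is reported, which is the conservative behaviour for an audit.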
