Hello Robert,

Robert Wotzlaw:
> Your script auroot "A sample script to build a chroot-ed/jail environment for
> Internet service" has inspired me to write the script bldchraufs. The script
        :::
> I will thank You for, if You could take a look at the script.

Good script.
Do you plan to put the script on your web site? If you send me
the URL, I will add it to aufs2-util.git/sample/auroot/README.txt. If
you don't have a web site, I will add the script under
aufs2-util.git/sample/auroot/. Which do you prefer?

I'd suggest you use a loop in your script.
For instance:
----------------------------------------------------------------------
#!/bin/sh
# Each directory gets its own writable branch under /tmp/rw, with the
# original tree as the lower branch of the union.
make_it_au() # mntpnt
{
        mkdir -p "/tmp/rw/$1" "/tmp/jail/$1"
        mount -t aufs -o "br:/tmp/rw/$1:/$1" none "/tmp/jail/$1"
}
for i in var usr usr/local boot home srv
do make_it_au "$i"
done

# Pseudo filesystems are simply bound into the jail, not unioned.
make_it_bound() # mntpnt
{
        mkdir -p "/tmp/jail/$1"
        mount -o bind "/$1" "/tmp/jail/$1"
}
for i in proc sys ...   # list the other directories to bind here
do make_it_bound "$i"
done
----------------------------------------------------------------------
(This is just a sample and I didn't run it myself.)



> I have a question concerning the last lines of the script. In these lines the
> mount command binds the devices /dev, /dev/pts and /dev/shm into the matching
> directories of the union under /tmp/jail/. In this configuration the devices
> aren't part of a branch. Is this an acceptable mount? Should I create a read
> only and a write branch for the above devices and mount the branches under a
> union?

You don't need to make them union.
Binding these dirs is correct.


> My next question concerns the option bind of the mount command. In Your example
        :::
> was stored. At first glance I was a little bit puzzled, but I think You can't
> change the access rights of a device during a bind mount. The bind of a device
> is an alias - another name for the same thing. The properties of a bound device
> are the same as the properties of the mounted device. Is this right? In the
> chroot environment the kind of binding causes no problem, because the system
> doesn't see the origin of the bind.

You are right.
"-o bind,ro" will not make it READONLY.
I don't remember why I did it. It might be for a historical reason. For
instance, it did work once, but Linux or the mount command changed later.
Anyway, I don't remember and have no plan to investigate the history.
As long as you have made sure of it, you are right and the auroot script
is wrong.


hal.new?
What is it for?


J. R. Okajima
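A check worth having after the "-o bind,ro" exchange above, as an added example that is not code from this thread or from aufs2-util: the read-only flag is applied with a separate remount step, and the result is verified against mount-table text rather than trusted. The util-linux mount invocations are assumed, and the mount table lines are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original thread: the two-step way to get a
# genuinely read-only bind mount, plus a check that a mountpoint is really
# ro, driven by text in /proc/self/mounts format.
# Dry run by default; run with DRYRUN= (empty) to execute the commands.
: "${DRYRUN=1}"

run() {
        if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A single "mount -o bind,ro" leaves the new mountpoint writable; the
# ro flag has to be applied in a second, remount, step.
bind_ro() # src dst
{
        run mkdir -p "$2"
        run mount --bind "$1" "$2"
        run mount -o remount,bind,ro "$2"
}

# mount_is_ro TABLE MNTPNT: TABLE holds lines in /proc/self/mounts format
# (source mountpoint fstype options dump pass). Succeeds only when the
# mountpoint's own option list contains a bare "ro".
mount_is_ro() {
        printf '%s\n' "$1" | awk -v mp="$2" '
                $2 == mp { n = split($4, o, ",")
                           for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
                END { exit ro ? 0 : 1 }'
}

# Constructed sample table: /dev bound into two jails, the first with plain
# "bind,ro" (the kernel still reports rw), the second after the remount.
SAMPLE_MOUNTS='udev /tmp/jail/dev devtmpfs rw,nosuid,relatime 0 0
udev /tmp/jail2/dev devtmpfs ro,nosuid,relatime 0 0'

# Demo: show the commands, then check both jails against the sample table.
bind_ro /dev /tmp/jail/dev
for mp in /tmp/jail/dev /tmp/jail2/dev; do
        if mount_is_ro "$SAMPLE_MOUNTS" "$mp"; then
                echo "$mp: read-only"
        else
                echo "$mp: still writable"
        fi
done
```

On a live system, feed `mount_is_ro "$(cat /proc/self/mounts)" /tmp/jail/dev` instead of the sample table to confirm the jail's /dev really is read-only.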
