On Thu, 7 Dec 2006, Jacob Yocom-Piatt wrote:

> it's not clear to me where the best place to mount a disk image is using
> vnconfig for the whole /var partition. this should obviously happen after
> mounting /usr.
> 
> advice appreciated.
> 
> cheers,
> jake

For a start, I'd *guess* it could be mounted immediately after the
file-system containing its "regular file" (and of course /usr) is
mounted.  If this file-system is not nfs, then that is at the first
occurrences of "mount" in /etc/rc.  (Around line 203 in 4.0).  You
would add your vnconfig and mount command there.  You now have a 
"non-standard" /etc/rc.

You want it mounted before logging and any other process or daemon
that uses /var is run, including daemons that chroot to /var, notably
named.  You probably want them running on the svnd, not "underneath"
it on whatever /var was before mounting the svnd.

Note that if you plan on encryption, the vnconfig command will hang
waiting for the key.  It uses a call to getpass(3) for the key,
which will read from /dev/tty.  Usually /etc/rc executes with a
/dev/tty so I think that if you use vnconfig -k or -K in /etc/rc, a
human will have to intervene at boot time to enter the key.  (I
don't know a cute, simple way (i.e. a shell trick) to execute
vnconfig without a controlling terminal, so it could read from its
stdin (presumably a disk file or maybe from some dongle-like Sekrit
Krypto Device) or if that would be a good idea anyway.)  You could
hack vnconfig to read the key from a file, but that's kinda insecure.
I don't know your threat model.  See man getpass(3).

Hoping for further comments,

Dave
-- 
  [In] all human groups at all times there are the few who rule
                   and the many who are ruled.
                        -- A. Livingston
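
An added example, not part of the original post: a small shell lint that checks a locally modified /etc/rc for the ordering described in the message above (vnconfig after the first mount, /var mounted before syslogd and named start). The sample rc fragments, the device svnd0 and the image path /usr/var.img are constructed assumptions, not the real OpenBSD /etc/rc.

```shell
#!/bin/sh
# Line number of the first line in file $1 matching ERE $2 (empty if none).
first_line() { grep -n -E "$2" "$1" | head -n 1 | cut -d: -f1; }

# Return 0 if the rc file configures and mounts the svnd /var in a safe order.
check_rc_order() {
    rc=$1; status=0
    first_mount=$(first_line "$rc" '^[[:space:]]*mount[[:space:]]')
    vnd=$(first_line "$rc" '^[[:space:]]*vnconfig[[:space:]]')
    var_mount=$(first_line "$rc" '^[[:space:]]*mount[[:space:]].*[[:space:]]/var[[:space:]]*$')
    if [ -z "$vnd" ] || [ -z "$var_mount" ]; then
        echo "FAIL: no vnconfig line or no mount of /var in $rc"; return 1
    fi
    # The image is a regular file, so its file-system must be mounted first.
    if [ "$vnd" -lt "$first_mount" ]; then
        echo "FAIL: vnconfig (line $vnd) precedes first mount (line $first_mount)"; status=1
    fi
    if [ "$var_mount" -lt "$vnd" ]; then
        echo "FAIL: /var mounted (line $var_mount) before vnconfig (line $vnd)"; status=1
    fi
    # Daemons started earlier would run "underneath" the svnd on the old /var.
    for d in syslogd named; do
        n=$(first_line "$rc" "(^|;)[[:space:]]*$d[[:space:]]")
        if [ -n "$n" ] && [ "$n" -lt "$var_mount" ]; then
            echo "FAIL: $d (line $n) starts before /var is mounted (line $var_mount)"; status=1
        fi
    done
    if [ "$status" -eq 0 ]; then echo "OK: $rc"; fi
    return "$status"
}

# Constructed, heavily simplified rc fragments for the demonstration.
make_samples() {
    cat > "$1/rc.good" <<'EOF'
mount -a -t nonfs
vnconfig -k svnd0 /usr/var.img
mount /dev/svnd0a /var
syslogd $syslogd_flags
echo -n ' named'; named $named_flags
EOF
    cat > "$1/rc.bad" <<'EOF'
mount -a -t nonfs
syslogd $syslogd_flags
vnconfig -k svnd0 /usr/var.img
mount /dev/svnd0a /var
echo -n ' named'; named $named_flags
EOF
}
tmp=$(mktemp -d) && make_samples "$tmp"
check_rc_order "$tmp/rc.good"; check_rc_order "$tmp/rc.bad" || true
```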
