Re: Securely sharing directories between jails

2012-02-01 Thread Roland Smith
On Wed, Feb 01, 2012 at 08:30:31AM +0100, Stas Verberkt wrote:
> L.S.,
> 
> I want to set up my system in a way where applications are clustered
> over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I
> need to share data over the jails, which is stored on the host.
> Often, nullfs and mounting ro is suitable, but I need write access in
> some cases. As nullfs rw over multiple jails can be considered insecure,
> I was wondering what would be a secure way.

You could use a combination of nullfs and unionfs. Below is what I do to
share /usr/ports on the host with a jail, but keep the jail from writing in
the host's tree.

host# cd /usr/local/var/jails/192.168.0.100/usr
host# mkdir tmp/foo
host# mount_nullfs /usr/ports/ ports/
host# mount_unionfs -o noatime tmp/foo ports/

With this, the jail sees the host's /usr/ports tree, but when it wants to
write there, the written files end up under tmp/foo in the jail's tree.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
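The concern in the original question is a host directory nullfs-mounted read-write into more than one jail, so that one compromised jail can tamper with data another jail trusts. The following audit script is an added example and not part of this thread or of FreeBSD; it parses mount(8)-style output (a constructed sample is embedded, in the layout Roland uses, with /usr/local/var/jails as the assumed jail base) and reports every host path that is shared read-write via nullfs into two or more distinct jails. Mounts that are read-only, or that are unionfs overlays like the one above, are not flagged.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds host directories that are
# nullfs-mounted read-write into more than one jail root.

# Assumption: one directory per jail under this base, as in the reply above.
JAIL_BASE="/usr/local/var/jails"

# Constructed sample in the format of FreeBSD mount(8) output. In real use,
# feed "$(mount)" instead of this string.
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/usr/ports on /usr/local/var/jails/192.168.0.100/usr/ports (nullfs, local, read-only)
/usr/local/var/jails/192.168.0.100/usr/tmp/foo on /usr/local/var/jails/192.168.0.100/usr/ports (unionfs, local, noatime)
/srv/shared on /usr/local/var/jails/192.168.0.101/srv/shared (nullfs, local)
/srv/shared on /usr/local/var/jails/192.168.0.102/srv/shared (nullfs, local)
/srv/logs on /usr/local/var/jails/192.168.0.101/var/log/app (nullfs, local)'

# Print "<host source> <jail name>" for every nullfs mount that is writable
# and whose mount point lies under JAIL_BASE. Read-only nullfs mounts and
# non-nullfs mounts (ufs, unionfs, ...) are skipped.
rw_nullfs_pairs() {
    printf '%s\n' "$1" | awk -v base="$JAIL_BASE/" '
        $2 == "on" {
            src = $1
            mnt = $3
            opts = substr($0, index($0, "("))
            if (opts !~ /^\(nullfs/) next
            if (opts ~ /read-only/) next
            if (index(mnt, base) != 1) next
            rest = substr(mnt, length(base) + 1)
            split(rest, parts, "/")
            print src, parts[1]
        }'
}

# Print each host source that appears read-write in two or more jails, one
# per line, sorted. Duplicate mounts inside the same jail count once.
shared_rw_sources() {
    rw_nullfs_pairs "$1" | sort -u | awk '
        { count[$1]++ }
        END { for (s in count) if (count[s] > 1) print s }' | sort
}

# Stand-alone run: audit the constructed sample.
shared_rw_sources "$SAMPLE_MOUNTS"
```

On a live host, replace `"$SAMPLE_MOUNTS"` with `"$(mount)"`; any path the script prints is a candidate for the nullfs-ro plus unionfs layout described in the reply, or for splitting into per-jail directories.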




Securely sharing directories between jails

2012-01-31 Thread Stas Verberkt
L.S.,

I want to set up my system in a way where applications are clustered
over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I
need to share data over the jails, which is stored on the host.
Often, nullfs and mounting ro is suitable, but I need write access in
some cases. As nullfs rw over multiple jails can be considered insecure,
I was wondering what would be a secure way.

The only thing I could come up with was having both a NFS server and
client running on the host and mounting such that all access is mapped
to an account with less privileges. However, it seems like a waste to
NFS with yourself. Thus, are there any better ways to achieve this?

(I also thought of using nosuid flags, but I'm not sure if this is
enough.)

Kind regards,

Stas Verberkt


