On Thu, Dec 1, 2022 at 2:01 AM Milan Obuch <freebsd-curr...@dino.sk> wrote:
> On Thu, 01 Dec 2022 10:29:25 +0100 > Alexander Leidinger <alexan...@leidinger.net> wrote: > > > Quoting Alan Somers <asom...@freebsd.org> (from Tue, 29 Nov 2022 > > 17:28:10 -0700): > > > > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem > > > <rick.mack...@gmail.com> wrote: > > > > >> So, what do others think of enforcing the requirement that each > > >> jail have its own file systems for this? > > > > > > I think that's a totally reasonable requirement. Especially so for > > > ZFS users, who already create a filesystem per jail for other > > > reasons. > > > > While I agree that it is a reasonable requirement, just a note that > > we can not assume that every existing jail resides on its own file > > system. The base system jail infrastructure doesn't check this, and > > the ezjail port doesn't either. The iocage port does it. > > > > My position would be 'recommended, but not forced-to' one. I have > various installations with jails sharing parts of filesystem (like > ports or src tree for development, or even local git repository), or > even running with exactly the same directory as root of number of > jails. Probably not a common scenario for sure, but still useful. > Others indicate they want mountd to run inside the jail. To get that to work, the jail needs to be in a separate file system, since it is the file system(s) mount point(s) that the export information is attached to in the kernel. It comes down to... #1 - Run mountd outside of the jails and encourage use of separate file systems. (Also, since the exports information would be applied to the file system(s) and not the jails, a malicious NFS client could "guess" a file handle and access files outside of the jail. This seems counter to what a jail should provide.) OR #2 - Require separate file systems and run mountd inside the jail(s). I think that allowing both alternatives would be too confusing and it seems that most want mountd to run within the jail(s). As such, unless others prefer #1, I think #2 is the way to go. rick > > Regards, > Milan >
