is nfs mount inside jail possible?
Robert Watson
rwatson at FreeBSD.org
Wed Jun 25 16:08:44 UTC 2008
On Wed, 25 Jun 2008, Alexander Leidinger wrote:
>> ... nfs seems not to be jail friendly. Here is the question at subject.
>> Thanks!
>
> Correct. If you are not afraid to patch the system: zfs has the JAIL flag
> set, you just need to do the same with nfs.
>
> To do this, edit src/sys/nfsclient/nfs_vfsopts.c, search for VFS_SET and change
> it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);
>
> I suggest not doing this with tmpfs if you do shared hosting (you don't want
> strangers eating up all your physical RAM).
The security implications of doing this are rather non-trivial, and should be
carefully taken into account. This is not a configuration I would
recommend for most sites on the basis that they might not be well-equipped to
reason about the indirect security consequences.

There are also some potentially tricky technical elements here -- for example,
some versions of FreeBSD are known to have TCP implementations that are not
entirely happy with NFS running in a jail. Likewise, some of the associated
services of NFS, such as rpc.statd and rpc.lockd, will not work properly with
virtualization prior to 8.x (and possibly after) as they both have interesting
security requirements and rely on things like each IP address being associated
with at most one client.

Robert N M Watson
Computer Laboratory
University of Cambridge