On Thu, Apr 12, 2007 at 03:55:24PM +0300, Kostik Belousov wrote:
> On Thu, Apr 12, 2007 at 02:38:33PM +0200, Oliver Fromme wrote:
> > Ed Schouten wrote:
> > > Bernd Walter wrote:
> > > > E.g. hardlink system binaries over multiple jails flagged immutable.
> > > > No jail can compromise the data in other jails, while still allowing
> > > > the kernel to share memory pages for it.
> > >
> > > There are nicer ways to do that as far as I know. Just read-only
> > > nullmount some kind of base install to another directory.
> >
> > Memory pages are not shared across different mounts,
> > including nullmounts (AFAIK), which was Bernd's point.
> > So Bernd's solution is much better in terms of memory
> > usage, which is significant if you run a large number
> > of jails.
>
> Pages are shared for file mmapped from different null mounts.

I wasn't aware of this - that's good.
But there are still other interesting benefits of extended flags in
jails, such as append-only for logfiles, etc...
Unlike the old securelevel mechanism the files can still be rotated
outside the jails.

--
B.Walter http://www.bwct.de http://www.fizon.de
bernd_at_bwct.de info_at_bwct.de support_at_fizon.de

Received on Thu Apr 12 2007 - 11:49:20 UTC