[nsd-users] systemd unit files for NSD launch in chroot?
darx at sent.com
Thu Mar 7 03:05:38 UTC 2013
Hi Paul,
On Wed, Mar 6, 2013, at 06:50 PM, Paul Wouters wrote:
> We ship them in Fedora, but they're pretty straightforward. We do not
> use chroot() as it offers nothing over SElinux, and does not come with
> the chroot maintenance nightmare hackery.
>
> IMHO, chroot() for security is pretty much dead. Even without SElinux,
> the cost of putting up a VM with only your single daemon makes chroot
> basically obsolete.
Can't disagree -- if (1) I use Fedora, (2) I use SELinux, and (3) I have
only the single daemon.
In my case, none are true.
I use OpenSuse. I do not use SELinux. I use multiple daemons running
in the VM.
systemd-managed, chroot'd Bind9 is currently one of them, as an example.
> In Fedora you can even use "linux containers", which uses CGROUPS to run your daemon in isolation.
My VM is a Xen guest; switching VM tech'y is not an option here. If
you're suggesting running LXC *in* the Xen guest, that's a layered
complexity I'd prefer to do without -- if it's even doable.
In any case, it sounds like users will be on our own to cobble up the
chroot setup into our systemd init environment, and that it will not
be addressed in the release. True?
-darx