[nsd-users] systemd unit files for NSD launch in chroot?

darx at sent.com
Thu Mar 7 03:05:38 UTC 2013


Hi Paul,

On Wed, Mar 6, 2013, at 06:50 PM, Paul Wouters wrote:
> We ship them in Fedora, but they're pretty straightforward. We do not
> use chroot() as it offers nothing over SElinux, and does not come with
> the chroot maintenance nightmare hackery.
> 
> IMHO, chroot() for security is pretty much dead. Even without SElinux,
> the cost of putting up a VM with only your single daemon makes chroot
> basically obsolete.

Can't disagree -- if (1) I use Fedora, (2) I use SELinux, and (3) I have
only the single daemon.

In my case, none are true.

I use openSUSE.  I do not use SELinux.  I use multiple daemons running
in the VM.

systemd-managed, chroot'd Bind9 is currently one of them, as an example.

> In Fedora you can even use "linux containers", which uses CGROUPS to run your daemon in isolation.

My VM is a Xen guest; switching VM tech'y is not an option here.  If
you're suggesting running LXC *in* the Xen guest, that's a layered
complexity I'd prefer to do without -- if it's even doable.

In any case, it sounds like users will be on our own to cobble the
chroot setup up into our systemd init environment, and that it will not
be addressed in the release.  True?

-darx
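As an added illustration (not from this thread, and not the NSD project's or any distribution's shipped unit), here is one way the chroot setup could be cobbled into systemd without copying the nsd binary and its libraries into the chroot: let nsd chroot itself via the `chroot:` option in nsd.conf and use the unit only to start it in the foreground and trim its privileges. The paths /var/lib/nsd, /etc/nsd/nsd.conf, the `nsd` user and the capability list are assumptions for this example; check them against the NSD version and distribution in use.

```ini
# --- /etc/nsd/nsd.conf, server section (constructed example) ---
# nsd opens its sockets as root, then chroots into this directory and
# switches to 'username'.  Absolute paths to files inside the chroot
# are written with the chroot prefix, which nsd strips after chrooting.
#
# server:
#     chroot: "/var/lib/nsd"
#     username: nsd
#     zonesdir: "/var/lib/nsd/zones"
#     pidfile: "/var/lib/nsd/nsd.pid"

# --- /etc/systemd/system/nsd.service (constructed example) ---
[Unit]
Description=NSD authoritative DNS server (self-chrooting)
After=network.target

[Service]
# -d keeps nsd in the foreground so systemd tracks the real process.
# -c points at the configuration that carries the chroot: directive.
ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
# Started as root on purpose: binding port 53, chroot(2) and the
# setuid/setgid drop all happen inside nsd before it serves queries.
# Everything else is removed from the bounding set, so a compromised
# nsd cannot regain capabilities it never had (assumed minimal set).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
# Alternative: RootDirectory=/var/lib/nsd makes systemd do the chroot,
# but then the binary, its shared libraries and /etc/nsd must all be
# maintained inside /var/lib/nsd, which is the upkeep the thread
# complains about.  Keeping the chroot inside nsd avoids that.
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

The chroot directory still needs the zone files and a writable spot for the pidfile and nsd's database, so the useful check after `systemctl start nsd` is `systemctl status nsd` plus a query against the server, not just that the unit came up.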