Re: jail(2) support to OpenLDAP
2006/1/17, Kurt D. Zeilenga <Kurt@openldap.org>:
> Thanks for the contribution. A few comments...
>
> I wonder if builtin support for jail(2) is generally useful or
> not. My thoughts are that admins should generally use jail(8)
> as discussed in the jail(8) manual page.
>
> The only reason I could see for having builtin jail(2)
> support is the same reason we have builtin chroot(2) support,
> ldapi://. The Unix domain socket is opened before the chroot(2)
> call and, in your patch, before the jail(2) call.
>
> But I note placement of the jail(2) call in your patch
> means that all listeners, including TCP/IP ones, are
> opened before the jail(2) call. This likely will lead
> to unexpected behavior where the listener is not allowed
> in the jail. Of course, if you move the jail(2) call before
> the listener startup, you'd have removed the only reason
> for integrating the jail(2) support.
>
> While we could redesign the listener startup to separately
> start UNIX from TCP listeners, allowing the jail(2) call
> to be properly placed, I am not sure it's worth it.
> jail(2) is best thought of as a virtual hosting
> mechanism.
I understand...
> Now a few patch specific issues:
>
> why do you call chroot(2) after calling jail(2). This
> seems, at best, extraneous. jail(2) calls chroot(2)
> internally.
That's a mistake. I wrote chroot("/") instead of chdir("/"), sorry.
> I would suggest combining the jail arguments
> slapd -J host:IP:/path
> so as to avoid consuming multiple flags.
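One way to handle the combined argument Kurt proposes, as an added example that is not OpenLDAP code and is not part of the patch under discussion: a small C parser that splits "host:IP:/path" on the first two colons only (so a path containing ':' survives), requires every field to be present, validates the IP with inet_pton(3) and requires the jail root to be an absolute path. The names parse_jail_spec and struct jail_spec are illustrative, and the example assumes the IP field is a single IPv4 address, as jail(2) of that era accepted; it stops at validation and does not call jail(2) itself.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parsed form of the proposed combined "-J host:IP:/path" argument.
 * Illustrative structure for this example, not an OpenLDAP type. */
struct jail_spec {
    char hostname[256];         /* jail hostname as typed */
    char ip[INET_ADDRSTRLEN];   /* IPv4 address, re-rendered canonically */
    char path[1024];            /* absolute directory that becomes the jail root */
};

/* Split "host:IP:/path" into its three fields.
 * Splits on the first two colons only, so a path containing ':' is kept intact.
 * Returns 0 on success, -1 if any field is missing, too long or malformed;
 * on failure the contents of *js are unspecified. */
int parse_jail_spec(const char *arg, struct jail_spec *js)
{
    const char *c1, *c2, *path;
    size_t hlen, ilen, plen;
    char ipbuf[INET_ADDRSTRLEN];
    struct in_addr in;

    if (arg == NULL || js == NULL)
        return -1;

    c1 = strchr(arg, ':');
    if (c1 == NULL)
        return -1;
    c2 = strchr(c1 + 1, ':');
    if (c2 == NULL)
        return -1;
    path = c2 + 1;

    hlen = (size_t)(c1 - arg);
    ilen = (size_t)(c2 - (c1 + 1));
    plen = strlen(path);

    /* Every field must be non-empty and fit its buffer including the NUL. */
    if (hlen == 0 || hlen >= sizeof js->hostname)
        return -1;
    if (ilen == 0 || ilen >= sizeof ipbuf)
        return -1;
    if (plen == 0 || plen >= sizeof js->path)
        return -1;

    /* The jail root must be absolute: a relative path would be resolved
     * against whatever cwd slapd happens to have at startup. */
    if (path[0] != '/')
        return -1;

    /* The IP must be one well-formed dotted quad; inet_pton(AF_INET) rejects
     * out-of-range octets, missing octets and leading-zero forms. */
    memcpy(ipbuf, c1 + 1, ilen);
    ipbuf[ilen] = '\0';
    if (inet_pton(AF_INET, ipbuf, &in) != 1)
        return -1;

    memcpy(js->hostname, arg, hlen);
    js->hostname[hlen] = '\0';
    if (inet_ntop(AF_INET, &in, js->ip, sizeof js->ip) == NULL)
        return -1;
    memcpy(js->path, path, plen + 1);
    return 0;
}

/* Stand-alone usage: ./a.out 'ldap.example.com:192.0.2.10:/jails/ldap'
 * (the default argument below is a constructed sample, not a real host). */
int main(int argc, char **argv)
{
    struct jail_spec js;
    const char *arg = argc > 1 ? argv[1] : "ldap.example.com:192.0.2.10:/jails/ldap";

    if (parse_jail_spec(arg, &js) != 0) {
        fprintf(stderr, "bad -J argument: %s\n", arg);
        return 1;
    }
    printf("hostname=%s ip=%s path=%s\n", js.hostname, js.ip, js.path);
    return 0;
}
```

Validating the three fields up front, before any privileged call, keeps a typo in the argument from producing a jail rooted somewhere unintended; the hostname is only length-checked here, since jail(2) accepts whatever string it is given.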