[Date Prev][Date Next]
Re: jail(2) support to OpenLDAP
2006/1/17, Kurt D. Zeilenga <Kurt@openldap.org>:
> Thanks for the contribution. A few comments...
> I wonder if builtin support for jail(2) is generally useful or
> not. My thoughts are that admins should generally use jail(8)
> as discussed in the jail(8) manual page.
> The only reason I could see for having builtin jail(2)
> support is the same reason we have builtin chroot(2) support,
> ldapi://. The Unix domain socket is opened before the chroot(2)
> call and, in your patch, before the jail(2) call.
> But I note placement of the jail(2) call in your patch
> means that the all listeners, including TCP/IP ones, are
> opened before the jail(2) call. This likely will lead
> to unexpected behavior where the listener is not allowed
> in the jail. Of course, if you move the jail(2) call before
> the listener startup, you'd have removed the only reason
> for integrating the jail(2) support.
> While we could redesign the listener startup to separately
> start UNIX from TCP listeners, allowing the jail(2) call
> to be properly placed, I am not sure its worth it.
> jail(2) is best thought of as a virtual hosting
> Now a few patch specific issues:
> why do you call chroot(2) after calling jail(2). This
> seems, at best, extraneous. jail(2) calls chroot(2)
That's a mistake. I wrote chroot("/") instead chdir("/"), sorry.
> I would suggest combining the jail arguments
> slapd -J host:IP:/path
> so as to avoid consuming multiple flags.