
Implementing bind9 in multiple jails.

When I try to run bind9 inside of an ezjail sandbox, it complains about not being able to create the devfs:

  test237# ./named start
  mount_devfs: Operation not permitted
  ./named: WARNING: devfs_domount(): Unable to mount devfs on
  devfs rule: ioctl DEVFSIO_RAPPLY: Inappropriate ioctl for device
  devfs rule: ioctl DEVFSIO_RAPPLY: Inappropriate ioctl for device
  Starting named.
  test237# ps -auxw | grep -i name
  bind 28512  0.0  0.1  7420  4512  ??  SsJ   6:00PM   0:00.00 /usr/sbin/named -t /var/named -u bind
  test237# df -k
  Filesystem    1K-blocks   Used     Avail Capacity  Mounted on
  /dev/aacd1s1d 130610200 658586 119502798     1%    /
  test237# sockstat
  bind     named      28512 3  dgram  -> /var/run/logpriv
  bind     named      28512 20 udp4  *:*
  bind     named      28512 21 tcp4    *:*

Yes, I know bind is already in a jail by default, but I want to be able to run multiple separate instances of named in different sandboxes, to be run by entirely different IT groups who should not have access to each other's configurations. At the same time, I would like it to be run the standard FreeBSD way, in the /var/named/ jail, so everything will still look like a normal, stand-alone system.

The inability to create the devfs may not be the only problem, so if anyone is running bind9 inside an ezjail sandbox and has a list of "gotchas" and how to solve them, that would be appreciated.
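Since the rc script's attempt to mount devfs is refused inside the jail, the chroot's dev directory may be left without the device nodes named expects. The following is an added example, not part of the original post or of the FreeBSD rc.d/named script: a small POSIX shell check you can run inside the jail to see whether a chroot directory already carries those nodes. It assumes that null, random and zero are the nodes named needs in its chroot, and that on a jailed system they would have to be provided from the host (for instance by mounting devfs on the jail's var/named/dev from outside the jail); both of those are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's rc.d/named).
# Reports which device nodes are missing under <chroot>/dev. Assumption:
# named -t <chroot> only needs /dev/null, /dev/random and /dev/zero inside
# the chroot. Inside a jail "mount_devfs: Operation not permitted" means the
# rc script cannot populate that directory itself, so the nodes must come
# from the host; this script only reports, it does not try to mount anything.

# check_named_chroot_devs <chroot_dir>
# Prints the missing node names on stderr and returns 1 if any are absent,
# returns 0 when all required character devices exist.
check_named_chroot_devs() {
    chroot_dir=$1
    missing=""
    for node in null random zero; do
        # -c is true only for a character special file, so an empty
        # directory or a stray regular file named "null" does not pass.
        if [ ! -c "$chroot_dir/dev/$node" ]; then
            missing="$missing $node"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing device nodes under %s/dev:%s\n' "$chroot_dir" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration: a temporary, empty chroot-style tree, which is
# exactly what a failed devfs mount leaves behind. Wrapped in "if" so a
# missing node is reported rather than aborting the script.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/dev"
if check_named_chroot_devs "$demo_dir"; then
    echo "chroot $demo_dir has all required device nodes"
else
    echo "chroot $demo_dir is not usable for named -t yet"
fi
rm -rf "$demo_dir"
```

To check the real chroot from inside the jail, call check_named_chroot_devs /var/named; a non-zero exit with the list of missing nodes tells you what the host side still has to provide before named is started.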