[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: bind9-chroot (was: questions on ITP)



On Fri, Sep 28, 2001 at 10:15:09AM +0200, Christian Kurz wrote:
> > lets not exaggerate, the only distribution i know that actually
> 
> Where I'm an exaggerating, I'm just describing the problem and how one
> possible one to handle it would be.

you are making grandiose claims that people will abandon debian in
droves to use other distros if debian does not supply quick and
automatic chroot options for bind.  i counter that the other
distributions don't chroot bind by default nor offer chroot as an
option, you have to do it manually.

so why would someone abandon debian if they have to do a chroot config
manually under 2.2 kernels when they have to do it manually on all the
other dists no matter what kernel they use?

> > chroots bind by default is OpenBSD.  it wasn't until very recently
> 
> It's not about the problem of having chroot by default. Having a script
> that is invoked upon user interaction that generates the chroot would in
> my opinion be also an acceptable solution. We just shouldn't have a
> solution for chrooting bind that depends on kernel 2.4.x features.

I think respecting debian policy is more important then supporting 2.2
kernels for chrooted bind.

the only real options for 2.2 are:

1: rsync /etc/bind to $chroot/etc/bind in the initscript on start.

2: violate policy and move the config files out of /etc

option 1 sucks since you have to fully restart bind to make changes to
your configs instead of merly sending a SIGHUP (or is that even
needed?) 

option 2 is unnacceptable IMO, and really in fact by current policy,
and throwing away policy would be foolish since thats what makes
debian such high quality distribution.

comparing this to postfix isn't very useful either, in postfix the
config files do NOT live in the chroot, the only things put in chroot
is a couple libs that are required and things like /etc/hosts and
/etc/localtime.  bind mounts are not an option for postfix without
severly reducing the security of the chroot (you would have to mount
all of /etc and all of /lib to make it effective, and at that point
why bother).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpT6rwXmhaj4.pgp
Description: PGP signature


Reply to: