Michael Tokarev via Postfix-users:
> 10.12.2024 00:46, Wietse Venema via Postfix-users wrote:
>
> >> The prob here is that it isn't trivial at all to set up the
> >> chroot environment, despite all the efforts to solve this so
> >> far. Many things can be simplified greatly by using proxy
> >> maps for example, and that probably will be the way I'll
> >> recommend to use instead of copying all sorts of random stuff
> >> into chroot, regardless if it's needed there or not, or even
> >> if it helps there or not.
> >
> > You could mount read-only,no-execute the dependencies under
> > /var/spool/postfix. Oh wait, systemd builds a symlink web of hell;
> > /etc/resolv.conf is no longer a file but a symlink into the void.
> > Good luck with duplicating that.
>
> It's lovely you mention this. Very interesting.
>
> 2 points.
>
> 1. The deps which are required within chroot - they're just too
> numerous. All sorts of various stuff from /etc and /lib.
> SSL certs for STARTTLS. All cyrus and openssl stuff. Various
> libnss modules, /etc/services /etc/host.conf etc (some are
> for glibc). A *lot* of stuff. The prob with that is that
> each basically needs its own mount.
> And mounts won't actually help, since individual files get
> created anew and renamed into place, leaving the mount pointing
> back to the old file.
I was assuming that the idea is to import *directories* (i.e. collections
of files) instead of individual files.

BTW My resolv.conf points to a local resolver, which is always on the
same IP address, and thus, resolv.conf is essentially static. I notice
that path was taken by systemd as well.

> It's strange you said systemd builds symlink web of hell.
> It redirected a few (maybe just one) runtime-info file from
> /etc to /run - this way, /etc can be read-only (I used RO

Indeed. This was a bad example.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
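The two failure modes raised in the thread, a copied file that goes stale once the host file is replaced by rename-into-place, and a symlink (the systemd /etc/resolv.conf case) that resolves on the host but points into the void when viewed from inside the chroot, can both be caught by a small audit. The script below is an added illustration, not Postfix's own tooling or anything from the thread; `DEFAULT_PATHS` is an illustrative subset of the dependencies the quoted message lists, not an authoritative inventory, and `run_demo()` builds a constructed host tree and chroot in a temporary directory rather than touching a real /var/spool/postfix.

```python
"""Audit a file-copy style Postfix chroot against the live host tree.

Hypothetical helper (not Postfix's own code). It resolves symlinks the
way a process rooted at the chroot would, so a link whose absolute target
only exists on the host is reported as dangling, and it compares content
hashes so a copy that no longer matches the host file is reported stale.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative subset of chroot dependencies; the real set depends on the
# build and on which services are chrooted, so adjust it per system.
DEFAULT_PATHS = (
    "etc/resolv.conf",
    "etc/services",
    "etc/host.conf",
    "etc/nsswitch.conf",
)


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _resolve_under(root: Path, rel: str) -> Path:
    """Follow symlinks as a process rooted at `root` would see them:
    an absolute link target is re-rooted at `root`, never at the host /."""
    cur = root / rel
    for _ in range(40):  # bounded, so a link loop cannot hang the audit
        if not cur.is_symlink():
            return cur
        target = os.readlink(cur)
        if os.path.isabs(target):
            cur = root / target.lstrip("/")
        else:
            cur = cur.parent / target
    return cur


def check_entry(host_root: Path, chroot_root: Path, rel: str) -> str:
    """Classify one path: ok / missing / dangling / stale / absent-on-host."""
    host_file = _resolve_under(host_root, rel)
    if not host_file.is_file():
        return "absent-on-host"
    inside = chroot_root / rel
    if not inside.exists() and not inside.is_symlink():
        return "missing"
    chroot_file = _resolve_under(chroot_root, rel)
    if not chroot_file.is_file():
        return "dangling"  # link target (e.g. under /run) never populated in the chroot
    if _sha256(chroot_file) != _sha256(host_file):
        return "stale"  # host file replaced by rename; the copy kept the old bytes
    return "ok"


def audit_chroot(host_root, chroot_root, rel_paths=DEFAULT_PATHS) -> dict:
    host_root, chroot_root = Path(host_root), Path(chroot_root)
    return {rel: check_entry(host_root, chroot_root, rel) for rel in rel_paths}


def run_demo() -> dict:
    """Build a constructed host tree and chroot in a temp dir, then audit it."""
    with tempfile.TemporaryDirectory() as base:
        host = Path(base) / "host"
        chroot = Path(base) / "chroot"
        (host / "run/systemd/resolve").mkdir(parents=True)
        (host / "etc").mkdir()
        (chroot / "etc").mkdir(parents=True)

        # services: copied and unchanged since -> ok
        (host / "etc/services").write_text("smtp 25/tcp mail\n")
        (chroot / "etc/services").write_text("smtp 25/tcp mail\n")

        # host.conf: copied, then the host file was rewritten via rename -> stale
        (chroot / "etc/host.conf").write_text("order hosts,bind\n")
        (host / "etc/host.conf").write_text("order hosts,bind\nmulti on\n")

        # resolv.conf: systemd-style symlink into /run (constructed sample);
        # the copy preserved the link, but /run/systemd/resolve does not
        # exist inside the chroot -> dangling
        (host / "run/systemd/resolve/stub-resolv.conf").write_text("nameserver 127.0.0.53\n")
        os.symlink("/run/systemd/resolve/stub-resolv.conf", host / "etc/resolv.conf")
        os.symlink("/run/systemd/resolve/stub-resolv.conf", chroot / "etc/resolv.conf")

        # nsswitch.conf: never copied at all -> missing
        (host / "etc/nsswitch.conf").write_text("hosts: files dns\n")

        return audit_chroot(host, chroot)


if __name__ == "__main__":
    for rel, status in run_demo().items():
        print(f"{status:15s} /{rel}")
```

Run against a real system as `audit_chroot("/", "/var/spool/postfix", your_list)`; a "stale" result is exactly the rename-into-place case from the thread, and a "dangling" result is the symlink that only makes sense on the host, so the copy step has to dereference it (`cp -L`) rather than preserve it.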