How much of freebsd can be made read-only in a jail


Robert Sevat

Nov 15, 2014, 12:19:53 AM
Hey all,

I've started using Ansible to make my life easier while managing a lot
of jails. I've used ezjail up until now, but if I am using automation to
manage them anyway, I might as well let Ansible set up the jails in an
even more restrictive way. I am aware of the existence of bsdploy, but
that uses ezjail and I'm aiming for an even more locked down system.

Goals:
- make it impossible to install programs from inside the jail, only
  install them from outside the jail with pkg -j
- make it impossible to edit any configuration files from inside the jail,
  since that can be done from the host.

So my question is, how much can be made read-only?

And what needs to be kept writable at a minimum for this to work?
/tmp
/var/log (configure syslog server so logs don't need to be stored locally?)
/var/tmp?
/var/db?

Anything I'm missing or other directories that should be writable? It
will of course depend per application, but I only run one service per
jail. So application specific exceptions will be made while configuring
the jail in the ansible playbook.

Maybe I'm overlooking something and this is a bad idea because $reason?
Any other advice / tips?

Thank you for your time!

Kind Regards,
Robert Sevat
_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Luzar

Nov 15, 2014, 2:00:16 AM
If your jail config files and running directories [system & user] are
read-only you cannot install packages from the host. Your whole concept
is flawed from the get-go.

[ansible] is a software product you have to purchase. If you're supporting
a large enterprise then maybe the $1000.00 per year cost can be
justified. The FreeBSD port is just the 30 day free trial version.

I suggest you check out the qjail utility.

Robert Sevat

Nov 15, 2014, 2:14:46 AM
Hey,

Ansible is free and open source if you use it on the command line. Only
Ansible Tower, the enterprise GUI offering, is paid.

The jail is only read-only from inside the jail. From outside the jail
you can edit the files just like any other file.
pkg with the -j option will indeed not work, since that executes in
the jail.

But "pkg -c /usr/jails/apache install whois" does work. So the concept
isn't flawed. Qjail is a fork of ezjail and isn't what I'm looking for.

Kind Regards,
Robert Sevat

Nicolas Geniteau

Nov 15, 2014, 6:36:22 AM
Hi Robert,

First, I don't have any FreeBSD accessible now, so my answer will be
quite imprecise.

2014-11-15 6:14 GMT+01:00 Robert Sevat <rob...@indylix.nl>:
> I've started using Ansible to make my life easier while managing a lot
> of jails.

Great, Ansible is a very useful tool! I never tried it on FreeBSD, is
it well supported?

> So my question is, how much can be made read-only?

I have already done this kind of thing in the past. If my memory is good,
I set all of /tmp and /var RW and it works well with almost all services. You
can probably be more restrictive, but is it really useful?

If I had to do this kind of thing now, I would try to do the same as a
diskless boot.
https://www.freebsd.org/doc/handbook/network-diskless.html
man diskless

The /etc/rc.initdiskless script (or something like this), after mounting
/ read-only over NFS, creates a memory filesystem populated from a template
for, generally, /var and /etc (I can't explain why the diskless
documentation says to do /etc too).

Using this principle, no change on disk is possible, only in RAM.

It seems to me that the script is well documented, you can probably
adapt it to fit your needs.


Regards,

--
Nicolas

Robert Sevat

Nov 15, 2014, 1:10:05 PM
Ansible appears to be quite well supported, there are modules for pkg /
jails and I've read that quite a few people have been using it.

While a diskless boot is similar, it doesn't have the same security
advantages because you introduce new attack vectors. You need an NFS
server that can be attacked; I think nullfs mounts have less attack
surface. It does have the advantage of making persistence harder, since
the jail is 'wiped clean' at every restart.

I agree with you that only having /tmp and /var writable will probably
suffice. I'll give that a go. Thanks for your insight.

Kind Regards,
Robert Sevat
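As an added example (my own script, not code posted in this thread and not part of FreeBSD or ezjail), here is the layout the thread settles on expressed as a generated jail fstab plus an audit of a mount table: the shared base tree is overlaid read-only with nullfs, the per-jail /etc and /root come read-only from a separate config tree, and only /tmp and /var are writable, as tmpfs. The paths /usr/jails/base, /usr/jails/web-conf and /usr/jails/web, the function names, and the sample mount table are all assumptions of mine; the audit expects the fstab-style format that `mount -p` prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself.
# Assumptions (mine): a shared base tree (BASE) is overlaid read-only with
# nullfs into the jail root (ROOT); the per-jail /etc and /root live in a
# separate config tree (CONF), also mounted read-only; /tmp and /var are
# tmpfs, the two directories the thread settled on leaving writable.
# The audit reads `mount -p` output: device mountpoint fstype options dump pass.

# Base-system directories shared read-only by every jail.
BASE_DIRS="bin boot lib libexec rescue sbin usr"
# Per-jail directories that hold configuration, still read-only inside the jail.
CONF_DIRS="etc root"

# gen_jail_fstab BASE CONF ROOT
# Prints an fstab suitable for jail.conf's mount.fstab parameter.
gen_jail_fstab() {
    base=$1; conf=$2; root=$3
    for d in $BASE_DIRS; do
        printf '%s %s/%s nullfs ro,nosuid 0 0\n' "$base/$d" "$root" "$d"
    done
    for d in $CONF_DIRS; do
        printf '%s %s/%s nullfs ro,nosuid 0 0\n' "$conf/$d" "$root" "$d"
    done
    # World-writable scratch space: no setuid binaries, nothing executable.
    printf 'tmpfs %s/tmp tmpfs rw,nosuid,noexec,mode=1777 0 0\n' "$root"
    # /var is a fresh tmpfs at every start; populate it from a template in exec.prestart.
    printf 'tmpfs %s/var tmpfs rw,nosuid,mode=0755 0 0\n' "$root"
}

# audit_mounts ROOT "ALLOWED..." < mount-table
# Prints every mount below ROOT that is writable and not under an allowed
# path (allowed paths are relative to the jail root); returns 1 if any found.
audit_mounts() {
    root=$1; allow=$2; bad=0
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        case "$mnt" in "$root"/*) ;; *) continue ;; esac    # only this jail's mounts
        case ",$opts," in *,ro,*) continue ;; esac          # read-only is what we want
        rel=${mnt#"$root"}
        ok=0
        for a in $allow; do
            case "$rel" in "$a"|"$a"/*) ok=1 ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            echo "$mnt ($fstype,$opts)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample of `mount -p` output: the jail's /etc was mounted rw by mistake.
SAMPLE_MOUNTS='zroot/ROOT/default / zfs rw 0 0
/usr/jails/base/usr /usr/jails/web/usr nullfs ro,nosuid 0 0
/usr/jails/base/bin /usr/jails/web/bin nullfs ro,nosuid 0 0
/usr/jails/web-conf/etc /usr/jails/web/etc nullfs rw 0 0
tmpfs /usr/jails/web/tmp tmpfs rw,nosuid,noexec,mode=1777 0 0
tmpfs /usr/jails/web/var tmpfs rw,nosuid,mode=0755 0 0'

echo "# fstab for jail 'web':"
gen_jail_fstab /usr/jails/base /usr/jails/web-conf /usr/jails/web
echo "# writable mounts outside /tmp and /var:"
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /usr/jails/web "/tmp /var" \
    || echo "# audit failed: fix the mounts listed above"
```

Point the jail at the generated file with `mount.fstab` in jail.conf. Because /var is an empty tmpfs after every start, the jail's /var/log, /var/db and /var/run must be recreated from a template before services start (an `exec.prestart` hook copying a skeleton in is the same idea as the rc.initdiskless memory filesystem Nicolas describes). On a live host, `mount -p | sh -c '. ./jailfs.sh; audit_mounts /usr/jails/web "/tmp /var"'` reports any mount under the jail root that is writable but not under /tmp or /var, which is the check to run after a playbook change; nothing in the script itself needs root, only the mounts do.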