isolation of GO lang application (jail and chroot)
39 views
Skip to first unread message
Sergei G
Aug 15, 2016, 2:58:55 PM8/15/16
to FreeBSD Questions
Hi,
I have a small web application (using GO language) that I wrote and need to
run as a daemon. I would love to expose it to Internet in a safe and
secure way.
I know I can load a jail (I use qjail) and load application that way. I
will then forward requests from nginx to the tail. That's what I typically
do. The jail is a mini copy of operating system with application running
inside of it.
I'd like to lighten the configuration effort.
chroot comes to mind, but I have not done that. Do I have to code chroot
as a system call from inside my GO language application? Or can I chroot
just like I do jails?
Can I jail just a single process without setting up a copy of operating
system? That's what ideally I would like to do.
My application does open a TCP/IP socket for serving data and works with
local file system.
Do you have any recommendation?
Thank you
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"
I have a small web application (using GO language) that I wrote and need to
run as a daemon. I would love to expose it to Internet in a safe and
secure way.
I know I can load a jail (I use qjail) and load application that way. I
will then forward requests from nginx to the tail. That's what I typically
do. The jail is a mini copy of operating system with application running
inside of it.
I'd like to lighten the configuration effort.
chroot comes to mind, but I have not done that. Do I have to code chroot
as a system call from inside my GO language application? Or can I chroot
just like I do jails?
Can I jail just a single process without setting up a copy of operating
system? That's what ideally I would like to do.
My application does open a TCP/IP socket for serving data and works with
local file system.
Do you have any recommendation?
Thank you
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"
Aleksander Alekseev
Aug 15, 2016, 3:43:38 PM8/15/16
to Sergei G, FreeBSD Questions
Hello, Sergei
There is a good chapter about jails in a handbook:
https://www.freebsd.org/doc/handbook/jails.html
However in my opinion since your application is already "all in one"
executable which is written in safe high level language there is little
benefit of using jails in your case. Perhaps running it under a user
with appropriate permissions and quotas, plus setting up a firewall will
be good enough.
I believe jails are more for applications you don't really trust. For
instance if you are creating a shared web hosting or selling VDS'es.
For all this "running everything in a container and only one executable
per container" stupid rules we should be grateful to Docker and people
who sell it. Most of the time you don't need it since it's just doesn't
solve any problem.
--
Best regards,
Aleksander Alekseev
There is a good chapter about jails in a handbook:
https://www.freebsd.org/doc/handbook/jails.html
However in my opinion since your application is already "all in one"
executable which is written in safe high level language there is little
benefit of using jails in your case. Perhaps running it under a user
with appropriate permissions and quotas, plus setting up a firewall will
be good enough.
I believe jails are more for applications you don't really trust. For
instance if you are creating a shared web hosting or selling VDS'es.
For all this "running everything in a container and only one executable
per container" stupid rules we should be grateful to Docker and people
who sell it. Most of the time you don't need it since it's just doesn't
solve any problem.
--
Best regards,
Aleksander Alekseev
Steve O'Hara-Smith
Aug 15, 2016, 4:45:00 PM8/15/16
to freebsd-...@freebsd.org
On Mon, 15 Aug 2016 11:58:44 -0700
Sergei G <sergeig...@gmail.com> wrote:
> Can I jail just a single process without setting up a copy of operating
> system? That's what ideally I would like to do.
Yes you can do this, all you need to do is to make sure that you
Sergei G <sergeig...@gmail.com> wrote:
> Can I jail just a single process without setting up a copy of operating
> system? That's what ideally I would like to do.
have everything the application needs inside the jail - shared libraries,
configuration files, workspace etc. The set the exec_start for the jail to
the program you want to run. I usually do this by installing the
application in the host and then copying the essentials into the jail. IME
this usually involves a few false starts as you find things missing that
are needed in the jail but once past those it just works(tm), so don't
uninstall from the host until the jail is working.
The next fiddly part comes when you need to upgrade the jailed
application, the safest way is to start from scratch in a fresh jail and
cut over the IP address when it works.
You probably need to abandon qjail and set the jail up by hand to
do this. The payoff comes in security, if someone manages to compromise the
application there's nothing else in the jail for them to play with.
--
Steve O'Hara-Smith <st...@sohara.org>
Reply all
Reply to author
Forward
0 new messages