From owner-freebsd-questions@FreeBSD.ORG Thu Dec 16 04:53:33 2010
Message-ID: <4D099A80.6030808@herveybayaustralia.com.au>
Date: Thu, 16 Dec 2010 14:50:08 +1000
From: Da Rock
To: freebsd-questions@freebsd.org
References: <20101215120036.DFC371065849@hub.freebsd.org> <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk>
In-Reply-To: <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk>
Subject: Re: Noob Jail question.

On 12/16/10 09:32, Dave wrote:
> Hi.
>
> As some of you may remember, I've managed to build a F'BSD V8.0 based
> system that provides me with:-
>
> Local GPS disciplined NTP server (working very well), the reason I built
> the thing in the first place, but it seems FreeBSD can do so much more,
> so I also have.....
>
> Hiawatha webserver (also working well)
>
> FTPD for updating the web pages Hiawatha serves up (working well). Other
> systems here generate data, that is FTP'd over the LAN to the web page
> folders.
>
> SSH remote login for admin needs (but not for "root" login). Also working
> well.
>
> All this will start happily, boot and sort itself out as a "headless"
> machine, and if needed collapse gracefully and shutdown cleanly, with one
> press of the power button. I am impressed!
>
> I've been reading the FreeBSD Manual (a dangerous thing to do during
> lunchtimes!) relating to Jails. Other than making my head spin, I'm
> finding it a tad difficult finding out just what you can/can't do with a
> Jail. Mainly because I'm not familiar with a lot of the terms used, and
> though the man pages are no doubt correct as a reference, they don't
> "explain" it well, in as much as how to use it, well in my addled mind at
> the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing
> to do" with something that will be exposed to the www.
> (Comments/advice?)
>
> But, how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update
> that data? FTPD will only be reachable from the LAN side of the main gateway
> router; Hiawatha will have an outside world port forwarded to it by the
> router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail
> in "read only" mode? (I suspect, maybe?) Or can an app outside the
> jail drop stuff off inside the jail? (For whatever reason, I suspect
> not?)
>
> If anyone understands what the heck I'm blathering on about, please
> explain it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?
>
> Best Regards.
>
> Dave B.
>

Sounds good. A jail is essentially paravirtualisation, in other words it partitions your OS into distinct segments. Linux has just started making inroads on this with vserver and such.
The kernel stays the same, but you actually have separately distinct kernel code, security, etc. for each jail. So it makes sense then to run just one service within it, but it's possible to run an entire system, with multiple systems on one host. This method is extremely fast, barely any trade-off compared to running say VirtualBox, VMWare, or Qemu.

As you read, you hand off a branch in your file system to hold the data for the jail (kernel, world, and apps and associated data etc.), and the jail system inside the jail can only see that branch. That's its equivalent of / on the host. It can't see outside of that unless you place something inside that branch from the host. You even have to actually mount a separate devfs inside the jail if required.

So you want FTPD to drop files into the webserver, and the webserver is in a jail; then (consider the security of what you're attempting) either FTPD has to access the branch containing the jail and webroot, or mount using nullfs the branch containing the FTPD directory inside the jail.

HTH and good luck. For bonus points you can even try a service-only jail, where you don't need the whole system in the jail, just the libraries needed by the service app :)
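The nullfs arrangement the reply suggests, written out as an added example (not part of the original thread): the host directory FTPD writes into is mounted read-only at the same path inside a "www" jail, so Hiawatha can serve the files but the jail can never modify them. The jail name, IP, hostname and all paths are assumptions; the rc.conf variables are the FreeBSD 8 rc.d/jail ones, and the `mount -p` sample is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): share the host's webroot into a
# www jail read-only via nullfs. Jail name, paths and addresses are assumptions.
JAIL_NAME=www
JAIL_ROOT=/usr/jails/www            # assumed jail root (the jail's view of /)
WEBROOT=/usr/local/www/sitedata     # assumed host directory FTPD updates

# fstab line for /etc/fstab.$JAIL_NAME: host dir -> same path under the jail
# root, type nullfs, option ro. rc.d/jail mounts this before the jail starts.
nullfs_fstab_line() {
    host_dir=$1; jail_root=$2
    printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$host_dir" "$jail_root" "$host_dir"
}

# rc.conf fragment: start the jail, give it its own devfs, and process the
# per-jail fstab above (jail_<name>_mount_enable / jail_<name>_fstab).
jail_rc_conf() {
    cat <<EOF
jail_enable="YES"
jail_list="$JAIL_NAME"
jail_${JAIL_NAME}_rootdir="$JAIL_ROOT"
jail_${JAIL_NAME}_hostname="www.example.internal"
jail_${JAIL_NAME}_ip="192.168.0.200"
jail_${JAIL_NAME}_devfs_enable="YES"
jail_${JAIL_NAME}_mount_enable="YES"
jail_${JAIL_NAME}_fstab="/etc/fstab.$JAIL_NAME"
EOF
}

# Check: given the output of `mount -p` (fstab-style listing) in $2, return 0
# only if mount point $1 is a nullfs mount carrying the ro option. Run this
# after `/etc/rc.d/jail start` before forwarding the outside port to the jail.
mount_is_ro_nullfs() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp && $3 == "nullfs" { found = 1; if ("," $4 "," ~ /,ro,/) ro = 1 }
        END { exit ((found && ro) ? 0 : 1) }'
}

# Constructed sample of `mount -p` output so the check can run offline.
SAMPLE_MOUNT_P="/dev/ada0p2 / ufs rw 1 1
$WEBROOT $JAIL_ROOT$WEBROOT nullfs ro 0 0
devfs $JAIL_ROOT/dev devfs rw 0 0"

nullfs_fstab_line "$WEBROOT" "$JAIL_ROOT"
jail_rc_conf
if mount_is_ro_nullfs "$JAIL_ROOT$WEBROOT" "$SAMPLE_MOUNT_P"; then
    echo "webroot is shared read-only into the jail"
fi
```

Because the share is read-only from the jail's side, a compromised webserver process cannot alter the site data; FTPD on the host keeps writing to the original directory as before.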