Date: Sat, 15 Nov 2014 15:00:00 +0800
From: Luzar <luzar722@gmail.com>
To: Robert Sevat <robert@indylix.nl>
Cc: freebsd-questions@freebsd.org
Subject: Re: How much of freebsd can be made read-only in a jail
Message-ID: <5466F9F0.6080207@gmail.com>
In-Reply-To: <5466E135.80304@indylix.nl>
References: <5466E135.80304@indylix.nl>
Robert Sevat wrote:
> Hey all,
>
> I've started using Ansible to make my life easier while managing a lot
> of jails. I've used ezjail up until now, but if I am using automation to
> manage them anyway, I might as well let Ansible set up the jails in an
> even more restrictive way. I am aware of the existence of bsdploy, but
> that uses ezjail and I'm aiming for an even more locked-down system.
>
> goal:
> - make it impossible to install programs from inside the jail, only
>   install them from outside the jail with pkg -j
> - make it impossible to edit any configuration files from inside the jail
>   since that can be done from the host.
>
> So my question is, how much can be made read-only?
>
> And what needs to be kept writable at a minimum for this to work?
> /tmp
> /var/log (configure syslog server so logs don't need to be stored locally?)
> /var/tmp?
> /var/db?
>
> Anything I'm missing or other directories that should be writable? It
> will of course depend per application, but I only run one service per
> jail. So application-specific exceptions will be made while configuring
> the jail in the Ansible playbook.
>
> Maybe I'm overlooking something and this is a bad idea because $reason?
> Any other advice / tips?
>
> Thank you for your time!
>
> Kind Regards,
> Robert Sevat

If your jail config files and running directories [system & user] are read-only you can not install packages from the host. Your whole concept is flawed from the get-go.

[ansible] is a software product you have to purchase. If you're supporting a large enterprise then maybe the $1000.00 per year cost can be justified. The FreeBSD port is just the 30 day free trial version.

I suggest you check out the qjail utility.
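One concrete way to lay out the read-only jail Robert describes, as an added example that is not part of this thread or of any FreeBSD tool: a shared, host-owned base tree is nullfs-mounted read-only at the jail root, and only the directories from Robert's list are overlaid read-write from a per-jail data tree. The script below generates the per-jail fstab(5) consumed by jail.conf(5)'s mount.fstab and prints a matching jail.conf stanza. The paths (/jails/base, /jails/web, /jails/data/web), the jail name, and the addition of /var/run to the writable list are assumptions; everything the host writes into the base tree shows up read-only inside the jail.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the mount table for a
# jail whose root is a read-only nullfs view of a host-owned base tree, with
# per-jail read-write overlays only where the service needs to write.

# Directories that stay writable. Robert's list plus /var/run, which rc(8)
# and most daemons need for pid files and sockets (assumption; tune per jail).
WRITABLE_DEFAULT="/tmp /var/tmp /var/log /var/db /var/run"

# gen_jail_fstab BASE JAILROOT DATA [dir ...]
# Prints fstab(5) lines: BASE nullfs ro on JAILROOT first, then DATA/<dir>
# nullfs rw on JAILROOT/<dir> for each writable directory. Order matters:
# the rw overlays must be mounted after the ro root, and every <dir> must
# already exist as a directory inside BASE to serve as a mount point.
gen_jail_fstab() {
    base=$1; root=$2; data=$3; shift 3
    dirs=${*:-$WRITABLE_DEFAULT}
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$base" "$root"
    for d in $dirs; do
        case $d in
            /*) ;;
            *) echo "gen_jail_fstab: '$d' is not an absolute path" >&2; return 1 ;;
        esac
        printf '%s%s\t%s%s\tnullfs\trw\t0\t0\n' "$data" "$d" "$root" "$d"
    done
}

# gen_jail_conf NAME JAILROOT FSTAB
# Prints a jail.conf(5) stanza that uses the generated fstab. Only real
# jail.conf parameters are used; the hostname is a placeholder.
gen_jail_conf() {
    name=$1; root=$2; fstab=$3
    printf '%s {\n' "$name"
    printf '    path = "%s";\n' "$root"
    printf '    host.hostname = "%s.example.invalid";\n' "$name"
    printf '    mount.fstab = "%s";\n' "$fstab"
    printf '    mount.devfs;\n'
    printf '    exec.start = "/bin/sh /etc/rc";\n'
    printf '    exec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf '}\n'
}

# Stand-alone usage: print both files for a hypothetical "web" jail.
if [ "${1:-}" = "--demo" ]; then
    echo "# /etc/fstab.web"
    gen_jail_fstab /jails/base /jails/web /jails/data/web
    echo
    echo "# /etc/jail.conf stanza"
    gen_jail_conf web /jails/web /etc/fstab.web
fi
```

Run with `--demo` to see the two files; an Ansible template would emit the same lines with the jail name and writable list as variables. Because the rw overlays come from the per-jail data tree, a process inside the jail can fill /var/log or /tmp but cannot change anything under the base tree, which is the property Robert is after.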