Date:      Sat, 15 Nov 2014 15:00:00 +0800
From:      Luzar <luzar722@gmail.com>
To:        Robert Sevat <robert@indylix.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: How much of freebsd can be made read-only in a jail
Message-ID:  <5466F9F0.6080207@gmail.com>
In-Reply-To: <5466E135.80304@indylix.nl>
References:  <5466E135.80304@indylix.nl>

Robert Sevat wrote:
> Hey all,
> 
> I've started using Ansible to make my life easier while managing a lot
> of jails. I've used ezjail up until now, but if I am using automation to
> manage them anyway, I might as well let Ansible set up the jails in an
> even more restrictive way. I am aware of the existence of bsdploy, but
> that uses ezjail and I'm aiming for an even more locked down system.
> 
> Goal:
> - make it impossible to install programs from inside the jail, only
>   install them from outside the jail with pkg -j
> - make it impossible to edit any configuration files from inside the jail
>   since that can be done from the host.
> 
> So my question is, how much can be made read-only?
> 
> And what needs to be kept writable at a minimum for this to work?
> /tmp
> /var/log (configure syslog server so logs don't need to be stored locally?)
> /var/tmp?
> /var/db?
> 
> Anything I'm missing or other directories that should be writable? It
> will of course depend per application, but I only run one service per
> jail. So application specific exceptions will be made while configuring
> the jail in the ansible playbook.
> 
> Maybe I'm overlooking something and this is a bad idea because $reason?
> Any other advice / tips?
> 
> Thank you for your time!
> 
> Kind Regards,
> Robert Sevat
> 

If your jail config files and running directories [system & user] are
read-only you cannot install packages from the host. Your whole concept
is flawed from the get-go.

[Ansible] is a software product you have to purchase. If you're supporting
a large enterprise then maybe the $1000.00 per year cost can be
justified. The FreeBSD port is just the 30-day free trial version.

I suggest you check out the qjail utility.
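The layout Robert asks about, as an added example that is not from either poster: the base system and the per-jail configuration are nullfs-mounted read-only from the host, and only the directories he lists stay writable; the /usr/jails paths, the "web" jail name and the ".d" overlay directory are assumed. Since pkg -j runs inside the jail and sees the read-only mounts, package installs in this layout go into the overlay from the host (pkg's -r root-directory mode), and the second function is a host-side check that nothing else came up writable.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: /usr/jails/base is a
# shared base install; /usr/jails/<name>.d holds the per-jail etc, usr/local
# and var/db and is written only from the host (e.g. pkg -r /usr/jails/<name>.d).
J=/usr/jails

# Emit the fstab that jail.conf's mount.fstab points at. Order matters: the
# read-only base is mounted first, the per-jail overlays and tmpfs on top.
jail_fstab() {
    root=$J/$1
    over=$J/$1.d
    cat <<EOF
$J/base $root nullfs ro 0 0
$over/etc $root/etc nullfs ro 0 0
$over/usr/local $root/usr/local nullfs ro 0 0
$over/var/db $root/var/db nullfs rw 0 0
tmpfs $root/tmp tmpfs rw,mode=1777,size=64m 0 0
tmpfs $root/var/tmp tmpfs rw,mode=1777,size=64m 0 0
tmpfs $root/var/run tmpfs rw,size=8m 0 0
tmpfs $root/var/log tmpfs rw,size=64m 0 0
EOF
}

# Host-side check for drift: read mount(8) output ("src on mnt (type, opts)")
# on stdin and report any writable mount under the jail root that is not one
# of the paths the playbook is allowed to leave writable. Returns 1 on a hit.
audit_mounts() {
    root=$J/$1
    allow=" /tmp /var/tmp /var/run /var/log /var/db "
    bad=0
    while read -r src _on mnt rest; do
        case $mnt in "$root"/*) ;; *) continue ;; esac   # not this jail
        case $rest in *read-only*) continue ;; esac      # ro is fine
        rel=${mnt#"$root"}
        case $allow in *" $rel "*) ;; *)
            echo "unexpected rw mount: $mnt"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of mount(8) output: /usr/local came up writable.
SAMPLE='/usr/jails/base on /usr/jails/web (nullfs, local, read-only)
/usr/jails/web.d/etc on /usr/jails/web/etc (nullfs, local, read-only)
tmpfs on /usr/jails/web/tmp (tmpfs, local)
/usr/jails/web.d/usr/local on /usr/jails/web/usr/local (nullfs, local)'

jail_fstab web
printf '%s\n' "$SAMPLE" | audit_mounts web || echo "audit: drift found"
```

Logs on tmpfs vanish with the jail, which is why the remote syslog Robert mentions belongs with this layout; devfs inside the jail is governed by the devfs ruleset in jail.conf, not by this fstab.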