From: Nicolas Geniteau
Date: Sat, 15 Nov 2014 12:35:51 +0100
Subject: Re: How much of freebsd can be made read-only in a jail
To: Robert Sevat
Cc: freebsd-questions@freebsd.org
In-Reply-To: <5466E135.80304@indylix.nl>

Hi Robert,

First, I don't have any FreeBSD system accessible right now, so my answer will be quite imprecise.

2014-11-15 6:14 GMT+01:00 Robert Sevat:
> I've started using Ansible to make my life easier while managing a lot
> of jails.

Great, Ansible is a very useful tool! I never tried it on FreeBSD; is it well supported?

> So my question is, how much can be made read-only?

I have already done this kind of thing in the past. If I remember correctly, I set all of /tmp and /var read-write, and it worked well with almost all services. You can probably be more restrictive, but is it really useful?

If I had to do this kind of thing now, I would try to do the same as a diskless boot:

https://www.freebsd.org/doc/handbook/network-diskless.html
man diskless

The /etc/rc.initdiskless script (or something like this), after mounting / read-only over NFS, creates a memory filesystem populated from a template for, generally, /var and /etc (I can't explain why the diskless documentation says to do /etc too). Using this principle, no change on disk is possible, only in RAM.

It seems to me that the script is well documented; you can probably adapt it to fit your needs.

Regards,
-- 
Nicolas
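As an added illustration of the approach Nicolas describes (this is not his code and not FreeBSD's /etc/rc.initdiskless), the sh script below does for a jail what rc.initdiskless does for a diskless host: it mounts a size-capped tmpfs on the jail's /var and /tmp, fills /var from a template tree, and then probes that the jail root refuses writes while the memory filesystems accept them. The jail root, template directory and tmpfs sizes (JAIL_ROOT, TEMPLATE_DIR, VAR_SIZE, TMP_SIZE) are assumed placeholders, and calling it from an `exec.prestart` line in jail.conf is an assumption about your layout, not something the reply specifies.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list reply or of FreeBSD's
# rc.initdiskless. Mounts memory filesystems for a read-only jail and fills
# /var from a template tree, the way rc.initdiskless populates /var on a
# diskless host. All paths below are assumptions; adjust them to your layout.
# Intended use (assumed): exec.prestart = "/usr/local/sbin/jail-memfs.sh prestart";

set -u

JAIL_ROOT="${JAIL_ROOT:-/jails/www}"                  # assumed: jail root, mounted read-only
TEMPLATE_DIR="${TEMPLATE_DIR:-/jails/templates/www}"  # assumed: holds a "var" template tree
VAR_SIZE="${VAR_SIZE:-64m}"                           # assumed tmpfs cap for /var
TMP_SIZE="${TMP_SIZE:-32m}"                           # assumed tmpfs cap for /tmp

# is_empty_dir DIR: succeed only if DIR exists and has no entries, i.e. it is
# a freshly mounted, still-empty mount point.
is_empty_dir() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# populate_from_template TEMPLATE TARGET: copy the template tree into TARGET
# with ownership and modes preserved. Refuses to overlay a non-empty target so
# a leftover file cannot silently shadow what the template provides.
populate_from_template() {
    template="$1"; target="$2"
    [ -d "$template" ] || { echo "no template directory: $template" >&2; return 1; }
    is_empty_dir "$target" || { echo "$target is not an empty mount point" >&2; return 1; }
    cp -Rp "$template"/. "$target"/
}

# count_entries DIR: number of files and directories below DIR (populate check).
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# probe_writable DIR: succeed if a file can be created in DIR. Used to verify
# that the read-only root really is read-only and the tmpfs mounts are not.
probe_writable() {
    probe="$1/.rw_probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# mount_memfs DIR SIZE: mount a size-capped tmpfs (FreeBSD tmpfs(5)) on DIR.
# Needs root on FreeBSD; deliberately not exercised by any self-test.
mount_memfs() {
    mount -t tmpfs -o "size=$2" tmpfs "$1"
}

# prepare_jail: the prestart flow. Mount, populate, then sanity-check.
prepare_jail() {
    mount_memfs "$JAIL_ROOT/var" "$VAR_SIZE" || return 1
    mount_memfs "$JAIL_ROOT/tmp" "$TMP_SIZE" || return 1
    populate_from_template "$TEMPLATE_DIR/var" "$JAIL_ROOT/var" || return 1
    chmod 1777 "$JAIL_ROOT/tmp"
    # The root must refuse writes; the memory filesystems must accept them.
    if probe_writable "$JAIL_ROOT"; then
        echo "warning: $JAIL_ROOT accepts writes; root is not read-only" >&2
    fi
    probe_writable "$JAIL_ROOT/var" || { echo "error: $JAIL_ROOT/var is not writable" >&2; return 1; }
    echo "populated $JAIL_ROOT/var with $(count_entries "$JAIL_ROOT/var") entries"
}

[ "${1:-}" = prestart ] && prepare_jail
```

The refusal to populate a non-empty target is the one check worth keeping even if you reshape the rest: it turns a forgotten or failed tmpfs mount (which would otherwise make the copy land on the read-only root, or on whatever was already there) into an immediate prestart failure instead of a jail that starts with a stale /var.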