From: Robert Sevat
Date: Sat, 15 Nov 2014 08:14:35 +0100
To: Luzar
Cc: freebsd-questions@freebsd.org
Subject: Re: How much of freebsd can be made read-only in a jail
Message-ID: <5466FD5B.5070303@indylix.nl>
References: <5466E135.80304@indylix.nl> <5466F9F0.6080207@gmail.com>
In-Reply-To: <5466F9F0.6080207@gmail.com>

On 11/15/2014 08:00 AM, Luzar wrote:
> Robert Sevat wrote:
>> Hey all,
>>
>> I've started using Ansible to make my life easier while managing a lot
>> of jails. I've used ezjail up until now, but if I am using automation to
>> manage them anyway, I might as well let Ansible set up the jails in an
>> even more restrictive way. I am aware of the existence of bsdploy, but
>> that uses ezjail and I'm aiming for an even more locked down system.
>>
>> goal:
>> - make it impossible to install programs from inside the jail, only
>>   install them from outside the jail with pkg -j
>> - make it impossible to edit any configuration files from inside the jail
>>   since that can be done from the host.
>>
>> So my question is, how much can be made read-only?
>>
>> And what needs to be kept writable at a minimum for this to work?
>> /tmp
>> /var/log (configure syslog server so logs don't need to be stored
>> locally?)
>> /var/tmp?
>> /var/db?
>>
>> Anything I'm missing or other directories that should be writable? It
>> will of course depend per application, but I only run one service per
>> jail. So application specific exceptions will be made while configuring
>> the jail in the ansible playbook.
>>
>> Maybe I'm overlooking something and this is a bad idea because $reason?
>> Any other advice / tips?
>>
>> Thank you for your time!
>>
>> Kind Regards,
>> Robert Sevat
>>
>
> If your jail config files and running directories [system & user] are
> read-only you can not install packages from the host. Your whole concept
> is flawed from the get-go.
>
> [ansible] is a software product you have to purchase. If you're supporting
> a large enterprise then maybe the $1000.00 per year cost can be
> justified. The FreeBSD port is just the 30 day free trial version.
>
> I suggest you check out the qjail utility.
>

Hey,

Ansible is free and open source if you use it on the command line. Only
ansible-tower, the enterprise GUI offering, is paid.

The jail is only read-only from inside the jail. From outside the jail you
can edit the files just like any other file. Pkg with the -j option will
indeed not work since that executes in the jail. But
"pkg -c /usr/jails/apache install whois" does work. So the concept isn't
flawed.

Qjail is a fork of ezjail and isn't what I'm looking for.

Kind Regards,
Robert Sevat
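
Added example (not part of the original message, and not either poster's actual setup): one way to get a jail that is read-only from inside while the host can still run "pkg -c /usr/jails/apache ..." against the underlying tree. It assumes the host-side tree is mounted read-only through nullfs at a separate jail root (the /usr/jails/run/apache path and the jail_fstab helper are hypothetical), with tmpfs over the directories that must stay writable.

```shell
#!/bin/sh
# Added example: emit an fstab (for jail.conf's mount.fstab) that gives a jail
# a read-only nullfs view of a tree the host can still write to.
# Assumptions, not from the thread: the separate jail-root mountpoint and
# the use of tmpfs for the writable paths.

# jail_fstab SRC ROOT DIR...
#   SRC  - host-side tree, e.g. /usr/jails/apache (the "pkg -c" target)
#   ROOT - path the jail uses as its root (hypothetical mountpoint)
#   DIR  - absolute paths inside the jail that must remain writable
jail_fstab() {
    [ "$#" -ge 2 ] || { echo "usage: jail_fstab SRC ROOT [DIR...]" >&2; return 1; }
    src=$1; root=$2; shift 2
    for p in "$src" "$root" "$@"; do
        case $p in
            *..*) echo "refusing path with '..': $p" >&2; return 1 ;;
            /*)   ;;
            *)    echo "path must be absolute: $p" >&2; return 1 ;;
        esac
    done

    # The whole tree is read-only as seen through ROOT; writes made by the
    # host under SRC show through the nullfs mount.
    printf '%s %s nullfs ro 0 0\n' "$src" "$root"

    # Writable scratch areas are layered on top, after the nullfs line.
    # nosuid/noexec keep them from becoming a place to drop and run programs.
    for dir in "$@"; do
        mode=755
        case $dir in /tmp|/var/tmp) mode=1777 ;; esac   # sticky, world-writable
        printf 'tmpfs %s%s tmpfs rw,nosuid,noexec,mode=%s 0 0\n' \
            "$root" "$dir" "$mode"
    done
}

# Constructed sample call using the jail path from the message above.
jail_fstab /usr/jails/apache /usr/jails/run/apache /tmp /var/tmp /var/log
```

tmpfs contents are lost when the jail stops, so anything that must persist (logs, application state) needs a remote syslog target or a dedicated writable mount instead.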