Date: Sat, 15 Nov 2014 08:14:35 +0100 From: Robert Sevat <robert@indylix.nl> To: Luzar <luzar722@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: How much of freebsd can be made read-only in a jail Message-ID: <5466FD5B.5070303@indylix.nl> In-Reply-To: <5466F9F0.6080207@gmail.com> References: <5466E135.80304@indylix.nl> <5466F9F0.6080207@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/15/2014 08:00 AM, Luzar wrote: > Robert Sevat wrote: >> Hey all, >> >> I've started using Ansible to make my life easier while managing a lot >> of jails. I've used ezjail up until now, but if I am using automation to >> manage them anyway, I might as well let Ansible setup the jails in an >> even more restrictive way. I am aware of the existence of bsdploy, but >> that uses ezjail and I'm aiming for an even more locked down system. >> >> goal: >> -make it impossible to install programs from inside the jail, only >> install them from outside the jail with pkg -j >> -make it impossible to edit any configuration files from inside the jail >> since that can be done from the host. >> >> So my question is, how much can be made read-only? >> >> And what needs to be kept writable at a minimum for this to work? >> /tmp >> /var/log (configure syslog server so logs don't need to be stored >> locally?) >> /var/tmp? >> /var/db? >> >> Anything I'm missing or other directories that should be writable? It >> will of course depend per application, but I only run one service per >> jail. So application specific exceptions will be made while configuring >> the jail in the ansible playbook. >> >> Maybe I'm overlooking something and this is a bad idea because $reason? >> Any other advice / tips? >> >> Thank you for your time! >> >> Kind Regards, >> Robert Sevat >> > > If your jail config files and running directories [system & user] are > read-only you can not install packages from the host. Your whole concept > is flawed from the getgo. > > [ansible] is a software product you have to purchase. If your supporting > a large enterprise then maybe the $1000.00 per year cost can be > justified. The Freebsd port is just the 30 day free trial version. > > I suggest you checkout the qjail utility. > > > > > > Hey, Ansible is free and opensource if you use it on the command line. Only ansible-tower the enterprise gui offering is paid. The jail is only read-only from inside the jail. From outside the jail you can edit the files just like any other file. Pkg with the -j option works will indeed not work since that executes in the jail. But "pkg -c /usr/jails/apache install whois" does work. So the concept isn't flawed. Qjail is a fork of ezjail and isn't what I'm looking for. Kind Regards, Robert Sevat
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5466FD5B.5070303>