Date: Sat, 15 Nov 2014 19:09:56 +0100
From: Robert Sevat <robert@indylix.nl>
To: Nicolas Geniteau <nicolas@geniteau.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: How much of freebsd can be made read-only in a jail
Message-ID: <546796F4.6020901@indylix.nl>
In-Reply-To: <CADw3u-dwqZD3bsQrDyxpwkPNdTOhuBwOymzcLC71vMVvLNte=A@mail.gmail.com>
References: <5466E135.80304@indylix.nl> <CADw3u-dwqZD3bsQrDyxpwkPNdTOhuBwOymzcLC71vMVvLNte=A@mail.gmail.com>

On 11/15/2014 12:35 PM, Nicolas Geniteau wrote:
> Hi Robert,
>
> First, I don't have any FreeBSD accessible now, so my answer will be
> quite imprecise.
>
> 2014-11-15 6:14 GMT+01:00 Robert Sevat <robert@indylix.nl>:
>> I've started using Ansible to make my life easier while managing a lot
>> of jails.
> Great, Ansible is a very useful tool! I never tried on FreeBSD, is
> it well supported?
>
>> So my question is, how much can be made read-only?
> I have already done this kind of thing in the past. If my memory is good,
> I set all /tmp and /var RW and it works well with almost all services. You
> can probably be more restrictive, but is it really useful?
>
> If I had to do this kind of thing now, I would try to do the same as a
> diskless boot.
> https://www.freebsd.org/doc/handbook/network-diskless.html
> man diskless
>
> The /etc/rc.initdiskless script (or something like this), after mounting
> / in RO by NFS, creates a memory filesystem populated by a template
> for, generally, /var and /etc (I can't explain why the diskless
> documentation says to do /etc too).
>
> Using this principle, no change on disk is possible, only in RAM.
>
> It seems to me that the script is well documented, you probably can
> adapt it to fill your needs.
>
>
> Regards,
>

Ansible appears to be quite well supported, there are modules for pkg /
jails and I've read that quite a few people have been using it.

While a diskless boot is similar, it doesn't have the same security
advantages because you introduce new attack vectors. You need an NFS
server that can be attacked, I think nullfs mounts have less attack
surface. It does have the advantage of making persistence harder due to
the jail being 'wiped clean' on every restart.

I agree with you that only having /tmp and /var writable will probably
suffice. I'll give that a go.

Thanks for your insight.

Kind Regards,

Robert Sevat
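
An added example, not part of the original message or of either poster's setup: a small audit that reads a jail's fstab and reports any mount that is writable other than /var and /tmp, the layout the thread settles on. The jail path, source directories and fstab lines are constructed sample values.

```shell
#!/bin/sh
# Audit a jail fstab: only /var and /tmp may be writable.
# JAIL_ROOT and the fstab contents below are constructed sample values.

JAIL_ROOT="/jails/www"      # hypothetical jail root
ALLOWED_RW="/var /tmp"      # writable paths agreed on in the thread

# Constructed sample fstab: read-only nullfs base, writable /var and /tmp,
# plus one deliberately wrong line (/usr/local left rw) for the audit to catch.
sample_fstab() {
cat <<EOF
# Device             Mountpoint             FStype  Options                     Dump Pass
/jails/base          $JAIL_ROOT             nullfs  ro                          0 0
/jails/rw/www/var    $JAIL_ROOT/var         nullfs  rw,nosuid                   0 0
tmpfs                $JAIL_ROOT/tmp         tmpfs   rw,nosuid,noexec,mode=1777  0 0
/jails/rw/www/local  $JAIL_ROOT/usr/local   nullfs  rw                          0 0
EOF
}

# Read fstab text on stdin and print every mount point inside the jail that
# is writable but not in ALLOWED_RW. A mount counts as read-only only when
# "ro" is one of its comma-separated options (no "ro" means rw by default).
unexpected_rw() {
    awk -v root="$JAIL_ROOT" -v allowed="$ALLOWED_RW" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[root a[i]] = 1
        }
        NF == 0 || $1 ~ /^#/ { next }                     # blanks and comments
        $2 != root && index($2, root "/") != 1 { next }   # not in this jail
        {
            ro = 0
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "ro") ro = 1
            if (!ro && !($2 in ok)) print $2
        }'
}

sample_fstab | unexpected_rw
```

An empty result means every mount under the jail root is either read-only or one of the two allowed writable paths.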