Date:      Sat, 15 Nov 2014 06:14:29 +0100
From:      Robert Sevat <robert@indylix.nl>
To:        freebsd-questions@freebsd.org
Subject:   How much of freebsd can be made read-only in a jail
Message-ID:  <5466E135.80304@indylix.nl>

Hey all,

I've started using Ansible to make my life easier while managing a lot
of jails. I've used ezjail up until now, but if I am using automation to
manage them anyway, I might as well let Ansible set up the jails in an
even more restrictive way. I am aware of the existence of bsdploy, but
that uses ezjail and I'm aiming for an even more locked down system.

Goal:
- make it impossible to install programs from inside the jail, only
  install them from outside the jail with pkg -j
- make it impossible to edit any configuration files from inside the jail
  since that can be done from the host.

So my question is, how much can be made read-only?

And what needs to be kept writable at a minimum for this to work?
/tmp
/var/log (configure syslog server so logs don't need to be stored locally?)
/var/tmp?
/var/db?

Anything I'm missing or other directories that should be writable? It
will of course depend per application, but I only run one service per
jail. So application specific exceptions will be made while configuring
the jail in the Ansible playbook.

Maybe I'm overlooking something and this is a bad idea because $reason?
Any other advice / tips?

Thank you for your time!

Kind Regards,
Robert Sevat
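
The writable-directory list proposed in the message above can be checked from the host against what is actually mounted. The script below is an added example, not part of the original e-mail: it reads fstab-format lines (the format `mount -p` prints on FreeBSD) and reports every mount under a jail root that is read-write but not on the allowlist. The function names, jail paths and sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original e-mail). All paths below are constructed.
# Reads fstab-format lines, as printed by `mount -p` on FreeBSD, on stdin and
# prints each mount at or below JAILROOT that is read-write and not allowed.
# Usage: writable_violations JAILROOT ALLOWED_DIR...
writable_violations() {
    root=${1%/}; shift
    allowed=" $* "
    while read -r dev mnt fstype opts rest; do
        # Skip blank lines and comments.
        case $dev in ''|\#*) continue ;; esac
        # Keep only the jail root and mounts beneath it; "$root"/* does not
        # match a sibling jail whose name merely starts with the same prefix.
        case $mnt in
            "$root")   rel=/ ;;
            "$root"/*) rel=${mnt#"$root"} ;;
            *)         continue ;;
        esac
        # Read-only when "ro" is one of the comma-separated mount options.
        case ",$opts," in *,ro,*) continue ;; esac
        # Writable mounts pass only if explicitly allowlisted.
        case $allowed in *" $rel "*) continue ;; esac
        printf '%s\n' "$rel"
    done
}

# Constructed mount table: read-only base, three writable overlays, and an
# unrelated jail (web10) that must not be confused with web1.
sample_mounts() {
    cat <<'EOF'
/jails/base            /jails/web1                nullfs ro                0 0
tmpfs                  /jails/web1/tmp            tmpfs  rw,noexec,nosuid  0 0
/jails/data/web1/log   /jails/web1/var/log        nullfs rw                0 0
/jails/data/web1/etc   /jails/web1/usr/local/etc  nullfs rw                0 0
/jails/scratch         /jails/web10               nullfs rw                0 0
EOF
}

# Allowlist taken from the candidate directories named in the message.
sample_mounts | writable_violations /jails/web1 /tmp /var/log /var/tmp /var/db
```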


