Date:      Sat, 15 Nov 2014 08:14:35 +0100
From:      Robert Sevat <robert@indylix.nl>
To:        Luzar <luzar722@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: How much of freebsd can be made read-only in a jail
Message-ID:  <5466FD5B.5070303@indylix.nl>
In-Reply-To: <5466F9F0.6080207@gmail.com>
References:  <5466E135.80304@indylix.nl> <5466F9F0.6080207@gmail.com>

On 11/15/2014 08:00 AM, Luzar wrote:
> Robert Sevat wrote:
>> Hey all,
>>
>> I've started using Ansible to make my life easier while managing a lot
>> of jails. I've used ezjail up until now, but if I am using automation to
>> manage them anyway, I might as well let Ansible set up the jails in an
>> even more restrictive way. I am aware of the existence of bsdploy, but
>> that uses ezjail and I'm aiming for an even more locked down system.
>>
>> goal:
>> -make it impossible to install programs from inside the jail, only
>> install them from outside the jail with pkg -j
>> -make it impossible to edit any configuration files from inside the jail
>> since that can be done from the host.
>>
>> So my question is, how much can be made read-only?
>>
>> And what needs to be kept writable at a minimum for this to work?
>> /tmp
>> /var/log (configure syslog server so logs don't need to be stored
>> locally?)
>> /var/tmp?
>> /var/db?
>>
>> Anything I'm missing or other directories that should be writable? It
>> will of course depend per application, but I only run one service per
>> jail. So application specific exceptions will be made while configuring
>> the jail in the ansible playbook.
>>
>> Maybe I'm overlooking something and this is a bad idea because $reason?
>> Any other advice / tips?
>>
>> Thank you for your time!
>>
>> Kind Regards,
>> Robert Sevat
>>
>
> If your jail config files and running directories [system & user] are
> read-only you can not install packages from the host. Your whole concept
> is flawed from the get-go.
>
> [ansible] is a software product you have to purchase. If you're supporting
> a large enterprise then maybe the $1000.00 per year cost can be
> justified. The FreeBSD port is just the 30 day free trial version.
>
> I suggest you check out the qjail utility.
>
Hey,

Ansible is free and open source if you use it on the command line. Only
ansible-tower, the enterprise GUI offering, is paid.

The jail is only read-only from inside the jail. From outside the jail
you can edit the files just like any other file.
Pkg with the -j option will indeed not work, since that executes in
the jail.

But "pkg -c /usr/jails/apache install whois" does work. So the concept
isn't flawed. Qjail is a fork of ezjail and isn't what I'm looking for.

Kind Regards,
Robert Sevat
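The following is an added example and not part of the thread, nor Robert's actual setup. It sketches the layout his reply implies: the host keeps a writable per-jail tree (assumed path /usr/jails/apache-src) that it manages with "pkg -c" and Ansible, and the running jail sees that tree only through a read-only nullfs mount at its root (assumed path /usr/jails/apache), with the directories from the original question (/tmp, /var/log, /var/tmp, /var/db) re-mounted read-write on top. The script generates the fstab(5) lines for jail.conf's mount.fstab and audits a fstab so that no mount other than the listed exceptions is writable; all paths and the exception list are assumptions.

```shell
#!/bin/sh
# Added example: generate and audit a read-only jail fstab.
# Not from the thread; paths are assumptions modelled on /usr/jails/<name>.

# Directories that stay writable inside the jail (the list from the question).
# Per-application exceptions would be appended by the playbook for that jail.
WRITABLE_DIRS="/tmp /var/log /var/tmp /var/db"

# gen_jail_fstab SRCTREE JAILROOT
#   SRCTREE  host-side, writable tree of this jail (assumed: /usr/jails/apache-src)
#   JAILROOT mountpoint the jail runs from     (assumed: /usr/jails/apache)
# Prints fstab(5) lines: the whole tree read-only, then the exceptions
# re-mounted read-write from the same source tree.
gen_jail_fstab() {
    srctree=$1; jailroot=$2
    # Root of the jail: read-only, so nothing inside can install packages
    # or edit configuration. The host still writes to SRCTREE directly, e.g.
    #   pkg -c /usr/jails/apache-src install whois
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$srctree" "$jailroot"
    for d in $WRITABLE_DIRS; do
        printf '%s%s\t%s%s\tnullfs\trw\t0\t0\n' "$srctree" "$d" "$jailroot" "$d"
    done
}

# audit_fstab JAILROOT < fstab
# Returns 0 when every mount under JAILROOT carries the ro option, except
# the mountpoints listed in WRITABLE_DIRS; otherwise reports and returns 1.
audit_fstab() {
    jailroot=$1; rc=0
    while read -r dev mnt fstype opts dump pass; do
        [ -z "$dev" ] && continue
        case "$dev" in '#'*) continue ;; esac
        rel=${mnt#"$jailroot"}          # path relative to the jail root
        allowed=0
        for d in $WRITABLE_DIRS; do
            [ "$rel" = "$d" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            case ",$opts," in
                *,ro,*) ;;
                *) echo "writable mount outside exception list: $mnt ($opts)" >&2
                   rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Demo run for the apache jail from the thread (paths assumed).
gen_jail_fstab /usr/jails/apache-src /usr/jails/apache
if gen_jail_fstab /usr/jails/apache-src /usr/jails/apache \
        | audit_fstab /usr/jails/apache; then
    echo "fstab audit: ok"
fi
```

The audit is the useful half for a playbook: run it against the generated fstab of every jail so that an application-specific exception added later cannot silently turn the root or /usr into a writable mount.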


