Date:      Sat, 15 Nov 2014 12:35:51 +0100
From:      Nicolas Geniteau <nicolas@geniteau.com>
To:        Robert Sevat <robert@indylix.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: How much of freebsd can be made read-only in a jail
Message-ID:  <CADw3u-dwqZD3bsQrDyxpwkPNdTOhuBwOymzcLC71vMVvLNte=A@mail.gmail.com>
In-Reply-To: <5466E135.80304@indylix.nl>
References:  <5466E135.80304@indylix.nl>

Hi Robert,

First, I don't have any FreeBSD accessible now, so my answer will be
quite imprecise.

2014-11-15 6:14 GMT+01:00 Robert Sevat <robert@indylix.nl>:
> I've started using Ansible to make my life easier while managing a lot
> of jails.

Great, Ansible is a very useful tool! I never tried it on FreeBSD, is
it well supported?

> So my question is, how much can be made read-only?

I have already done this kind of thing in the past. If my memory is good,
I set all of /tmp and /var RW and it works well with almost all services. You
can probably be more restrictive, but is it really useful?

If I had to do this kind of thing now, I would try to do the same as a
diskless boot.
https://www.freebsd.org/doc/handbook/network-diskless.html
man diskless

The /etc/rc.initdiskless script (or something like this), after mounting
/ RO by NFS, creates a memory filesystem populated from a template
for, generally, /var and /etc (I can't explain why the diskless
documentation says to do /etc too).

Using this principle, no change on disk is possible, only in RAM.

It seems to me that the script is well documented; you can probably
adapt it to fit your needs.


Regards,

-- 
Nicolas
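Applied to a jail rather than a diskless host, the idea in the message above (root read-only, only /tmp and /var writable, and those in RAM) comes down to a few mount lines. The jail.conf(5) fragment below is an added example, not something from the original mail or from FreeBSD's own rc.initdiskless: it nullfs-mounts a shared base read-only onto the jail root and puts tmpfs on /tmp and /var. The jail name, directory layout, address and sizes are all constructed for illustration.

```conf
# Added example, not from the mail: one jail with a read-only root and
# RAM-backed /tmp and /var. Paths, name, address and sizes are constructed.
www {
    path = "/usr/jails/www";
    host.hostname = "www.example.org";
    ip4.addr = "192.0.2.10";

    # The base system lives once in /usr/jails/base and is mounted
    # read-only over the jail root, so nothing under / can be modified.
    mount += "/usr/jails/base $path nullfs ro 0 0";

    # Writable directories are memory filesystems layered on top of the
    # read-only root. Their content disappears when the jail stops,
    # which is the "only in RAM" property from the diskless approach.
    mount += "tmpfs $path/tmp tmpfs rw,mode=1777,size=64m 0 0";
    mount += "tmpfs $path/var tmpfs rw,mode=755,size=128m 0 0";
    mount.devfs;
    devfs_ruleset = 4;

    # Assumption: at start, /etc/rc.d/var repopulates the empty tmpfs /var
    # (db, log, run, ...) from /etc/mtree/BSD.var.dist, so services find
    # the directories they expect. Verify this on your release.
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

After `service jail start www`, `jexec www mount` should list the nullfs root as `read-only` and the two tmpfs mounts, and `jexec www touch /usr/bin/x` should fail with "Read-only file system" while `jexec www touch /var/tmp/x` succeeds. One consequence to plan for: /var/log is in RAM too, so anything you want to keep for later investigation has to leave the jail (syslogd forwarding to the host, for instance) before the jail restarts.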


