Date:      Sat, 15 Nov 2014 19:09:56 +0100
From:      Robert Sevat <>
To:        Nicolas Geniteau <>
Subject:   Re: How much of freebsd can be made read-only in a jail
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

On 11/15/2014 12:35 PM, Nicolas Geniteau wrote:
> Hi Robert,
> First, I don't have any FreeBSD accessible now, so my answer will be
> quite imprecise.
> 2014-11-15 6:14 GMT+01:00 Robert Sevat <>:
>> I've started using Ansible to make my life easier while managing a lot
>> of jails.
> Great, Ansible is a very useful tool! I never tried it on FreeBSD, is
> it well supported?
>> So my question is, how much can be made read-only?
> I have already done this kind of thing in the past. If my memory is good,
> I set /tmp and /var RW and it works well with almost all services. You
> can probably be more restrictive, but is it really useful?
> If I had to do this kind of thing now, I would try to do same as a
> diskless boot.
> man diskless
> The /etc/rc.initdiskless script (or something like this), after mounting
> / RO over NFS, creates a memory filesystem populated from a template
> for, generally, /var and /etc (I can't explain why the diskless
> documentation says to do /etc too).
> Using this principle, no change on disk is possible, only in RAM.
> It seems to me that the script is well documented; you can probably
> adapt it to fit your needs.
> Regards,

Ansible appears to be quite well supported, there are modules for pkg /
jails and I've read that quite a few people have been using it.

While a diskless boot is similar, it doesn't have the same security
advantages because you introduce new attack vectors. You need an NFS
server that can be attacked; I think nullfs mounts have less attack
surface. It does have the advantage of making persistence harder, since
every restart leaves the jail 'wiped clean'.

I agree with you that only having /tmp and /var writable will probably
suffice. I'll give that a go. Thanks for your insight.

Kind Regards,
Robert Sevat
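
A host-side check for the layout Robert settles on (read-only base, only /tmp and /var writable), written here as an added example and not code from the thread: it parses mount(8)-style lines for one jail root and reports every writable mount outside the allowed paths. The jail root /jails/web, the nullfs source directories and the sample mount lines are all constructed.

```shell
#!/bin/sh
# Audit mount(8)-style lines for a jail and flag writable mounts that are not
# under an allowed path. Input format: "<source> on <mountpoint> (<opts>)".

# Constructed sample, mimicking `mount` on a host for a jail rooted at /jails/web.
SAMPLE_MOUNTS='/jails/base on /jails/web (nullfs, local, read-only)
/jails/base/usr on /jails/web/usr (nullfs, local, read-only)
/jails/rw/web/var on /jails/web/var (nullfs, local)
tmpfs on /jails/web/tmp (tmpfs, local)
/jails/rw/web/usr/local on /jails/web/usr/local (nullfs, local)'

# audit_mounts <jail root> "<allowed writable paths, space separated>"
# Reads mount lines on stdin, prints each offending mount point, and returns
# 0 when only allowed paths are writable, 1 otherwise.
audit_mounts() {
    root=$1
    allowed=$2
    bad=0
    while IFS= read -r line; do
        # Mount point is the word after " on "; options sit inside the parens.
        mp=${line#* on }
        mp=${mp%% (*}
        opts=${line##*(}
        opts=${opts%)}
        # Only consider mounts at or below the jail root.
        case "$mp" in
            "$root"|"$root"/*) ;;
            *) continue ;;
        esac
        # Read-only mounts are fine wherever they sit.
        case "$opts" in
            *read-only*) continue ;;
        esac
        # Path relative to the jail root; "/" for the root mount itself.
        rel=${mp#"$root"}
        [ -n "$rel" ] || rel=/
        ok=0
        for a in $allowed; do
            case "$rel" in
                "$a"|"$a"/*) ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$mp"
            bad=1
        fi
    done
    return "$bad"
}

# On a real host: mount | audit_mounts /jails/web "/tmp /var"
if printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /jails/web "/tmp /var"; then
    echo "only allowed paths are writable"
else
    echo "unexpected writable mounts listed above"
fi
```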
