From: Robert Sevat
Date: Sat, 15 Nov 2014 19:09:56 +0100
To: Nicolas Geniteau
Cc: freebsd-questions@freebsd.org
Subject: Re: How much of freebsd can be made read-only in a jail
Message-ID: <546796F4.6020901@indylix.nl>
References: <5466E135.80304@indylix.nl>

On 11/15/2014 12:35 PM, Nicolas Geniteau wrote:
> Hi Robert,
>
> First, I don't have any FreeBSD accessible now, so my answer will be
> quite imprecise.
>
> 2014-11-15 6:14 GMT+01:00 Robert Sevat:
>> I've started using Ansible to make my life easier while managing a lot
>> of jails.
> Great, Ansible is a very useful tool! I never tried on FreeBSD, is
> it well supported?
>
>> So my question is, how much can be made read-only?
> I have already done this kind of thing in the past. If my memory is good,
> I set all /tmp and /var RW and it works well with almost all services. You
> can probably be more restrictive, but is it really useful?
>
> If I had to do this kind of thing now, I would try to do the same as a
> diskless boot.
> https://www.freebsd.org/doc/handbook/network-diskless.html
> man diskless
>
> The /etc/rc.initdiskless script (or something like this), after mounting
> / RO by NFS, creates a memory filesystem populated by a template
> for, generally, /var and /etc (I can't explain why the diskless
> documentation says to do /etc too).
>
> Using this principle, no change on disk is possible, only in RAM.
>
> It seems to me that the script is well documented, you probably can
> adapt it to fill your needs.
>
>
> Regards,
>

Ansible appears to be quite well supported, there are modules for pkg /
jails and I've read that quite a few people have been using it.

While a diskless boot is similar, it doesn't have the same security
advantages because you introduce new attack vectors. You need an NFS
server that can be attacked, I think nullfs mounts have less attack
surface. It does have the advantage of making persistence harder due to
the jail being 'wiped clean' on every restart.

I agree with you that only having /tmp and /var writable will probably
suffice. I'll give that a go.

Thanks for your insight.

Kind Regards,

Robert Sevat
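
Added example, not part of the original e-mail or of anyone's setup in the thread: a shell check for the layout the thread settles on (a read-only nullfs base with only /tmp and /var writable). The jail path /jails/www, the source directories and the fstab contents are constructed for illustration.

```sh
#!/bin/sh
# Audit a jail fstab: report every mount that is writable but is not
# /tmp or /var (or a subdirectory of them) under the jail root.

JAIL_ROOT="/jails/www"   # hypothetical jail path, not from the thread

# Constructed sample fstab. The /etc line is a deliberate mistake for the
# audit to catch.
sample_fstab() {
    cat <<'EOF'
# device             mountpoint       fstype  options  dump pass
/jails/base          /jails/www       nullfs  ro       0 0
/jails/rw/www/var    /jails/www/var   nullfs  rw       0 0
/jails/rw/www/tmp    /jails/www/tmp   nullfs  rw       0 0
/jails/rw/www/etc    /jails/www/etc   nullfs  rw       0 0
EOF
}

# Reads fstab lines on stdin, prints offending mount points, one per line.
# A mount is treated as read-only only when "ro" is one of its options.
audit_fstab() {
    awk -v root="$1" '
        BEGIN { tmpdir = root "/tmp"; vardir = root "/var" }
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        {
            ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (ro) next
            # allowed writable trees: exactly /tmp or /var, or below them
            if ($2 == tmpdir || $2 == vardir) next
            if (index($2, tmpdir "/") == 1 || index($2, vardir "/") == 1) next
            print $2
        }'
}

# Example run over the constructed fstab: prints /jails/www/etc
sample_fstab | audit_fstab "$JAIL_ROOT"
```

Run against each jail's real fstab from the host (for instance as a check after an Ansible run); empty output means nothing outside /tmp and /var is mounted writable.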