Best practices about Jails

Roland Smith rsmith at xs4all.nl
Wed Apr 4 21:42:44 UTC 2012


On Wed, Apr 04, 2012 at 10:16:37AM +0200, Andrea Venturoli wrote:
> Hello.
> 
> Please forgive the long post and the amount of questions, but I'm new to 
> jails and I'd like to be sure of what I'm doing before deploying more 
> than a test one.
> Right now I need to run a commercial Java app, which, ideally, I would 
> forbid to access files outside its directory.
> This might be done by simply chrooting it, but I read a jail is a better 
> solution, so I started with ezjails.
 
> First of all, I'm wondering whether it would be possible/useful to use 
> chroot even inside that jail. Any opinions?

Not very useful. If one chroot is safe, a double is overkill. If chroot can
be broken out of, an extra chroot is at most an inconvenience.
 
> Second question: from inside the jail I can access all services on 
> localhost (eg. telnet localhost pop3, where a pop3 server is running on 
> the host). Can this be avoided, e.g. with ipfw?

The pf firewall allows you to explicitly exclude aliases from interface
names. I'm assuming ipfw has similar capabilities. If you make a _pass_ rule
for just the real interface without the aliases, you should be able to block
stuff.

Maybe you can create a loopback device, and associate the jail with that. Then
you can filter the traffic to/from that to your heart's content.

> Ideally, since this jail will run only one daemon and it will be 
> accessed through Apache mod_proxy from the host, I'll just need inbound 
> access to its port and outbound access to smtp and web proxy on the host 
> system. No direct access from/to other hosts.
> Is this possible?

I think so; if you alias the jail to a new loopback interface, you can
filter on that.
 
> Next... ezjail's author suggests I have a copy of the port tree just for 
> the jails and, furthermore, a repository for distfiles for every jail.
> Since this would waste a lot of space, I already used a single distfile 
> repository, but I'm also wondering whether it would be a bad idea to use 
> the host's port tree. I know lot of people do this and, keeping it tidy 
> with portsclean -CD, I wonder if it really would be a security risk in 
> my case.

Does your daemon even use ports? If not, there is no use for the ports tree.

But if you want it, you can use a combination of nullfs and unionfs to get a
read-only "view" of the host's ports tree in the jail, while the "writes" are
done in the unionfs. This means that you only have to update the host's ports
tree, and the jail will automagically see it. Suppose the root of your jail is
in /var/jails/192.168.0.100/. You do the following (in the host) to set it up:

    # cd /var/jails/192.168.0.100/usr
    # mkdir tmp/foo
    # mount_nullfs /usr/ports/ ports/
    # mount_unionfs -o noatime tmp/foo ports/

To tear this down when you don't need it anymore, do this:

    # umount /var/jails/192.168.0.100/usr/ports
    # umount /var/jails/192.168.0.100/usr/ports
    # cd /var/jails/192.168.0.100/usr
    # rm -rf tmp/foo/*

And yes, the umount command _does_ need to be run twice: once for the unionfs,
and once for the nullfs! The contents of
`/var/jails/192.168.0.100/usr/tmp/foo/*` are deleted to save space.

> What about jails? Should I install portaudit there too and let them flood me
> with reports? Is there a way to let the host's portaudit check jails too?

With the nullfs/unionfs combo, you only need to update the ports tree
once. You do need to update the ports in your jail with e.g. portmaster.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
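The nullfs/unionfs setup and teardown from the reply above, wrapped in checked shell functions. This is an added example, not part of Roland's post or of ezjail; it assumes FreeBSD's mount_nullfs(8), mount_unionfs(8), umount(8) and the "source on mountpoint (type)" output format of mount(8), takes the jail root as an argument, and adds `-o ro` on the nullfs layer (an addition to the original commands) so the jail cannot write to the host's ports tree even when the unionfs layer is absent.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the nullfs/unionfs
# ports-tree trick in checked functions. Assumes FreeBSD's mount_nullfs(8),
# mount_unionfs(8), umount(8), and the "src on mountpoint (type)" output
# format of mount(8). The jail root is passed as the first argument.
set -eu

# Number of filesystems currently mounted on mount point $1.
mount_count() {
    mount | awk -v mp="$1" '$3 == mp { n++ } END { print n + 0 }'
}

# Give the jail rooted at $1 a view of the host's /usr/ports.
# Refuses to stack a second pair of layers on an existing mount.
jail_ports_up() {
    ports="$1/usr/ports"
    upper="$1/usr/tmp/foo"
    if [ "$(mount_count "$ports")" -ne 0 ]; then
        echo "refusing: something is already mounted on $ports" >&2
        return 1
    fi
    mkdir -p "$ports" "$upper"
    # Hardening added here: the nullfs layer is mounted read-only, so the
    # jail cannot touch the host's ports tree even if unionfs is ever absent.
    mount_nullfs -o ro /usr/ports "$ports"
    # All writes (WRKDIR, generated files) land in the upper layer.
    mount_unionfs -o noatime "$upper" "$ports"
}

# Undo jail_ports_up: one umount per layer (unionfs, then nullfs), and only
# then reclaim the space used by the upper layer.
jail_ports_down() {
    ports="$1/usr/ports"
    upper="$1/usr/tmp/foo"
    n=$(mount_count "$ports")
    while [ "$n" -gt 0 ]; do
        umount "$ports"
        n=$((n - 1))
    done
    # Refuse to delete anything while a layer is still mounted.
    [ "$(mount_count "$ports")" -eq 0 ] || return 1
    rm -rf "$upper"/*
}
```

Run as root on the host, e.g. `jail_ports_up /var/jails/192.168.0.100` before building in the jail and `jail_ports_down /var/jails/192.168.0.100` afterwards.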