freebsd jail: web and database server config questions

Jasvinder S. Bahra bbdl21548 at blueyonder.co.uk
Tue Oct 13 18:28:58 UTC 2009


I'm no expert but I'll give this a go.

> Is it advisable/wise/okay/clever to run a webserver on my host 
> system and a database server on my jailed system? The webserver 
> will need to connect to the database system on startup and 
> update the database based on client access.

A key concept in securing a system is defence in depth.

Personally, I would set up two jails on the system and run the 
database in one jail and the webserver in the other.  That way, 
if one of the two became compromised, the intruder would still 
have to do some work to get system root access.

> However, if a machine gets compromised, it would rather be the 
> webserver, therefore running the webserver in the jailed 
> environment seems better to me. But how could that be done, if 
> the webserver requires to connect through tcp/ip to the 
> database server running on the host system? I thought that a 
> key-feature of a jailed system is that it can't access 
> resources outside the jail. 

You're correct that a jail is almost entirely self-contained, but 
no more so than a standalone system - and a standalone system can 
still communicate with other systems using network communications.

In (exactly) the same way, a process in one jail can still 
communicate with a process in another jail.  

For example, say you were using MySQL and Apache Webserver.  If 
the two processes were running on two different systems, they can 
communicate with each other via a network connection on port 3306.

As a jailed system is a virtual-standalone system, each of them 
would have a virtual-network card, and so two separate IP addresses.  
Thus, the two processes could communicate with each other in 
exactly the same way as the two actually-standalone systems.

> And how do I go around when I need to update my host system due 
> to a security advisory. I heard the jailed environment will not 
> be affected? So basically that means I would need to create a 
> new jail every time I recompile (as that's the way I'm using to 
> stay current)

You're correct, recompiling the host system does not affect the 
jailed systems.  However there are ways around that.  I use a 
tool called ezjail.  It allows you to update a jail with a single 
command.

See http://erdgeist.org/arts/software/ezjail/ and the handbook 
for more details.

Jazz
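
The two-jail layout described in the message above, as an added example that is not part of the original post. It uses the jail.conf(5) format of later FreeBSD releases rather than ezjail's own files; the jail names, paths, interface names and addresses are all assumptions.

```conf
# /etc/jail.conf on the host: constructed example.
# Jail names, paths, interfaces and addresses are assumptions.
# Assumes /etc/rc.conf contains cloned_interfaces="lo1" and jail_enable="YES".

# Defaults shared by both jails
exec.start    = "/bin/sh /etc/rc";
exec.stop     = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path          = "/usr/jails/$name";
host.hostname = "$name.example.org";

# Database jail: its only address is on the internal lo1 interface,
# so MySQL (port 3306) is reachable from the host and the other jail
# but has no address on the external network.
db {
    ip4.addr = "lo1|10.0.0.2/32";
}

# Web server jail: one external address for clients (em0 is an assumed
# NIC name, 192.0.2.10 a documentation address) and one internal
# address from which Apache connects to 10.0.0.2:3306.
www {
    ip4.addr  = "em0|192.0.2.10/32";
    ip4.addr += "lo1|10.0.0.1/32";
}
```

With this layout the web application's database host setting is 10.0.0.2, exactly as it would be for a database on a separate machine.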





More information about the freebsd-questions mailing list