How much of freebsd can be made read-only in a jail

[Luzar]

Robert Sevat wrote:
> Hey all,
> 
> I've started using Ansible to make my life easier while managing a lot
> of jails. I've used ezjail up until now, but if I am using automation to
> manage them anyway, I might as well let Ansible setup the jails in an
> even more restrictive way. I am aware of the existence of bsdploy, but
> that uses ezjail and I'm aiming for an even more locked down system.
> 
> goal:
> -make it impossible to install programs from inside the jail, only
> install them from outside the jail with pkg -j
> -make it impossible to edit any configuration files from inside the jail
> since that can be done from the host.
> 
> So my question is, how much can be made read-only?
> 
> And what needs to be kept writable at a minimum for this to work?
> /tmp
> /var/log (configure syslog server so logs don't need to be stored locally?)
> /var/tmp?
> /var/db?
> 
> Anything I'm missing or other directories that should be writable? It
> will of course depend per application, but I only run one service per
> jail. So application specific exceptions will be made while configuring
> the jail in the ansible playbook.
> 
> Maybe I'm overlooking something and this is a bad idea because $reason?
> Any other advice / tips?
> 
> Thank you for your time!
> 
> Kind Regards,
> Robert Sevat
> 

If your jail config files and running directories [system & user] are
read-only you can not install packages from the host. Your whole concept
is flawed from the getgo.

[ansible] is a software product you have to purchase. If your supporting
a large enterprise then maybe the $1000.00 per year cost can be
justified. The Freebsd port is just the 30 day free trial version.

I suggest you checkout the qjail utility.