How much of freebsd can be made read-only in a jail

Robert Sevat robert at indylix.nl
Sat Nov 15 18:09:57 UTC 2014


On 11/15/2014 12:35 PM, Nicolas Geniteau wrote:
> Hi Robert,
>
> First, I don't have any FreeBSD accessible now, so my answer will be
> quite imprecise.
>
> 2014-11-15 6:14 GMT+01:00 Robert Sevat <robert at indylix.nl>:
>> I've started using Ansible to make my life easier while managing a lot
>> of jails.
> Great, Ansible is a very useful tool! I never tried it on FreeBSD; is
> it well supported?
>
>> So my question is, how much can be made read-only?
> I have already done this kind of thing in the past. If my memory is good,
> I set all of /tmp and /var RW and it works well with almost all services. You
> can probably be more restrictive, but is it really useful?
>
> If I had to do this kind of thing now, I would try to do the same as a
> diskless boot.
> https://www.freebsd.org/doc/handbook/network-diskless.html
> man diskless
>
> The /etc/rc.initdiskless script (or something like this), after mounting
> / RO by NFS, creates a memory filesystem populated from a template
> for, generally, /var and /etc (I can't explain why the diskless
> documentation says to do /etc too).
>
> Using this principle, no change on disk is possible, only in RAM.
>
> It seems to me that the script is well documented; you can probably
> adapt it to fill your needs.
>
>
> Regards,
>

Ansible appears to be quite well supported; there are modules for pkg and
jails, and I've read that quite a few people have been using it.

While a diskless boot is similar, it doesn't have the same security
advantages because you introduce new attack vectors. You need an NFS
server that can be attacked; I think nullfs mounts have less attack
surface. It does have the advantage of making persistence harder, since
on every restart the jail is 'wiped clean'.

I agree with you that only having /tmp and /var writable will probably
suffice. I'll give that a go. Thanks for your insight.

Kind Regards,
Robert Sevat
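As an added illustration of the split the thread settles on (read-only base via nullfs, only /tmp and /var writable), here is a jail fstab fragment plus a small audit function; this is example code written for this page, not anything posted by Robert or Nicolas. The jail name, the /jails/base and /jails/web1 paths, and the per-jail /jails/web1.var directory are assumptions. The audit function reads fstab-format lines such as those printed by `mount -p` on FreeBSD and reports every mountpoint under the jail root that is not mounted `ro`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Paths and the jail name below are hypothetical.

JAIL_ROOT=/jails/web1          # hypothetical jail root
BASE=/jails/base               # hypothetical shared read-only base install

# fstab to hand to jail(8) via mount.fstab in jail.conf:
# the base tree is nullfs-mounted read-only, /tmp is a tmpfs (nosuid,noexec),
# and /var is the only persistent writable tree, backed by a per-jail directory.
jail_fstab() {
  cat <<EOF
$BASE/bin       $JAIL_ROOT/bin      nullfs  ro  0 0
$BASE/sbin      $JAIL_ROOT/sbin     nullfs  ro  0 0
$BASE/lib       $JAIL_ROOT/lib      nullfs  ro  0 0
$BASE/libexec   $JAIL_ROOT/libexec  nullfs  ro  0 0
$BASE/usr       $JAIL_ROOT/usr      nullfs  ro  0 0
tmpfs           $JAIL_ROOT/tmp      tmpfs   rw,nosuid,noexec,mode=1777  0 0
/jails/web1.var $JAIL_ROOT/var      nullfs  rw  0 0
EOF
}

# writable_mounts ROOT: read fstab-format lines (device mountpoint fstype
# options dump pass, the format `mount -p` prints) on stdin and print each
# mountpoint at or below ROOT whose option list does not contain "ro" as a
# whole token. Anything printed is writable from inside the jail.
writable_mounts() {
  root=$1
  while read -r dev mnt fstype opts rest; do
    # Skip mounts that are not under the jail root.
    case "$mnt" in
      "$root"|"$root"/*) ;;
      *) continue ;;
    esac
    # Match "ro" only as a complete comma-separated option.
    case ",$opts," in
      *,ro,*) ;;
      *) printf '%s\n' "$mnt" ;;
    esac
  done
}

# Offline check against the fstab above: only /tmp and /var should be listed.
jail_fstab | writable_mounts "$JAIL_ROOT"
```

On the host, `mount -p | writable_mounts /jails/web1` after the jail starts confirms that nothing beyond /tmp and /var came up writable. Note that a nullfs `ro` mount is read-only only from the jail's side; the underlying /jails/base tree is still writable on the host, which is where updates to the base are applied.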
