Re: Noob Jail question.
Hi.. I've actually got a messing-about PC with 8.1 on, that I often play with during lunch times at work. Trouble is, I've been working through lunchtimes for the last week or three.

Self teaching is good, you certainly learn things, but though I'm not in need of instant self gratification, it's a bit frustrating the time it takes to learn, and then get it sorted, when I ideally want it to just work.

Still, for the price (free of course) I can't complain, and it's not as if I'm doing it for a job, or charging anyone for it. If I was, I'd take paid-for advice, and pass the cost on!

Thanks for the encouragement..

Dave B.

On 17 Dec 2010 at 12:14, Indexer wrote:

> > Indexer and Da Rock, many thanks, more reading, and some fiddling needed I think.
>
> It is the best way to learn. Set up a VM of fbsd 8.1 on your computer, and just play with it on that with jails, and learn what you can and can't do. Remember that if you ever need help of course, these email lists are great. Also, read the FBSD handbook, it has some great instructions. Isn't self directed learning great ;)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Noob Jail question.
On 12/18/10 02:58, Dave wrote:
> Hi.. I've actually got a messing-about PC with 8.1 on, that I often play with during lunch times at work. Trouble is, I've been working through lunchtimes for the last week or three.
>
> Self teaching is good, you certainly learn things, but though I'm not in need of instant self gratification, it's a bit frustrating the time it takes to learn, and then get it sorted, when I ideally want it to just work.

If you take the time now, it'll get quicker in the future. Happens to me all the time, so I understand the frustration, but hang in there and eventually you'll be flipping them out wherever you like. Being able to ask sometimes stupid questions here to get things clear is always handy too; sometimes something that should be obvious evades our comprehension :)

> Still, for the price (free of course) I can't complain, and it's not as if I'm doing it for a job, or charging anyone for it. If I was, I'd take paid-for advice, and pass the cost on!

It'll pay off in the end. IF you were getting paid for it, you'd have the knowledge for future clients, so I'm not sure how that fits in the economics ;) That said, I've found that paid advice is not always as helpful or knowledgeable as free... That may not be the case where you are, though. Here things are ruled by how much can be gained now and in the near future, such as off the shelf.

> Thanks for the encouragement..
>
> Dave B.
>
> On 17 Dec 2010 at 12:14, Indexer wrote:
>
> > > Indexer and Da Rock, many thanks, more reading, and some fiddling needed I think.
> >
> > It is the best way to learn. Set up a VM of fbsd 8.1 on your computer, and just play with it on that with jails, and learn what you can and can't do. Remember that if you ever need help of course, these email lists are great. Also, read the FBSD handbook, it has some great instructions. Isn't self directed learning great ;)
Re: Noob Jail question.
Dave d...@g8kbv.demon.co.uk writes:
> I've been reading the FreeBSD Manual (a dangerous thing to do during lunchtimes!) relating to Jails. Other than making my head spin, I'm finding it a tad difficult finding out just what you can/can't do with a Jail. Mainly, because I'm not familiar with a lot of the terms used, and though the man pages are no doubt correct as a reference, they don't explain it well, in as much as how to use it, well in my addled mind at the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to do with something that will be exposed to the www. (Comments/advice?)
>
> But, how do I arrange it to safely get (read only) access to the website data, without preventing the FTPD service from having access to update that data. FTPD will only be reachable from the LAN side of the main gateway router; Hiawatha will have an outside world port forwarded to it by the router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in read only mode? (I suspect, maybe?) Or can an app outside the jail drop stuff off inside the jail? (For whatever reason, I suspect not?)
>
> If anyone understands what the heck I'm blathering on about, please explain it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?

You may try to use sysutils/ezjail to install/manage/etc jails. Using ezjail-admin is quite easy. Ezjails are really light (they use a read-only mount_nullfs to a basejail rather than real filesystems).

Then you may consider using one jail for FTPD with write access and another jail for the HTTPD server with read-only access (say, a read-only mount_nullfs) to those files/filesystems written by FTPD.

--
WBR, bsam
Re: Noob Jail question.
On 16 Dec 2010 at 14:50, Da Rock wrote:
> On 12/16/10 09:32, Dave wrote:
> > Hi. As some of you may remember, I've managed to build a F'BSD V8.0 based system that provides me with:-
> > . . . .

Hi..

Indexer and Da Rock, many thanks, more reading, and some fiddling needed I think.

Cheers.

Dave B.
Re: Noob Jail question.
> Indexer and Da Rock, many thanks, more reading, and some fiddling needed I think.

It is the best way to learn. Set up a VM of fbsd 8.1 on your computer, and just play with it on that with jails, and learn what you can and can't do. Remember that if you ever need help of course, these email lists are great. Also, read the FBSD handbook, it has some great instructions. Isn't self directed learning great ;)

> Cheers.
>
> Dave B.

William Brown
pgp.mit.edu
Noob Jail question.
Hi.

As some of you may remember, I've managed to build a F'BSD V8.0 based system that provides me with:-

Local GPS disciplined NTP server (working very well), the reason I built the thing in the first place, but it seems FreeBSD can do so much more, so I also have:

Hiawatha webserver (also working well)

FTPD for updating the web pages Hiawatha serves up (working well). Other systems here generate data, that is FTP'd over the LAN to the web page folders.

SSH remote login for admin needs (but not for root login). Also working well.

All this will start happily, boot and sort itself out as a headless machine, and if needed collapse gracefully and shutdown cleanly, with one press of the power button. I am impressed!

I've been reading the FreeBSD Manual (a dangerous thing to do during lunchtimes!) relating to Jails. Other than making my head spin, I'm finding it a tad difficult finding out just what you can/can't do with a Jail. Mainly, because I'm not familiar with a lot of the terms used, and though the man pages are no doubt correct as a reference, they don't explain it well, in as much as how to use it, well in my addled mind at the moment.

I think I'd like to run Hiawatha in a Jail, as it seems the right thing to do with something that will be exposed to the www. (Comments/advice?)

But, how do I arrange it to safely get (read only) access to the website data, without preventing the FTPD service from having access to update that data. FTPD will only be reachable from the LAN side of the main gateway router; Hiawatha will have an outside world port forwarded to it by the router.

What I'm asking I guess, is.. Can a jail'd app reach outside the jail in read only mode? (I suspect, maybe?) Or can an app outside the jail drop stuff off inside the jail? (For whatever reason, I suspect not?)

If anyone understands what the heck I'm blathering on about, please explain it to me, as I think I've lost the plot.

Comments, advice, brickbats etc?

Best Regards.

Dave B.
Re: Noob Jail question.
> SSH remote login for admin needs (but not for root login). Also working well.

Good!

> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to do with something that will be exposed to the www. (Comments/advice?)

From a security standpoint it makes sense, as it confines a malicious user *if* they get in.

> But, how do I arrange it to safely get (read only) access to the website data, without preventing the FTPD service from having access to update that data. FTPD will only be reachable from the LAN side of the main gateway router; Hiawatha will have an outside world port forwarded to it by the router.

You notice the way jails work? They are essentially a fenced off part of your filesystem. So your jail may live in /usr/jails on the host system. You can access all the contents of the jail from the host of course.

An easy answer to this would be something like: have a directory called /var/www and have the FTPD write to that. Then mount /var/www as a nullfs in read only mode to /usr/jails/var/www, and point your webserver (which inside the jail is unaware of some of this) to /var/www (or, on the host, /usr/jails/var/www).

> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in read only mode? (I suspect, maybe?) Or can an app outside the jail drop stuff off inside the jail? (For whatever reason, I suspect not?)

A jailed app cannot reach outside; this defeats the purpose. On the other hand, the host can reach in.

The best way to learn is to try, so setting it up on a dev machine is probably the best way to go. Again, if you need more help, email this list.

Sincerely
William Brown
pgp.mit.edu
Re: Noob Jail question.
On 12/16/10 09:32, Dave wrote:
> Hi.
>
> As some of you may remember, I've managed to build a F'BSD V8.0 based system that provides me with:-
>
> Local GPS disciplined NTP server (working very well), the reason I built the thing in the first place, but it seems FreeBSD can do so much more, so I also have:
>
> Hiawatha webserver (also working well)
>
> FTPD for updating the web pages Hiawatha serves up (working well). Other systems here generate data, that is FTP'd over the LAN to the web page folders.
>
> SSH remote login for admin needs (but not for root login). Also working well.
>
> All this will start happily, boot and sort itself out as a headless machine, and if needed collapse gracefully and shutdown cleanly, with one press of the power button. I am impressed!
>
> I've been reading the FreeBSD Manual (a dangerous thing to do during lunchtimes!) relating to Jails. Other than making my head spin, I'm finding it a tad difficult finding out just what you can/can't do with a Jail. Mainly, because I'm not familiar with a lot of the terms used, and though the man pages are no doubt correct as a reference, they don't explain it well, in as much as how to use it, well in my addled mind at the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to do with something that will be exposed to the www. (Comments/advice?)
>
> But, how do I arrange it to safely get (read only) access to the website data, without preventing the FTPD service from having access to update that data. FTPD will only be reachable from the LAN side of the main gateway router; Hiawatha will have an outside world port forwarded to it by the router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in read only mode? (I suspect, maybe?) Or can an app outside the jail drop stuff off inside the jail? (For whatever reason, I suspect not?)
>
> If anyone understands what the heck I'm blathering on about, please explain it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?
>
> Best Regards.
>
> Dave B.

Sounds good. A jail is essentially paravirtualisation; in other words, it partitions your OS into distinct segments. Linux has just started making inroads on this with vserver and such. The kernel stays the same, but you actually have separately distinct kernel code, security, etc. for each jail. So it makes sense then to run just one service within it, but it's possible to run an entire system, with multiple systems on one host. This method is extremely fast, barely any trade-off compared to running say VirtualBox, VMWare, or Qemu.

As you read, you hand off a branch in your file system to hold the data for the jail (kernel, world, and apps and associated data etc), and the jail system inside the jail can only see that branch. That's its equivalent of / on the host. It can't see outside of that unless you place something inside that branch from the host. You even have to actually mount a separate devfs inside the jail if required.

So you want FTPD to drop files into the webserver, and the webserver is in a jail; then (consider the security of what you're attempting) either FTPD has to access the branch containing the jail and webroot, or mount using nullfs the branch containing the FTPD directory inside the jail.

HTH and good luck. For bonus points you can even try a service only jail, where you don't need the whole system in the jail, just the libraries needed by the service app :)
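The layout William Brown sketches above (FTPD writes to /var/www on the host, the jail gets a read-only nullfs view of it) and Da Rock's point about nullfs-mounting the FTPD branch into the jail both come down to one fstab line plus a check that the mount really is read-only. The script below is an added example, not code from the thread or from FreeBSD; the paths /var/www and /usr/jails/www are assumptions, and the "mount -p" listing it checks is constructed inline rather than captured from a real host.

```sh
#!/bin/sh
# Added example (not from the thread): generate the read-only nullfs entry
# for the web jail and verify, from the host, that the shared tree is in
# fact mounted read-only inside the jail. Assumed layout: ftpd writes to
# /var/www on the host; the jail root is /usr/jails/www.

# Print one fstab(5)-style line that nullfs-mounts HOST_DIR read-only at
# JAIL_ROOT/INSIDE_PATH. Relative paths and ".." components are refused so
# a typo cannot end up exposing a tree outside the one intended.
nullfs_fstab_line() {
    host_dir=$1; jail_root=$2; inside_path=$3
    for p in "$host_dir" "$jail_root" "$inside_path"; do
        case "$p" in
            /*) ;;
            *) echo "path must be absolute: $p" >&2; return 1 ;;
        esac
        case "/$p/" in
            */../*) echo "path must not contain ..: $p" >&2; return 1 ;;
        esac
    done
    printf '%s %s%s nullfs ro 0 0\n' "$host_dir" "$jail_root" "$inside_path"
}

# Return 0 when MOUNT_LISTING (the output of "mount -p" on the host, one
# fstab-style line per mount) shows MOUNTPOINT as a nullfs mount whose
# option list contains "ro"; return 1 otherwise (absent or writable).
check_ro_nullfs() {
    listing=$1; mountpoint=$2
    printf '%s\n' "$listing" | awk -v mp="$mountpoint" '
        $2 == mp && $3 == "nullfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of "mount -p" output (not captured from a real system):
# the web data is read-only inside the jail, a scratch directory is not.
SAMPLE_MOUNT_LISTING='/dev/ada0p2 / ufs rw 1 1
/var/www /usr/jails/www/var/www nullfs ro 0 0
/var/tmp/scratch /usr/jails/www/tmp nullfs rw 0 0
devfs /usr/jails/www/dev devfs rw 0 0'

# Demonstration: emit the fstab line for the jail, then run the check.
nullfs_fstab_line /var/www /usr/jails/www /var/www
if check_ro_nullfs "$SAMPLE_MOUNT_LISTING" /usr/jails/www/var/www; then
    echo "ok: /var/www is read-only inside the jail"
else
    echo "WARNING: /var/www is not mounted read-only in the jail" >&2
fi
```

Redirect the generated line into a per-jail fstab on the host (for example /etc/fstab.www) after creating the mount point with mkdir -p /usr/jails/www/var/www; the manual equivalent of that line is mount -t nullfs -o ro /var/www /usr/jails/www/var/www. On 8.x the rc.d/jail script can mount that file for you when rc.conf sets jail_www_mount_enable="YES" and jail_www_fstab="/etc/fstab.www" (stated here from memory as an assumption; check rc.conf(5) on the box). Re-running check_ro_nullfs against the live mount -p output after each boot is a cheap way to notice if the ro option was ever dropped.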