Solitary Confinement

by PapaScott on 22 July 2004

The past few days I’ve been setting up some small scale FreeBSD jails. Setting up a full scale jail is well documented, just run make install into some directory, and there are some nice tools to manage jails once they are running. However, a full make install weighs in at over 100 MB. Even deleting some files leaves 80 MB. That seemed to me to be too heavy… I want each jail to run just one service: a squid, an apache, a postfix, a mysql. I couldn’t find anything on setting up a “thin” jail, other than the advice to “delete what you don’t need”.

However, I did find MiniBSD, a standalone system designed to fit on a Compact Flash card. By building it, then deleting the files not needed for a jail, I ended up with 15 MB. I needed to add some things back (pam libraries, pkg tools), but then I had a tight system with sshd and the ability to install packages. To set up a new jail, I can unjust unpack my tar, set up an alias interface, and start it up. For squid or postfix I just need two packages. Apache requires a few more.

My goal is to have all my network services running in its own jail, 3 or 4 jails per PC, each jail with a redundant setup on another machine. When a system goes down, I can use rinetd to bounce the original IPs into the backup jail… no playing with firewalls or DNS tables to get back going. The host machines have no ports other than ssh open… only the jails are visible to the outside world. You may break one of my services, even gain root with it, but you’re still behind bars.

DaveP July 23, 2004 at 15:07

Sounds like a cool idea. Please document your approach so the rest of us can learn. Me, I approach security by using OpenBSD so even if someone gets onto the machine, they can’t get root, and combining the two might be a belt-and-suspenders kind of solution that would make me Very Happy.

Comments on this entry are closed.

Previous post:

Next post: