I'm no expert but i'll give this a go.
Is it advisable/wise/okay/clever to run a webserver on my host
system and a database server on my jailed system? The webserver
will need to connect to the database system on startup and
update the database based on client access.
A key concept in securing a system is defence in depth.
Personally, I would setup two jails on the system and run the
database in one jail and the webserver in the other. That way,
if one of the two became compromised, the intruder would still
have to do some work to get system root access.
However, if a machine gets compromised, it would rather be the
webserver, therefore running the webserver in the jailed
environment seems better to me. But how could that be done, if
the webserver requires to connect through tcp/ip to the
database server running on the host system? I thought that a
key-feature of a jailed system is that it can't access
resources outside the jail.
Your correct that a jail is almost entirely self-contained, but
no more so than a standalone system - and a standalone system can
still communicate with other systems using network communications.
In (exactly) the same way, a process in one jail can still
communicate with a process in another jail.
For example, say you were using MySQL and Apache Webserver. If
the two processes were running on two different systems, they can
communicate with each other via a network connection on port 3306.
As a jailed system is a virtual-standalone system, each of them
would have a virtual-network card, and so two seperate IP addresses.
Thus, the two processes could communicate with each other in
exactly the same way as the two actually-standalone systems.
And how do I go around when I need to update my host system due
to a security advisory. I heard the jailed environment will not
be affected? So basically that means I would need to create a
new jail everytime I recompile (as that's the way I'm using to
stay current)
Your correct, recompiling the host system does not affect the
jailed systems. However there are ways around that. I use a
tool called ezjail. It allows you to update a jail with a single
command.
See http://erdgeist.org/arts/software/ezjail/ and the handbook
for more details.
Jazz
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
