how to run FreeBSD in memory only?

B

benoitc

I would like to be able to maintain different remote installation of freebsd instances that are not under my control. For that Ideallly, I would like to run FreeBSD from memory and only keep data on the disk encrypted.

Is there any good solutio to build and start a freebsd system using ipxe? maybe mfsbsd ?
What solution could exist that would allow me to manage remote instances on one place. Something similar to MAAS but that doesn't require a specific subscription?
 
benoitc said:
and only keep data on the disk encrypted.
Click to expand...
You know this needs to be decrypted when you actually read or write data to it? Disk encryption is all nice but doesn't protect anything on a running system. Disk encryption is only useful in case the disk itself gets stolen.

You could run FreeBSD from a memory backed disk, that's not the problem. But any changes you make (or data getting stored) will be lost when you restart the system..
 
well the point is to have persistent storage in the encrypted disk. The system will need to be started from a remote place in. It's a server so if you unplug it and relocate it you will have likely the possibility to restart the system and decrypt the content. That its main purpose of the design yes, prevent agains stolen disk. Other access will also be kind of difficult on the server itself without appropriate credentials.

How to build such disk though ? Is there any recipe for it?
 
benoitc said:
well the point is to have persistent storage in the encrypted disk.
Click to expand...
In order to do this the disk needs to be unencrypted. That's what geli(8) does "on-the-fly". But this also means that data is available and accessible on the running system.

benoitc said:
How to build such disk though ? Is there any recipe for it?
Click to expand...
Just do an encrypted disk install.
 
benoitc said:
I would like to be able to maintain different remote installation of freebsd instances that are not under my control. For that Ideallly, I would like to run FreeBSD from memory and only keep data on the disk encrypted.

Is there any good solutio to build and start a freebsd system using ipxe? maybe mfsbsd ?
What solution could exist that would allow me to manage remote instances on one place. Something similar to MAAS but that doesn't require a specific subscription?
Click to expand...

I use `cbsd jail2iso` script (convert jail to ISO, RAW or bhyve VM) to build custom mfsbsd/livecd images (e.g. install into jail Puppet agent + cert and after running the image, your hosts will automatically connect to the server where you can manage the host).
You can also change network settings in the image on the fly. For example take a look on https://boot.convectix.com/ - you can get `mfsbsd` image, in which you will have an already configured working network (+ SSH service).
I use images like this to boot rented dedicated servers into FreeBSD OS without installing FreeBSD on disks, to RAM (via KVM or isboot (ISCSI/HTTP boot)) then login into mfsbsd, decrypt disks and start jails and bhyve VM - decrypted disks represent the working directory of the CBSD. This way it will work until the next host reboot.
 
Ole said:
I use `cbsd jail2iso` script (convert jail to ISO, RAW or bhyve VM) to build custom mfsbsd/livecd images (e.g. install into jail Puppet agent + cert and after running the image, your hosts will automatically connect to the server where you can manage the host).
You can also change network settings in the image on the fly. For example take a look on https://boot.convectix.com/ - you can get `mfsbsd` image, in which you will have an already configured working network (+ SSH service).
I use images like this to boot rented dedicated servers into FreeBSD OS without installing FreeBSD on disks, to RAM (via KVM or isboot (ISCSI/HTTP boot)) then login into mfsbsd, decrypt disks and start jails and bhyve VM - decrypted disks represent the working directory of the CBSD. This way it will work until the next host reboot.
Click to expand...
what if i would like to keep the os in memory (the HPC way) , would it be possible to have the os filesystemi. ram loaded via ipxe?
 
What do you mean by 'keep the os in memory' ? MFSBSD allows you to load the OS into memory and detach the storage. The system will work (and you can change settings in it) until the server is rebooted. If you need persistent data you can mount via network ( iSCSI, hastd, ggate, NFS .. ) to store changes if you don't want to touch your system drives (in my case, all the configuration for remote servers is on the puppet server, so I don't worry about persistence). However, you can use 'MFSBSD' firmware only to decrypt the local disks and continue booting the system via re-root ( `reboot -r` ). In this case, you will protect your data from cases where peripheral equipment may be confiscated.
 
You must log in or register to reply here.
Back
Top