# Limits and constraints for Jailed API Server user



## shepherdAZ (Dec 17, 2015)

Background
I am currently running a web application using three jails. The host's PUBLIC_IP:80 is mapped through with pf to the first jail's PRIVATE_IP:8080, where Nginx listens, acting as front-end and TLS termination point. From Nginx, requests are upstreamed to the second jail over a UNIX domain socket, where a Python Flask application (API Server) sits and runs as a non-root user. The Flask application calls out to a third jail, again via a UNIX socket, where Redis is listening. The UNIX sockets are nullfs-mounted across jails 1 & 2 and 2 & 3 using specific user accounts and permissions. Whilst the Python application is running in jail 2, I have to permit RW access to the files, as Python needs this for generating its bytecode etc., and trying to do this elsewhere and remount is a mess. I am now taking two actions to secure this environment further:

1. rewriting the Python API Server code in Go so I can nullfs-mount the application files read-only into jail 2 to prevent any modification, and
2. locking down all the jails with appropriate resource and user limits.

Question
Since FreeBSD 10.2 includes RCTL/RACCT in the GENERIC kernel and we can turn it on in the loader now, does anyone have some basic "always do this as a minimum" guidance for configuring these RCTL policies/rules? "memoryuse" and "pcpu" look like good ones to start with, but I am hoping someone can give me some real-world examples from their own experience.

Thanks!


----------
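One way to express a minimum rule set for the three-jail layout above, as an added example that is not the poster's code or FreeBSD's own: a small POSIX sh script that builds rctl(8) rules of the form `subject:subject-id:resource:action=amount`, checks the resource and action names before anything touches the live system, and applies them with `rctl -a` where that command exists (printing a dry run elsewhere). The jail names `nginx`, `api` and `redis` and every limit value are illustrative assumptions; the rctl syntax, resource names and actions are those documented in rctl(8).

```shell
#!/bin/sh
# Added example (not the poster's code): a baseline rctl(8) rule set for the
# three jails described above. Jail names and limit values are assumptions;
# tune them after watching real usage with `rctl -hu jail:NAME`.
#
# Rule syntax: subject:subject-id:resource:action=amount
#   subject    jail (rctl resolves the jail name to its jail ID)
#   resource   memoryuse, pcpu, maxproc, openfiles, ... (see rctl(8))
#   action     deny | log | devctl | a signal name such as sigkill

# Build one rule string. Usage: rctl_rule JAIL RESOURCE ACTION AMOUNT
rctl_rule() {
    printf 'jail:%s:%s:%s=%s\n' "$1" "$2" "$3" "$4"
}

# Check a rule's resource and action against names rctl(8) accepts, so a
# typo is caught here rather than by `rctl -a` on the running system.
validate_rule() {
    _res=$(printf '%s' "$1" | cut -d: -f3)
    _act=$(printf '%s' "$1" | cut -d: -f4 | cut -d= -f1)
    case "$_res" in
        cputime|memoryuse|vmemoryuse|swapuse|maxproc|openfiles|pcpu|nthr|\
        pseudoterminals|stacksize|datasize|coredumpsize|memorylocked|wallclock) ;;
        *) return 1 ;;
    esac
    case "$_act" in
        deny|log|devctl|sig*) return 0 ;;
        *) return 1 ;;
    esac
}

# Baseline for one jail. Usage: jail_baseline JAIL MEM PCPU MAXPROC OPENFILES
# memoryuse is resident memory; `deny` refuses allocations past the cap rather
# than killing anything, so pair it with `log` to see the cap being hit.
# pcpu is a percentage of one CPU summed over the jail's processes.
jail_baseline() {
    _j=$1; _mem=$2; _cpu=$3; _nproc=$4; _nfiles=$5
    rctl_rule "$_j" memoryuse log  "$_mem"     # warn on the console first
    rctl_rule "$_j" memoryuse deny "$_mem"     # then refuse further allocation
    rctl_rule "$_j" pcpu      deny "$_cpu"
    rctl_rule "$_j" maxproc   deny "$_nproc"   # caps a runaway worker or fork bomb
    rctl_rule "$_j" openfiles deny "$_nfiles"
}

# Whole policy for the nginx -> api -> redis layout (values are assumptions).
all_rules() {
    jail_baseline nginx 256m  50 64 4096
    jail_baseline api   512m 100 64 2048
    jail_baseline redis 1g    50 16 1024
}

# Apply with `rctl -a` when rctl is present (FreeBSD booted with
# kern.racct.enable=1 in /boot/loader.conf); elsewhere print the commands.
# Returns non-zero if any generated rule fails validation.
apply_rules() {
    all_rules | while read -r _rule; do
        validate_rule "$_rule" || { echo "invalid rule: $_rule" >&2; exit 1; }
        if command -v rctl >/dev/null 2>&1; then
            rctl -a "$_rule"
        else
            echo "dry-run: rctl -a $_rule"
        fi
    done
}

# Run as `sh rctl-baseline.sh apply` to apply; with no argument only defines functions.
[ "${1:-}" = "apply" ] && apply_rules
```

Two practical caveats: RACCT is compiled into GENERIC on 10.2 but disabled until `kern.racct.enable=1` is set in /boot/loader.conf and the host rebooted, and because rctl turns the jail name into a jail ID when the rule is added, the jail has to be running at that point and the rules go away with it. Hooking the script into `exec.poststart` in jail.conf is one way to get them re-applied on every start; `/etc/rctl.conf` (loaded by the rctl rc script) is the other place rules can live.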

