Question concerning package development (OpenJDK and MongoDB)



  • Greetings,

    I am thinking about working on a package for pfSense. I have plenty of experience with unix and programming but would like some input on one aspect of this particular project. Over at the Ubiquiti forums, there has been some attempt at getting the Unifi Wireless LAN Controller software running on top of pfSense. I started by getting it running  on vanilla FreeBSD 8.3 to get an idea of how the setup/configuration flow goes. Unifi has two main dependencies: A Java Runtime (OpenJDK6/7) and MongoDB (NoSQL database). Is this project even worth my time? I would love to build a package that not only gets the runtime, database, and Unifi base installed, but also includes a pfSense graphical frontend for managing the Unifi controller service configuration (start/stop/restart, view log files, delete log files, assign ports, IP binding, install custom ssl certs, etc.) Finally, due to the software license of UniFi (I still need to thoroughly read through this), it might be imperative to require package users to upload their own copy (obtained only after agreeing to the Unifi TOS) of Unifi.

    My biggest concern at the moment though is OpenJDK and MongoDB. Both are relatively large and complex packages (especially OpenJDK)


  • Netgate Administrator



  • @stephenw10:

    I assume you've read this?
    http://forum.pfsense.org/index.php/topic,46342.0.html

    Steve

    I hadn't read that post in particular but I did read the post in the ubiquiti forums. I have gotten the latest version of the controller running on my 2.1 virtual machine. I am having an issue getting my local repository running though. I'm running WAMP and I have a feeling that the PHP version (my WAMP setup is running the latest PHP version and I know that many functions are deprecated are are throwing warnings, which is probably giving the package parser in pfsense a headache). Do you know what PHP (and Apache) version the official repository uses?

    Edit: Tried a different application stack (XAMPP) and everything is working just fine.


  • Netgate Administrator

    In the most recent 2.1 snaps, 5.3.26  :-
    https://github.com/pfsense/pfsense-tools/commit/bffdd00c578026b41a1ebe0e900c6819ccc46197

    You can run phpinfo(); in the php execute box in the webgui. The output is bit big though.  ;)

    Steve



  • A lot of people get the creeps when thinking about running a JVM on a firewall/router.

    When already running pfSense on a VM, why not run the UniFy server in a separate VM?



  • @Klaws:

    A lot of people get the creeps when thinking about running a JVM on a firewall/router.

    When already running pfSense on a VM, why not run the UniFy server in a separate VM?

    True, but if the machine has the resources then why not?

    My biggest question right now stems around PBIs (push button installers). I've actually never built a PBI so this is still new. From my understanding, it should be possible to combine the JRE, Mongodb, and the Unifi core into one *.pbi that gets installed as the pfSense package. This should mitigate most of the fear of installing a JRE on a firewall/router. But here is my concern, what if the software you are ultimately targeting doesn't exist in the freebsd ports tree? What then? OpenJDK and Mongodb both in found /usr/ports but obviously the proprietary unifi software isn't. What would be the appropriate course of action to take?



  • I think the worries are more about Java's security once it is installed and the possibility it could compromise the firewall.



  • @stan-qaz:

    I think the worries are more about Java's security once it is installed and the possibility it could compromise the firewall.

    Right. How do critical JRE fixes get to the box? Will the package perform auto-updates?

    Of course there are jails, which might reduce the effect of JRE vulnerabilities.



  • A Jail is nothing more than a virtual machine … there is no reason to believe a jail is more difficult to crack!



  • I chroot a lot of stuff as it does add some security but it isn't perfect. Interestingly chroot originated with the BSD folks.

    http://en.wikipedia.org/wiki/Chroot#Limitations

    The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD Jails - should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent the second chroot attack.



  • @Clear-Pixel:

    A Jail is nothing more than a virtual machine … there is no reason to believe a jail is more difficult to crack!

    If a bug in the jailed application allows it, for example, to access arbitrary files on the System, the jail should confine that illegit access to files inside the jail only.

    Without a jail, such a bug would allow access to the complete host, probably including user lists, passwords, certificates. That's fine if your name is Sony or Facebook, but a few People are still a tiny bit more concerned about IT security. After all, one major argunment for a pfSense deployment is that it's quite secure. Otherwise, you could use the ISA Server instead. Oh my, sorry…it's now calles "Microsoft Forefront Threat Management Gateway". ROFLMAO!



  • So I'm trying to get back into this. I have been doing quite a bit of research into jails. I think running the controller in a jail is absolutely imperative for a few reasons: 1) It keeps the system has "vanilla" as possible (easy to install/uninstall without touching the underlying system). 2) It isolates what could potentially be a security threat. So basically, can a pfSense package create a jail and install software into it without having the PfJailctl package installed?