Re: Successful jailed GNU/kFreeBSD
- To: debian-bsd@lists.debian.org
- Cc: Jett Tayer <jett@sycorax.ath.cx>
- Subject: Re: Successful jailed GNU/kFreeBSD
- From: Joshua Cummings <jrac@internode.on.net>
- Date: Sun, 15 Jul 2007 23:27:49 +1000
- Message-id: <1184506069.21181.71.camel@krumm>
- In-reply-to: <2193BA71-4414-46A6-8748-7DC45E32C564@sycorax.ath.cx>
- References: <1184152260.6811.9.camel@krumm> <2193BA71-4414-46A6-8748-7DC45E32C564@sycorax.ath.cx>
On Sun, 2007-07-15 at 19:44 +0800, Jett Tayer wrote:
> hi can send me how'd you do it?
>
Posting this response to the list seems like a good idea.
I guess, first of all, the basic steps I used are:
* Get the source code for the jail binary. In this case I used the fetch
script from freebsd-utils (since I was using that as a testing ground).
* This next step should be considered the dirty and hackish part; I
pretty much ripped out any BSD login cap related code to get a working
build. A much more skilled developer with some PAM experience could
probably whip up a replacement for the already small amount of code.
* Now equipped with a usable binary, you can go about your business as
if you were setting up a regular FreeBSD jail manually. In my case, the
base tarball from the latest GNU/kFreeBSD install disc was used to
populate the jail, instead of the traditional FreeBSD source based
method.
* One of the most obvious missing pieces is an equivalent to FreeBSD's
jail configuration via rc.conf and the necessary init scripts for
stopping/starting jails (manually or at boot). At the moment I'm using a
custom /etc/init.d/jail script that reads the basic config values (dir,
hostname, ip address) from /etc/jail.conf.
* Initial interaction with the environment inside the jail is done
through simply executing /bin/sh instead of /etc/init.d/rc.
Then apt-get install openssh-server, exit the jail shell and fire it up.
Shutting down is a manual process due to the current lack of jexec.
So, as you can see, it's fairly...unclean. At the moment.
I personally think jail support is an important feature for Debian
GNU/kFreeBSD to try to support. If not important, a very *attractive*
feature, that, despite more advanced stuff like Xen existing, is still a
really useful thing that potential users might like to see.
To sum up this overgrown rant, the following needs to be done to support
jails:
* Possible small modification to the 'jail' application for PAM
integration?
* Packaging of jail and jls (freebsd-utils perhaps?).
* I can't recall the exact problem with jexec offhand but it needs some
love.
* A stop/start and config script infrastructure.
* Figure out what we need for the J flag to be shown for a jailed
process.
* In a perfect world we'd have a working debootstrap to help things
along.
Any ideas/thoughts/comments from anyone?
--
Joshua
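
A sketch of the config-reading step for an init script like the one described in the message above. This is an added example, not Joshua's script: the key=value layout of /etc/jail.conf, the function names and the sample values are assumptions, and the output follows the classic `jail path hostname ip-number command` form of jail(8).

```sh
#!/bin/sh
# Added example. Config format (key=value) and sample values are assumptions.

# Accept only dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "jail <path> <hostname> <ip-number> <command>" for the given config.
# $2 is the command to run inside the jail (default: /etc/init.d/rc).
jail_cmdline() {
    dir='' hostname='' ip=''
    # Parse line by line rather than sourcing the file, so the config
    # can never execute shell code in the init script's (root) context.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) continue ;;
            dir) dir=$value ;;
            hostname) hostname=$value ;;
            ip) ip=$value ;;
            *) echo "unknown key: $key" >&2; return 1 ;;
        esac
    done < "$1"
    case "$dir" in
        /*) ;;
        *) echo "dir must be absolute" >&2; return 1 ;;
    esac
    case "$dir" in
        *[!A-Za-z0-9/._-]*|*/..|*/../*) echo "bad dir: $dir" >&2; return 1 ;;
    esac
    case "$hostname" in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
    printf 'jail %s %s %s %s\n' "$dir" "$hostname" "$ip" "${2:-/etc/init.d/rc}"
}

# Constructed sample config; /bin/sh is the first-boot command from the message.
sample=$(mktemp)
printf 'dir=/srv/jails/test\nhostname=test.example.org\nip=192.0.2.10\n' > "$sample"
jail_cmdline "$sample" /bin/sh
rm -f "$sample"
```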