Re: Successful jailed GNU/kFreeBSD
On Sun, 2007-07-15 at 19:44 +0800, Jett Tayer wrote:
> Hi, can you send me how'd you do it?
Posting this response to the list seems like a good idea.
I guess, first of all, the basic steps I used are:
* Get the source code for the jail binary. In this case I used the fetch
script from freebsd-utils (since I was using that as a testing ground).
* This next step should be considered the dirty and hackish part; I
pretty much ripped out any BSD login cap related code to get a working
build. A much more skilled developer with some PAM experience could
probably whip up a replacement for the already small amount of code.
* Now equipped with a usable binary, you can go about your business as
if you were setting up a regular FreeBSD jail manually. In my case, the
base tarball from the latest GNU/kFreeBSD install disc was used to
populate the jail, instead of the traditional FreeBSD source based
* One of the most obvious missing pieces is an equivalent to FreeBSD's
jail configuration via rc.conf and the necessary init scripts for
stopping/starting jails (manually or at boot). At the moment I'm using a
custom /etc/init.d/jail script that reads the basic config values (dir,
hostname, ip address) from /etc/jail.conf.
* Initial interaction with the environment inside the jail is done
through simply executing /bin/sh instead of /etc/init.d/rc.
Then apt-get install openssh-server, exit the jail shell and fire it up.
Shutting down is a manual process due to the current lack of jexec.
So, as you can see, it's fairly...unclean. At the moment.
I personally think jail support is an important feature for Debian
GNU/kFreeBSD to try to support. If not important, a very *attractive*
feature, that, despite more advanced stuff like Xen existing, is still a
really useful thing that potential users might like to see.
To sum up this overgrown rant, the following needs to be done to support
* Possible small modification to the 'jail' application for PAM
* Packaging of jail and jls (freebsd-utils perhaps?).
* I can't recall the exact problem with jexec offhand but it needs some
* A stop/start and config script infrastructure.
* Figure out what we need for the J flag to be shown for a jailed
* In a perfect world we'd have a working debootstrap to help things
Any ideas/thoughts/comments from anyone?
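
The config-reading part of a custom /etc/init.d/jail script like the one described above, as an added example that is not part of the original post or the author's script. It assumes /etc/jail.conf holds key=value lines named dir, hostname and ip, and the function names are hypothetical. It parses the file rather than sourcing it, validates each value, and only prints the jail command it would run.

```shell
#!/bin/sh
# Added example. Assumed /etc/jail.conf format: key=value lines (dir, hostname, ip).

# Parse the file instead of sourcing it, so nothing in it is executed as root.
read_jail_conf() {
    JAIL_DIR= JAIL_HOSTNAME= JAIL_IP=
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) ;;                      # blank line or comment
            dir) JAIL_DIR=$value ;;
            hostname) JAIL_HOSTNAME=$value ;;
            ip) JAIL_IP=$value ;;
            *) echo "jail.conf: unknown key '$key'" >&2; return 1 ;;
        esac
    done < "$1"
}

# Reject values that should never reach the jail binary.
validate_jail_conf() {
    case "$JAIL_DIR" in
        /|*/..|*/../*) echo "dir: refusing '$JAIL_DIR'" >&2; return 1 ;;
        /*) ;;
        *) echo "dir: must be an absolute path" >&2; return 1 ;;
    esac
    case "$JAIL_HOSTNAME" in
        ''|*[!A-Za-z0-9.-]*) echo "hostname: invalid" >&2; return 1 ;;
    esac
    case "$JAIL_IP" in
        ''|*[!0-9.]*) echo "ip: invalid" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $JAIL_IP; IFS=$oldifs   # split into octets
    [ "$#" -eq 4 ] || { echo "ip: need four octets" >&2; return 1; }
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null ||
            { echo "ip: bad octet" >&2; return 1; }
    done
}

# Dry run: print the invocation (jail path hostname ip-number command).
jail_command() {
    printf 'jail %s %s %s %s\n' "$JAIL_DIR" "$JAIL_HOSTNAME" "$JAIL_IP" "${1:-/bin/sh}"
}

# Constructed sample config, not taken from the original post.
sample=$(mktemp)
printf 'dir=/srv/jails/kfreebsd\nhostname=jail1.example.org\nip=192.0.2.10\n' > "$sample"
read_jail_conf "$sample" && validate_jail_conf && jail_command /bin/sh
rm -f "$sample"
```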