
Re: Chrooted packages, where to put them?



** On May 24, Stephen Frost scribbled:
> On Wed, 24 May 2000, Marco d'Itri wrote:
> 
> > On May 23, Marek Habersack <grendel@vip.net.pl> wrote:
> > 
> >  >  I'm building for myself a chrooted bind package. It's gonna be used locally
> >  >only, but I want it to conform to the Debian Policy Manual/FHS as much as it
> >  >is possible. My first idea was to put the chroot tree in /usr/local, but
> > It's a system dependent choice, there is currently no FHS policy
> > regarding chroots.
> > 
> > (BTW, I'm considering writing a tool which automatically maintains and
> > updates chroot environments, I think more of our daemons should be
> > chrooted. It's a shame our BIND package even runs as root.)
> 
> 	I would have to agree with this...  bind should not be running as root,
> and would be best if it was run in a chroot jail.  I set it up here and it was
> not a very complex process, perhaps once I get more experience I'll try and do
> something to better automate the process.
Setting up itself isn't hard. The harder part is to package it that way. I
think we should have (assuming more daemons will run chrooted) a separate
package providing the chroot framework. I imagine it would provide something
like that:

/var/chroot/
/var/chroot/lib <- all the libraries go here
/var/chroot/etc <- necessary config files

The chrooted daemons would be installed in a package/ subdir of the chroot
tree, e.g.:

/var/chroot/bind

and create a structure of their own, hardlinking the libraries and /etc files
from the /var/chroot/ tree (for that to work all of the packages must be on
one filesystem). They would run chrooted into their /var/chroot/package/
directory. All packages would require the chroot package (e.g. chroot-base).
Comments?

marek
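
The layout proposed in the message above, as an added example that is not part of the original thread: it hardlinks shared files into a per-package jail, refuses to work across filesystems, and reports jail files that no longer share an inode with the shared copy (which happens when an upgrade replaces a file by rename). The function names and the scratch directory are assumptions; `stat -c` is the GNU/busybox form.

```shell
#!/bin/sh
# Added example (not from the thread). Layout follows the proposal above:
# BASE/lib and BASE/etc are shared; BASE/<package>/ is the jail a daemon chroots into.
# Function names are hypothetical.

same_fs() {   # hardlinks cannot cross filesystems, so compare device numbers
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

link_into_jail() {   # usage: link_into_jail BASE PACKAGE RELPATH...
    base=$1 pkg=$2; shift 2
    jail="$base/$pkg"
    mkdir -p "$jail" || return 1
    same_fs "$base" "$jail" || { echo "$jail: not on the same filesystem as $base" >&2; return 2; }
    for rel in "$@"; do
        src="$base/$rel"
        # refuse symlinks and missing files: only regular shared files are linked
        { [ -f "$src" ] && [ ! -L "$src" ]; } || { echo "$src: not a regular file" >&2; return 3; }
        mkdir -p "$jail/$(dirname "$rel")" || return 1
        ln -f "$src" "$jail/$rel" || return 1
    done
}

stale_links() {   # print jail files that no longer share an inode with the base copy
    base=$1 pkg=$2
    ( cd "$base/$pkg" && find . -type f ) | while IFS= read -r f; do
        f=${f#./}
        [ -e "$base/$f" ] || continue            # package-private file, nothing shared
        [ "$base/$pkg/$f" -ef "$base/$f" ] || echo "$f"
    done
}

demo() {   # constructed sample tree in a scratch directory, no root needed
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib" "$d/etc"
    echo "constructed library placeholder" > "$d/lib/libc.so.6"
    echo "constructed config" > "$d/etc/resolv.conf"
    link_into_jail "$d" bind lib/libc.so.6 etc/resolv.conf || return 1
    # an upgrade that replaces a file by rename leaves the jail holding the old inode
    echo "constructed upgraded library" > "$d/lib/libc.so.6.new"
    mv "$d/lib/libc.so.6.new" "$d/lib/libc.so.6"
    stale_links "$d" bind
    rm -rf "$d"
}

demo   # prints: lib/libc.so.6
```

Because a hardlink is the same inode as the shared file, the shared files need to be unwritable by the daemon's user, otherwise a write inside one jail changes the copy seen by every other jail.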
