[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFC/RFS: aptjail: Powerful chroot() generator for Debian systems

Hi, I'm looking for some advice/guidance/sponsorship on a Debian package I'm working on called "aptjail". It's basically a Perl script I wrote to create/manage/update chroot() jails based around package dependencies and contents obtained from apt/dpkg. When building a jail, it looks at a few general things:

(1) The list of packages it's configured to use, and all their dependencies, subtracting ignoring packages in an "ignore" list.
(2)  A list of additional files to copy
(3) A "template" directory containing configuration files and replacements to copy into the chroot and maybe replace their equivalents from the main filesystem (4) A list of "data" patterns which identify paths not to modify at all (logs, pidfile, databases, etc).

From these it allows you to pretty basically say:

"I want a Kerberos chroot jail installed in /private/krb5 with krb5- admin-server krb5-kdc, and all their dependencies, but not krb5- user (or any of the globally-excluded packages, including debconf, adduser, coreutils, net-tools, logrotate, lsb-base, netbase, tzdata, perl, tcpd, psmisc, etc). Also exclude everything in /usr/ share, /usr/lib/gconv, and kadmin.local. Everything in /var/lib/ krb5kdc and /var/log is a data file and should not be touched after the jail is created."

The binary itself has useful --help and --version options, a manpage generated by help2man&vim. The code is all GPLv2-licensed (hopefully evident from the copyright files). It uses "rsync" to do the file- copying dirty work.

The relevant files are all found at http://moffetthome.net:18888/ ~kyle/aptjail/ I've got all the outputs of dpkg-buildpackage, as well as the original source tarball I made ("aptjail-0.01.tar.bz2") and an extracted copy in the "aptjail" subdirectory.

At the moment you have to write your own init-scripts and configs to handle the actual chrooting of the daemons, I don't see any decent way of automating that without significant modifications to other Debian packages.

Both John and I have fairly extensively tested and tinkered with it and haven't yet been able to break it (although we've managed to make rsync segfault reliably while trying to build a mysql jail, don't know why yet).

I appreciate any comments, suggestions, and criticism that will assist me in improving this package to the point where it's useful for other people.

Kyle Moffett

Reply to: