RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
Hi, I'm looking for some advice/guidance/sponsorship on a Debian
package I'm working on called "aptjail". It's basically a Perl
script I wrote to create/manage/update chroot() jails based around
package dependencies and contents obtained from apt/dpkg. When
building a jail, it looks at a few general things:
(1) The list of packages it's configured to use, and all their
dependencies, subtracting packages in an "ignore" list.
(2) A list of additional files to copy
(3) A "template" directory containing configuration files and
replacements to copy into the chroot and maybe replace their
equivalents from the main filesystem
(4) A list of "data" patterns which identify paths not to modify at
all (logs, pidfile, databases, etc).
From these it allows you to pretty basically say:
"I want a Kerberos chroot jail installed in /private/krb5 with
krb5-admin-server krb5-kdc, and all their dependencies, but not
krb5-user (or any of the globally-excluded packages, including debconf,
adduser, coreutils, net-tools, logrotate, lsb-base, netbase,
tzdata, perl, tcpd, psmisc, etc). Also exclude everything in
/usr/share, /usr/lib/gconv, and kadmin.local. Everything in
/var/lib/krb5kdc and /var/log is a data file and should not be touched
after the jail is created."
The binary itself has useful --help and --version options, and a manpage
generated by help2man & vim. The code is all GPLv2-licensed (hopefully
evident from the copyright files). It uses "rsync" to do the
file-copying dirty work.
The relevant files are all found at
http://moffetthome.net:18888/~kyle/aptjail/
I've got all the outputs of dpkg-buildpackage, as
well as the original source tarball I made ("aptjail-0.01.tar.bz2")
and an extracted copy in the "aptjail" subdirectory.
At the moment you have to write your own init-scripts and configs to
handle the actual chrooting of the daemons; I don't see any decent
way of automating that without significant modifications to other
Debian packages.
Both John and I have fairly extensively tested and tinkered with it
and haven't yet been able to break it (although we've managed to make
rsync segfault reliably while trying to build a mysql jail, don't
know why yet).
I appreciate any comments, suggestions, and criticism that will
assist me in improving this package to the point where it's useful
for other people.
Cheers,
Kyle Moffett
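
The selection logic described in the message above (package closure minus an ignore list, path excludes, protected data paths), as an added Python sketch that is not aptjail's own code. The package metadata is constructed sample data, the function names are hypothetical, and two behaviours are assumptions: ignored packages are not descended into, and data paths are skipped for both copy and delete when an existing jail is updated.

```python
from fnmatch import fnmatch

# Constructed metadata standing in for what apt/dpkg would report.
DEPENDS = {
    "krb5-admin-server": ["krb5-kdc", "krb5-user", "libkrb5-3"],
    "krb5-kdc": ["libkrb5-3", "debconf", "lsb-base"],
    "krb5-user": ["libkrb5-3"],
    "libkrb5-3": ["libc6"],
    "debconf": ["perl"],
}
FILES = {
    "krb5-admin-server": ["/usr/sbin/kadmind", "/usr/sbin/kadmin.local"],
    "krb5-kdc": ["/usr/sbin/krb5kdc", "/usr/share/doc/krb5-kdc/copyright"],
    "libkrb5-3": ["/usr/lib/libkrb5.so.3"],
    "libc6": ["/lib/libc.so.6", "/usr/lib/gconv/UTF-16.so"],
}

def matches(path, patterns):
    """True if path equals a pattern, lies under it, or matches it as a glob."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") or fnmatch(path, p)
               for p in patterns)

def resolve(roots, ignore):
    """Dependency closure of roots; ignored packages are dropped, not descended into."""
    selected, todo = set(), list(roots)
    while todo:
        pkg = todo.pop()
        if pkg in ignore or pkg in selected:
            continue
        selected.add(pkg)
        todo.extend(DEPENDS.get(pkg, []))
    return selected

def jail_files(packages, exclude):
    """Files shipped by the selected packages, minus excluded paths."""
    return {f for p in packages for f in FILES.get(p, []) if not matches(f, exclude)}

def sync_plan(wanted, existing, data):
    """Update plan for an existing jail: data paths are never copied over or deleted."""
    copy = sorted(f for f in wanted if not matches(f, data))
    delete = sorted(f for f in existing - wanted if not matches(f, data))
    return copy, delete

# Settings mirroring the Kerberos jail described in the message (subset of its lists).
IGNORE = {"krb5-user", "debconf", "lsb-base", "perl"}
EXCLUDE = ["/usr/share", "/usr/lib/gconv", "*/kadmin.local"]
DATA = ["/var/lib/krb5kdc", "/var/log"]
```

The delete list matters for a jail as much as the copy list: anything left behind from an earlier package set stays reachable from inside the chroot unless the update removes it.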