RFC/RFS: aptjail: Powerful chroot() generator for Debian systems

To: Debian Mentors List <debian-mentors@lists.debian.org>
Cc: John Livingston <jlivings@gmail.com>
Subject: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
From: Kyle Moffett <mrmacman_g4@mac.com>
Date: Sun, 12 Aug 2007 01:05:37 -0400
Message-id: <[🔎] 3B0C3ACA-3DC3-42E0-8586-695554D52AF5@mac.com>

Hi, I'm looking for some advice/guidance/sponsorship on a Debianpackage I'm working on called "aptjail". It's basically a Perlscript I wrote to create/manage/update chroot() jails based aroundpackage dependencies and contents obtained from apt/dpkg. Whenbuilding a jail, it looks at a few general things:

(1) The list of packages it's configured to use, and all theirdependencies, subtracting ignoring packages in an "ignore" list.

(2)  A list of additional files to copy

(3) A "template" directory containing configuration files andreplacements to copy into the chroot and maybe replace theirequivalents from the main filesystem(4) A list of "data" patterns which identify paths not to modify atall (logs, pidfile, databases, etc).


From these it allows you to pretty basically say:

"I want a Kerberos chroot jail installed in /private/krb5 with krb5-admin-server krb5-kdc, and all their dependencies, but not krb5-user (or any of the globally-excluded packages, including debconf,adduser, coreutils, net-tools, logrotate, lsb-base, netbase,tzdata, perl, tcpd, psmisc, etc). Also exclude everything in /usr/share, /usr/lib/gconv, and kadmin.local. Everything in /var/lib/krb5kdc and /var/log is a data file and should not be touched afterthe jail is created."

The binary itself has useful --help and --version options, a manpagegenerated by help2man&vim. The code is all GPLv2-licensed (hopefullyevident from the copyright files). It uses "rsync" to do the file-copying dirty work.

The relevant files are all found at http://moffetthome.net:18888/~kyle/aptjail/ I've got all the outputs of dpkg-buildpackage, aswell as the original source tarball I made ("aptjail-0.01.tar.bz2")and an extracted copy in the "aptjail" subdirectory.

At the moment you have to write your own init-scripts and configs tohandle the actual chrooting of the daemons, I don't see any decentway of automating that without significant modifications to otherDebian packages.

Both John and I have fairly extensively tested and tinkered with itand haven't yet been able to break it (although we've managed to makersync segfault reliably while trying to build a mysql jail, don'tknow why yet).

I appreciate any comments, suggestions, and criticism that willassist me in improving this package to the point where it's usefulfor other people.


Cheers,
Kyle Moffett

Reply to:

Follow-Ups:
- Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
  - From: Neil Williams <codehelp@debian.org>
- Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
  - From: Francois-Denis Gonthier <neumann@lostwebsite.net>

Prev by Date: RFS: scim-array
Next by Date: Re: Man pages and UTF-8
Previous by thread: RFS: scim-array
Next by thread: Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
Index(es):
- Date
- Thread