Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems

To: debian-mentors@lists.debian.org
Subject: Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
From: Neil Williams <codehelp@debian.org>
Date: Sun, 12 Aug 2007 12:04:36 +0100
Message-id: <[🔎] 20070812120436.127639d6.codehelp@debian.org>
In-reply-to: <[🔎] 3B0C3ACA-3DC3-42E0-8586-695554D52AF5@mac.com>
References: <[🔎] 3B0C3ACA-3DC3-42E0-8586-695554D52AF5@mac.com>

On Sun, 12 Aug 2007 01:05:37 -0400
Kyle Moffett <mrmacman_g4@mac.com> wrote:

> Hi, I'm looking for some advice/guidance/sponsorship on a Debian  
> package I'm working on called "aptjail".  It's basically a Perl  
> script I wrote to create/manage/update chroot() jails based around  
> package dependencies and contents obtained from apt/dpkg.  When  
> building a jail, it looks at a few general things:
> 
> (1)  The list of packages it's configured to use, and all their  
> dependencies, subtracting ignoring packages in an "ignore" list.
> (2)  A list of additional files to copy
> (3)  A "template" directory containing configuration files and  
> replacements to copy into the chroot and maybe replace their  
> equivalents from the main filesystem
> (4)  A list of "data" patterns which identify paths not to modify at  
> all (logs, pidfile, databases, etc).

What is the advantage over debootstrap or cdebootstrap? You have to
write new config scripts for those too. (See emdebian-tools for our
config scripts to build cross-building and foreign chroots.)

> > "I want a Kerberos chroot jail installed in /private/krb5 with
> > krb5- admin-server krb5-kdc, and all their dependencies, but not
> > krb5- user (or any of the globally-excluded packages, including
> > debconf, adduser, coreutils, net-tools, logrotate, lsb-base,
> > netbase, tzdata, perl, tcpd, psmisc, etc).  Also exclude everything
> > in /usr/ share, /usr/lib/gconv, and kadmin.local.  Everything
> > in /var/lib/ krb5kdc and /var/log is a data file and should not be
> > touched after the jail is created."

OK, that's pseudo-code. You could do something similar with
debootstrap. The question is: as you have to write config scripts for
aptjail anyway and the process is not yet automatable, what is the
benefit over debootstrap?

> The relevant files are all found at http://moffetthome.net:18888/ 
> ~kyle/aptjail/  I've got all the outputs of dpkg-buildpackage, as  
> well as the original source tarball I made ("aptjail-0.01.tar.bz2")  
> and an extracted copy in the "aptjail" subdirectory.

If you are looking for a sponsor, please follow the guidelines at
mentors.debian.net, provide the location of the .dsc file and/or
upload to mentors.debian.net.
 
> At the moment you have to write your own init-scripts and configs to  
> handle the actual chrooting of the daemons, I don't see any decent  
> way of automating that without significant modifications to other  
> Debian packages.

AFAICT this is no different to debootstrap.

http://people.debian.org/~codehelp/#sponsor
 
-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Attachment: pgpDcpnET0t_J.pgp
Description: PGP signature

Reply to:

References:
- RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
  - From: Kyle Moffett <mrmacman_g4@mac.com>

Prev by Date: Re: Man pages and UTF-8
Next by Date: Re: Man pages and UTF-8
Previous by thread: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
Next by thread: Re: RFC/RFS: aptjail: Powerful chroot() generator for Debian systems
Index(es):
- Date
- Thread