/usr/share/doc/jailer/README is in jailer 0.4-17.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
This little script aims to help sysadmins create and maintain chrooted environments.
How to use?
The script reads its configuration from a file, which must be specified on the command line. In the config file you can list all of your chrooted environments, i.e. jails. The script parses the config file and then generates or regenerates the jails. Optionally, a single jail to generate can be named on the command line.
./jailer.pl config-file [jail-to-build]
Only one jail can be specified!
The config file has two main parts. One is for the general rules, and the other is for each jail.
For the general part:
-- * --
<general>
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
</general>
-- * --
The general rules are used in all of the jails. This way you have to specify common things only once.
The jails part:
-- * --
<jail1>
Root: /path/to/the/root1
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
Conf: /etc/my/*
</jail1>
<jail2>
Root: /path/to/the/root2
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
Conf: /etc/my.conf
</jail2>
-- * --
The name of the jail (e.g. jail1, jail2) does not matter; it is only for you.
How does it work?
Root: the root of the specified jail.
Debs: the deb files you want to have in the specified jail. You do not have to specify the dependencies, the program will take care of them.
Junk-Debs: the deb files which the jail needs (as dependencies), but which you do not want to be used.
Junk: From the deb list the program creates a file list; here you can specify the unwanted (junk) files. You must use the full path name. (NOTE: If you specify /bin/foo/* then /bin/foo/bar is also selected.)
Extra: Here you can specify additional files which you want to use in the jail. Use globbing!
Links: Here you can specify symlinks to create in the jail. Useful for the alternatives system. (e.g. /usr/bin/perl-5.005<=>/usr/bin/perl)
Conf: You can specify the default config files to copy into the jail; if the file already exists in the jail, nothing is copied!
NOTE: the script works only on Debian, since it uses the /var/lib/dpkg/available and /var/lib/dpkg/info/*.list files!!!
NOTE: You need cpio to run jailer successfully, and of course perl :)
The field separator is a space. (NOTE: If you do not need one of the options, delete it; do not leave it empty!)
Feedback, bugs and comments are welcome!
Marton Illes
marci@balabit.hu
Living example:
-- * --
<general>
Junk: /usr/doc/* /usr/man/* /usr/share/man/* /usr/share/doc/* /etc/init.d/* /usr/share/zoneinfo/* /sbin/ldconfig.new /etc/*
</general>
<ntp>
Root: /var/chroot/ntp
Debs: ntp
Conf: /etc/ntp.conf
Extra: /dev/null /etc/hosts /etc/resolv.conf /etc/nsswitch.conf
</ntp>
<general>
Junk: /usr/doc/* /usr/man/* /usr/share/man/* /usr/share/doc/* /etc/init.d/* /usr/share/zoneinfo/* /sbin/ldconfig.new /etc/*
</general>
<bind>
Root: /var/chroot/bind
Conf: /etc/bind/*
Debs: bind
Junk-Debs: tcpd arpd
Extra: /dev/null /dev/log
Junk: /usr/share/* /sbin/* /usr/sbin/arp /usr/sbin/arping /usr/sbin/inetd /usr/sbin/ipautofw /usr/sbin/ipmasqadm /usr/sbin/tzconfig /usr/sbin/update-inetd /usr/sbin/zic /usr/lib/* /bin/* /usr/bin/tzselect /usr/bin/ldd /usr/bin/getent /usr/bin/zdump /lib/libwrap* /lib/libm* /lib/libcrypt* /lib/libthread* /lib/libutil* /lib/librt* /lib/libpthread* /lib/libnss* /lib/libdb* /lib/libdl* /lib/libBrokenLocale* /lib/libnsl* /lib/libSegFault* /lib/libresolv* /usr/sbin/iconv /usr/sbin/local /usr/bin/rpc* /usr/bin/trace*
</bind>
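An added example (not the jailer script's own code) that parses a config in the format above, applies the <general> rules to each jail, and works out which files the Junk globs drop and which Conf defaults still get copied, following the descriptions in "How does it work?". The sample config and the stand-in file list are constructed, and the order in which Junk, Extra and Conf are applied is assumed from those descriptions.

```python
import fnmatch
import re

# Constructed sample config in jailer's format (not taken from a real system).
SAMPLE_CONFIG = """<general>
Junk: /usr/share/doc/* /etc/*
Links: /usr/bin/perl-5.005<=>/usr/bin/perl
</general>
<ntp>
Root: /var/chroot/ntp
Debs: ntp
Conf: /etc/ntp.conf
Extra: /dev/null /etc/hosts
</ntp>
"""
# Constructed stand-in for the file list jailer reads from /var/lib/dpkg/info/ntp.list.
NTP_FILE_LIST = ["/usr/sbin/ntpd", "/etc/ntp.conf", "/usr/share/doc/ntp/README"]

def parse_config(text):
    """Return {section: {key: [values]}}; the field separator is a space."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if tag := re.fullmatch(r"<(\w+)>", line):
            current = tag.group(1)
            sections[current] = {}
        elif re.fullmatch(r"</\w+>", line):
            current = None
        elif line and current:
            key, _, rest = line.partition(":")
            sections[current][key.strip()] = rest.split()
    return sections

def merged_jails(sections):
    """Prepend the <general> rules to every jail's own rules."""
    general = sections.get("general", {})
    return {name: {k: general.get(k, []) + rules.get(k, [])
                   for k in general.keys() | rules.keys()}
            for name, rules in sections.items() if name != "general"}

def is_junk(path, junk_globs):
    """fnmatch's '*' also spans '/', so '/bin/foo/*' selects '/bin/foo/bar' too."""
    return any(fnmatch.fnmatchcase(path, g) for g in junk_globs)

def plan_jail(jail, deb_files):
    """Deb files minus Junk, plus Extra; Conf defaults only where the file is absent."""
    copied = [p for p in deb_files if not is_junk(p, jail.get("Junk", []))]
    copied += jail.get("Extra", [])
    conf = [p for p in jail.get("Conf", []) if p not in copied]
    links = [tuple(v.split("<=>", 1)) for v in jail.get("Links", [])]
    return {"files": copied, "conf_defaults": conf, "links": links}
```

Note that because Junk /etc/* drops the package's own /etc/ntp.conf, the file only reaches the jail through Conf, and only if it is not already there, which is what lets a locally edited copy survive a regeneration.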