This little script aims to help sysadmins create and maintain chrooted environments.

How to use?

The script reads its configuration from a file, which must be specified on the command line. In the config file you list all of your chrooted environments, i.e. jails. The script parses the config file and then generates or regenerates the jails. Optionally, a single jail to generate can be named on the command line.

./jailer.pl config-file [jail-to-build]

Only one jail can be specified!

The config file has two main parts. One is for the general rules, the other is for each jail.

For the general part:

-- * --
<general>
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
</general>
-- * --

The general rules are used in all of the jails. This way you have to specify common things only once.

The jails part:

-- * --
<jail1>
Root: /path/to/the/root1
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
Conf: /etc/my/*
</jail1>

<jail2>
Root: /path/to/the/root2
Debs: deb1 deb2 deb3
Junk: /junk1 /junk2 /ju/nk/3
Junk-Debs: deb1 deb2 deb3
Extra: /ex/tr/a/1/* /extra2 /extr/a3
Links: /file1<=>/link1 /fil/e2<=>/lin/k2
Conf: /etc/my.conf
</jail2>
-- * --

The name of the jail (e.g. jail1, jail2) does not matter; it is only for you.

How does it work?

Root: the root of the specified jail.

Debs: the deb packages you want to have in the specified jail. You do not have to specify the dependencies, the program will take care of them.

Junk-Debs: the deb packages which are needed by the jail (as dependencies), but which you do not want to be used.

Junk: from the deb list the program creates a file list; here you can specify the unwanted (junk) files. You must use the full path name. (NOTE: if you specify /bin/foo/* then /bin/foo/bar is also selected.)

Extra: here you can specify additional files which you want to use in the jail. Globbing is supported!

Links: here you can specify symlinks to create in the jail. Useful for the alternatives system. (e.g. /usr/bin/perl-5.005<=>/usr/bin/perl)

Conf: you can specify the default config files to copy into the jail; if the file already exists in the jail, nothing is copied!

NOTE: the script works only on Debian, because it uses the /var/lib/dpkg/available and /var/lib/dpkg/info/*.list files!!!

NOTE: you need cpio to run jailer successfully, and of course perl :)

The field separator is a space. (NOTE: if you do not need one of the options, delete its line; do not leave it empty!)
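As an added illustration of the config format described above (this is not code from jailer.pl), the following Python parses a constructed sample config, merges the <general> rules into a jail's own rules, splits Links entries on <=>, and filters a file list by the Junk globs. Dependency resolution via dpkg is left out; the file list is assumed to come from elsewhere.

```python
import fnmatch
import re

# Constructed sample in jailer's config format (not a file from the project).
SAMPLE_CONFIG = """\
<general>
Junk: /usr/share/doc/* /usr/share/man/*
Links: /usr/bin/perl-5.005<=>/usr/bin/perl
</general>
<ntp>
Root: /var/chroot/ntp
Debs: ntp
Conf: /etc/ntp.conf
Junk: /usr/sbin/ntpdate
</ntp>
"""
SECTION_RE = re.compile(r"^<(/?)([\w-]+)>$")

def parse_config(text):
    """Return (general, jails); each section is a dict of field -> list of values."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = SECTION_RE.match(line)
        if m and m.group(1) and m.group(2) == current:      # </name> closes the open section
            current = None
        elif m and not m.group(1) and current is None:     # <name> opens a new section
            current, sections[m.group(2)] = m.group(2), {}
        elif m or current is None:
            raise ValueError(f"unexpected line {line!r}")
        else:
            key, _, value = line.partition(":")
            values = value.split()                          # field separator is a space
            if not values:                                  # README: delete unused fields
                raise ValueError(f"empty {key.strip()} in <{current}>")
            sections[current][key.strip()] = values
    if current is not None:
        raise ValueError(f"unclosed section <{current}>")
    return sections.pop("general", {}), sections

def merged_rules(general, jail):
    """Per field, the common <general> values followed by the jail's own values."""
    return {k: general.get(k, []) + jail.get(k, []) for k in set(general) | set(jail)}

def links(rules):
    """'/file1<=>/link1' -> (existing file, symlink to create) pairs."""
    return [tuple(v.split("<=>", 1)) for v in rules.get("Links", [])]

def keep_files(file_list, rules):
    """Drop Junk matches; fnmatch's '*' spans '/', so '/bin/foo/*' also drops '/bin/foo/bar'."""
    return [f for f in file_list if not any(fnmatch.fnmatchcase(f, p) for p in rules.get("Junk", []))]
```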


Feedback, bug reports and comments are welcome!

Marton Illes
marci@balabit.hu


Living example:

-- * --
<general>
Junk: /usr/doc/* /usr/man/* /usr/share/man/* /usr/share/doc/* /etc/init.d/* /usr/share/zoneinfo/* /sbin/ldconfig.new /etc/*
</general>

<ntp>
Root: /var/chroot/ntp
Debs: ntp
Conf: /etc/ntp.conf
Extra: /dev/null /etc/hosts /etc/resolv.conf /etc/nsswitch.conf
</ntp>

<bind>
Root: /var/chroot/bind
Conf: /etc/bind/*
Debs: bind
Junk-Debs: tcpd arpd
Extra: /dev/null /dev/log
Junk: /usr/share/* /sbin/* /usr/sbin/arp /usr/sbin/arping /usr/sbin/inetd /usr/sbin/ipautofw /usr/sbin/ipmasqadm /usr/sbin/tzconfig /usr/sbin/update-inetd /usr/sbin/zic /usr/lib/* /bin/* /usr/bin/tzselect /usr/bin/ldd /usr/bin/getent /usr/bin/zdump /lib/libwrap* /lib/libm* /lib/libcrypt* /lib/libthread* /lib/libutil* /lib/librt* /lib/libpthread* /lib/libnss* /lib/libdb* /lib/libdl* /lib/libBrokenLocale* /lib/libnsl* /lib/libSegFault* /lib/libresolv* /usr/sbin/iconv /usr/sbin/local /usr/bin/rpc* /usr/bin/trace*
</bind>

