2. Chroot Jails

2.1. Basics

Jail configuration files are located in /etc/sysconfig/jail and must be the same name (uppercase) as the name of the package, i.e. /etc/sysconfig/jail/POSTFIX

Chroot jails are initialized or shut down with the helper script: /etc/init.d/jail . This script takes 2 parameters:

<action> This is either start or stop.

<config> This is the filename of the jail definition file, without the pathname, i.e.: POSTFIX

To create the postfix jail you would issue the command: /etc/init.d/jail start POSTFIX

2.2. Jail configuration files


Take a look at the sample config file and on what you find on your Devil-Linux box in the directory /etc/sysconfig.jail.

2.3. Compartment

Devil-Linux uses the program compartment (originally created by SuSE's Marc Heuse, but he doesn't maintain it anymore) to start daemons in a chroot jail. The used compartment has some more features then the standard v1.2, so check what man compartment or compartment --help on your Devil Linux Box has to tell you.

A very nice feature of compartment is that you can set Linux Capabilities. I can't explain here what this is, so go ahead do a man capset and take a look at linux-2.4.20/include/linux/capability.h (not on Devil-Linux !) or ask Google. ;-)

2.4. Sample jail configuration file

# $Source: /cvsroot/devil-linux/build/docs/documentation/documentation.xml,v $
# $Revision: $
# $Date: 2004/06/16 17:12:53 $
# http://www.devil-linux.org
# define the chroot-jail for Lotus Domino Server

# name of the daemon
NAME Lotus Domino

# filename of the daemon
# leave empty, if you want to start the daemon yourself
#DAEMON /opt/lotus/bin/server

# parameters to give to the daemon
# leave empty, when you start the daemon yourself

# define user and group under which this daemon should run
# leave empty, when you start the daemon yourself
USER notes
GROUP notes

# set Linux capabilities
# leave empty, when you start the daemon yourself

# define this, if daemon needs another directory
# when you specify this, the chroot jail is not cleaned upon initialization

# define this, when the jail directory should not be emptied

# define this, if the package should not be unpacked into the jail root directory

# devices to create
# parameter: devicename type major minor user.group rights
DEV null c 1 3 0.0 0666
DEV zero c 1 5 0.0 0666
DEV tty9 c 4 9 0.0 0666

# files and directories  to copy
COPY /etc/resolv.conf
COPY /etc/services
COPY /etc/host.conf
COPY /etc/nsswitch.conf
COPY /lib/libnss_dns*
COPY /etc/localtime

# copy the user/group from the main /etc/passwd and /etc/group files
# this doesn't copy anything from /etc/shadow !

# specify what should be mounted
# MOUNT <device> <mount-point> <mount-parameters>
MOUNT /dev/devil-linux/dominobin        /opt            -o ro,nodev
MOUNT /dev/devil-linux/dominodata       /var/data       -o rw,noexec,nodev
MOUNT none      /proc   -o ro,noexec,nodev      -t proc