Tuesday, October 14, 2008

Building Ports on a "Production" System

I am limited to one OpenBSD/amd64 box in my environment. And, unfortunately, it is my "production" server (at home).

So that I could build and test ports on my "production" server without installing a pile of build dependencies into /usr/local and polluting my environment, I set up an SSH-based chroot environment to build the ports in.

My server has a lot of disk space for my use (1.5 TB). I have it configured to use ~1.2 TB of the available space, leaving ~300 GB available to be partitioned. I created a new 100 GB /home/chroot partition. I have the partition mounted with "rw,softdep" only, that is, without the nodev and nosuid options the installer normally puts on /home, because the chroot needs working device nodes and setuid binaries (sudo, for one).

I created a "/home/chroot/ports-amd64" directory and unpacked all of the amd64 snapshot install sets (the same snapshot that is installed on the host, so the libraries and headers inside the chroot match the kernel it runs under) into that directory. Then, I changed to /home/chroot/ports-amd64/dev and ran "sudo ./MAKEDEV all" to create the device nodes for the chroot.

Then I created a new user for the chroot. I went with a rather long username, portsamd64, but it makes the purpose clear. The account has to exist on the host (sshd authenticates before it chroots) and in the chroot's own passwd files, so I copied the following files from /etc to /home/chroot/ports-amd64/etc:

cd /etc
cp group hostname.* master.passwd mk.conf \
 motd mygate myname passwd profile profile.local \
 pwd.db resolv.conf sh_aliases spwd.db sudoers \
 /home/chroot/ports-amd64/etc/

I then ran "sudo ln -sf /usr/share/zoneinfo/EST5EDT /home/chroot/ports-amd64/etc/localtime" so the chroot has the same time zone as the "host" system (the link target is resolved inside the chroot, so it points at the zoneinfo copy unpacked from the sets). In my /etc/profile.local, I have the ability to override the system hostname in the PS1 prompt, so I edited the chroot's profile.local to have "export HOSTNAME=amd64jail". That way, I can easily distinguish between shells in the chroot and shells directly on the host. Then, I edited /home/chroot/ports-amd64/etc/group and added the portsamd64 user to the wheel group. Since the host's /etc/group was left alone and sudoers was copied verbatim, portsamd64 can use sudo within the chroot but not outside of it.

Then, I set up /etc/ssh/sshd_config with the following configuration:

Match User portsamd64
        ChrootDirectory /home/chroot/ports-amd64

and restarted sshd. Two things to keep in mind here: a Match block extends to the end of the file, so it has to go last, and sshd will only chroot into a directory whose every path component (/, /home, /home/chroot, /home/chroot/ports-amd64) is owned by root and not writable by group or others; otherwise the login is dropped with "bad ownership or modes for chroot directory" in the log.

Now I was able to ssh to my chroot as portsamd64. When logged in, I can still see the other processes running on the system (a chroot confines the filesystem view, not the process table), but I cannot reach the filesystem outside the chroot. Two files that /etc/rc normally creates at boot were missing, because rc never ran inside the chroot: I created /var/run/dev.db by running "sudo dev_mkdb" and /var/run/ld.so.hints by running "sudo ldconfig /usr/lib /usr/local/lib /usr/X11R6/lib" so the dynamic linker can find shared libraries. After that, I just checked out the ports tree and built some ports.
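The steps above collected into one script, as an added example (this is not code from the original post). It assumes the 100 GB /home/chroot partition is already mounted rw without nodev/nosuid, that the snapshot sets sit in a directory named by $SETS (an assumed path), and that it is run as root on OpenBSD with an explicit "apply" argument; without that argument it only defines its functions. Beyond the post's own commands it adds the ownership/permission walk that sshd applies to ChrootDirectory before it will chroot a login, and it adds the build user to the copied group file with awk instead of by hand.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's chroot setup
# collected into one script for OpenBSD, plus the check sshd_config(5) makes
# on ChrootDirectory (every component root-owned, not group/world writable).
# Assumptions: /home/chroot is already mounted rw without nodev/nosuid, the
# snapshot sets live in $SETS, and the script runs as root ("sh this.sh apply").
set -eu

CHROOT=/home/chroot/ports-amd64   # as in the post
SETS=/home/sets/amd64             # assumed location of base*.tgz etc.
BUILD_USER=portsamd64

# Print "/" and every ancestor of a path down to the path itself, one per line.
path_components() {
    acc=""
    printf '/\n'
    old_ifs=$IFS; IFS=/
    for part in $1; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
    IFS=$old_ifs
}

# 0 if DIR is a directory owned by uid OWNER (default 0 = root) and not
# writable by group or others; 1 otherwise.  Parses ls -ldn so it works on
# both OpenBSD and Linux (paths containing whitespace are not handled).
dir_ok_for_chroot() {
    dir=$1; owner=${2:-0}
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3
    [ "$uid" = "$owner" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Apply dir_ok_for_chroot to every component, the same walk sshd does.
chroot_path_ok() {
    for d in $(path_components "$1"); do
        dir_ok_for_chroot "$d" "${2:-0}" || { echo "unsafe for ChrootDirectory: $d" >&2; return 1; }
    done
}

# Copy a group(5) file from stdin to stdout, adding USER to GROUP exactly once.
add_user_to_group() {
    awk -F: -v OFS=: -v u="$1" -v g="$2" '
        $1 == g && index("," $4 ",", "," u ",") == 0 { $4 = ($4 == "") ? u : $4 "," u }
        { print }'
}

setup_chroot() {
    mkdir -p "$CHROOT"
    for set in "$SETS"/*.tgz; do
        tar xzphf "$set" -C "$CHROOT"     # -p keeps modes, setuid bits included
    done
    (cd "$CHROOT/dev" && ./MAKEDEV all)
    # Host account for sshd to authenticate; deliberately NOT in the host's wheel.
    id "$BUILD_USER" >/dev/null 2>&1 || useradd -m "$BUILD_USER"
    mkdir -p "$CHROOT/home/$BUILD_USER"
    chown "$BUILD_USER" "$CHROOT/home/$BUILD_USER"
    # Same files the post copies.  master.passwd/spwd.db carry the host's
    # password hashes into the chroot; trim them if that matters to you.
    (cd /etc && cp hostname.* master.passwd mk.conf motd mygate myname passwd \
        profile profile.local pwd.db resolv.conf sh_aliases spwd.db sudoers \
        "$CHROOT/etc/")
    add_user_to_group "$BUILD_USER" wheel </etc/group >"$CHROOT/etc/group"
    ln -sf /usr/share/zoneinfo/EST5EDT "$CHROOT/etc/localtime"   # resolved inside the chroot
    echo 'export HOSTNAME=amd64jail' >>"$CHROOT/etc/profile.local"
    # sshd drops the login ("bad ownership or modes for chroot directory")
    # if this fails, so check it up front.
    chroot_path_ok "$CHROOT"
    # A Match block extends to end of file, so appending it is the right place.
    printf '\nMatch User %s\n\tChrootDirectory %s\n' "$BUILD_USER" "$CHROOT" >>/etc/ssh/sshd_config
    sshd -t && kill -HUP "$(cat /var/run/sshd.pid)"
    # What /etc/rc would have done at boot, but never ran inside the chroot.
    chroot "$CHROOT" dev_mkdb
    chroot "$CHROOT" ldconfig /usr/lib /usr/local/lib /usr/X11R6/lib
}

# Only touch the system when run as root with an explicit "apply" argument;
# otherwise just define the functions above.
if [ "${1-}" = apply ] && [ "$(id -u)" = 0 ]; then
    setup_chroot
fi
```

Run chroot_path_ok against the intended directory before touching sshd_config: a group-writable /home (a common tweak on shared boxes) is enough to make sshd reject the chroot, and the failure is only visible in the server log.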

I'm sure there are potential security problems with this configuration: the chroot carries a copy of the host's password hashes (master.passwd and spwd.db), and portsamd64 can become root inside it via sudo, and root inside a chroot is not a security boundary, least of all on a partition mounted without nodev, where it can create device nodes for the host's disks. I am not using this for security, but for convenience: it keeps build dependencies out of the host's /usr/local and lets me throw the whole tree away afterwards.

1 comment:

  1. Cool. I am wondering if the same basic idea could be used to populate the chroot of OpenBSD's httpd?

    The problem I always have when attempting to run httpd with chroot is that lots of stuff I want to use isn't in the chroot. I'd like to be able to set up a way where I could install perl, mod_perl, wordpress, etc. easily, but all within the chroot jail of httpd.