I am limited to one OpenBSD/amd64 box in my environment. And, unfortunately, it is my "production" server (at home).So that I could build and test ports on my "production" server without installing millions of dependencies and polluting my environment, I set up a SSH-based chroot environment to build the ports.
My server has a lot of disk space for my use (1.5 TB). I have it configured to use ~1.2 TB of the available space, leaving ~300 GB available to be partitioned. I created a new 100 GB /home/chroot partition. I have the partition mounted with "rw,softdep" so that I can store and use devices and suid binaries.
I created a "/home/chroot/ports-amd64" directory and unpacked all of the amd64 snapshot install sets (matching what is installed on the system) to that directory. Then, I changed to /home/chroot/ports-amd64/dev and ran "sudo ./MAKEDEV all" to create devices for the chroot.
Then I created a new user for the chroot. I went with too long of a username, portsamd64, but it's clear what the purpose is. Then, I copied the following files from /etc to /home/chroot/ports-amd64/etc:
I then ran "sudo ln -sf /usr/share/zoneinfo/EST5EDT /home/chroot/ports-amd64/etc/localtime" so the chroot has the same time as the "host" system. In my /etc/profile.local, I have the ability to override the system hostname in the PS1 prompt, so I edited the profile.local file to have "export HOSTNAME=amd64jail". That way, I can easily distinguish between shells in the chroot and shells directly to the host. Then, I edited /home/chroot/ports-amd64/etc/group and added the portsamd64 user to the wheel group. This way, portsamd64 can use sudo within the chroot but not outside of it.
cd /etc cp group hostname.* master.passwd mk.conf \ motd mygate myname passwd profile profile.local \ pwd.db resolv.conf sh_aliases spwd.db sudoers \ /home/chroot/ports-amd64/etc/
Then, I set up /etc/ssh/sshd_config with the following configuration:
Match User portsamd64 ChrootDirectory /home/chroot/ports-amd64
and restarted sshd.
Now I was able to ssh to my chroot as portsamd64. When logged in, I see the other processes that are running on the system, but cannot affect the parent of the chroot's filesystem. I created /var/run/dev.db by running "sudo dev_mkdb" and I created /var/run/ld.so.hints by running "sudo ldconfig /usr/lib /usr/local/lib /usr/X11R6/lib". So, I just checked out the ports tree and built some ports.
I'm sure there are potential security problems with this configuration. I am not using this for security, but for convenience.
Cool. I am wondering if the same basic idea could be used to populate the chroot of OpenBSD's httpd?
ReplyDeleteThe problem I always have when attempting to run httpd with chroot is that lots of stuff I want to use aren't in the the chroot. I'd like to be able to set up a way where I could install perl, mod_perl, wordpress, etc. easily, but all within the chroot jail of httpd.