Re: [CFT] packaging the base system with pkg(8)

From: Roger Marquis <marquis_at_roble.com>
Date: Tue, 8 Mar 2016 10:23:33 -0800 (PST)
> In FreeBSD, we *do* have a compelling case for installing a small subset of
> the base system: service jails (or ?containerised applications? as the kids
> are calling them). We want to be able to install, for example, owncloud and
> nginx or ejabberd in a jail with only the bare minimum required for them to
> start and run. We want updates to these jails to be fast and we want disk
> usage (and install time) to be low. In such a jail, I want a shell, the
> parts of sbin needed to do network setup, the libraries that these ports
> depend on, *and nothing else*. We?re still a way away from doing that.

Would be great to be able to do this via something like 'make
installworld -DMINJAIL DESTDIR=...' and end-up with a bare-bones, secure
jail.  We've done something like that in the past by:

Roger


chroot $jail && rm -rf \
  /media /mnt /modules /proc /rescue /boot /cdrom /usr/src /usr/obj /bin/chio /bin/rcp
  /bin/rmail /etc/amd.map /etc/apmd.conf /etc/bluetooth /etc/bluetooth/
  /etc/defaults/bluetooth.device.conf /etc/defaults/devfs.rules
  /etc/defaults/pccard.conf /etc/devd.conf /etc/devfs.conf /etc/dhclient.conf
  /etc/disktab /etc/hosts.lpd /etc/isdn/ /etc/namedb /etc/nsmb.conf /etc/ntp
  /etc/pccard_ether /etc/pf.conf /etc/pf.os /etc/phones /etc/ppp /etc/ppp/
  /etc/printcap /etc/rc.firewall /etc/rc.firewall6 /etc/rc.initdiskless /etc/rc.resume
  /etc/rc.suspend /etc/remote /etc/rmt /etc/security /etc/usbd.conf /kernel.GENERIC
  /lib/geom/ /lib/libatm.so.2 /lib/libcam.so.2 /lib/libgeom.so.2 /lib/libpcap.so.4
  /sbin/adjkerntz /sbin/atacontrol /sbin/atm /sbin/atmconfig /sbin/badsect
  /sbin/bsdlabel /sbin/camcontrol /sbin/ccdconfig /sbin/clri /sbin/comcontrol
  /sbin/conscontrol /sbin/devd /sbin/devfs /sbin/dhclient /sbin/dhclient-script
  /sbin/disklabel /sbin/dmesg /sbin/dump /sbin/dumpfs /sbin/dumpon /sbin/fastboot
  /sbin/fasthalt /sbin/fdisk /sbin/ffsinfo /sbin/fore_dnld /sbin/fsck
  /sbin/fsck_4.2bsd /sbin/fsck_ffs /sbin/fsck_msdosfs /sbin/fsck_ufs /sbin/fsdb
  /sbin/fsirand /sbin/g* /sbin/gbde /sbin/gcache /sbin/gconcat /sbin/geli /sbin/geom
  /sbin/ggatec /sbin/ggated /sbin/ggatel /sbin/gjournal /sbin/glabel /sbin/gmirror
  /sbin/gmultipath /sbin/gnop /sbin/gpart /sbin/graid /sbin/graid3 /sbin/growfs
  /sbin/gsched /sbin/gshsec /sbin/gstripe /sbin/gvinum /sbin/gvirstor /sbin/halt
  /sbin/ilmid /sbin/init /sbin/ip6fw /sbin/ipf /sbin/ipfs /sbin/ipfstat /sbin/ipftest
  /sbin/ipfw /sbin/ipmon /sbin/ipnat /sbin/ippool /sbin/ipresend /sbin/kldconfig
  /sbin/kldload /sbin/kldstat /sbin/kldunload /sbin/mdconfig /sbin/mdmfs /sbin/mknod
  /sbin/mksnap_ffs /sbin/mount /sbin/mount_cd9660 /sbin/mount_devfs /sbin/mount_ext2fs
  /sbin/mount_fdescfs /sbin/mount_linprocfs /sbin/mount_linsysfs /sbin/mount_mfs
  /sbin/mount_msdosfs /sbin/mount_nfs /sbin/mount_nfs4 /sbin/mount_ntfs
  /sbin/mount_nullfs /sbin/mount_procfs /sbin/mount_reiserfs /sbin/mount_std
  /sbin/mount_udf /sbin/mount_umapfs /sbin/mount_unionfs /sbin/natd /sbin/newfs
  /sbin/newfs_msdos /sbin/nextboot /sbin/nfsiod /sbin/nos-tun /sbin/pfctl /sbin/pflogd
  /sbin/ping /sbin/ping6 /sbin/poweroff /sbin/quotacheck /sbin/raidctl /sbin/rdump
  /sbin/reboot /sbin/restore /sbin/route /sbin/routed /sbin/rrestore /sbin/rtquery
  /sbin/rtsol /sbin/savecore /sbin/sconfig /sbin/setkey /sbin/shutdown /sbin/slattach
  /sbin/spppcontrol /sbin/startslip /sbin/sunlabel /sbin/swapctl /sbin/swapoff
  /sbin/swapon /sbin/tunefs /sbin/umount /usr/bin/bthost /usr/bin/btsockstat
  /usr/bin/ftp /usr/bin/lastcomm /usr/bin/lp /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm
  /usr/bin/lsvfs /usr/bin/mt /usr/bin/ncplist /usr/bin/ncplogin /usr/bin/ncplogout
  /usr/bin/nfsstat /usr/bin/pawd /usr/bin/pr /usr/bin/quota /usr/bin/rfcomm_spdd
  /usr/bin/scp /usr/bin/sftp /usr/bin/showmount /usr/bin/sscop /usr/bin/stdbuf
  /usr/bin/tcopy /usr/bin/tip /usr/bin/truss /usr/bin/usbhidaction /usr/bin/usbhidctl
  /usr/bin/vmstat /usr/bin/wall /usr/bin/write /usr/bin/yp* /usr/bin/ypchfn
  /usr/bin/ypchpass /usr/bin/ypchsh /usr/bin/yppasswd /usr/games/ /usr/include/altq/
  /usr/include/bluetooth.h /usr/include/bsm/ /usr/include/cam/ /usr/include/camlib.h
  /usr/include/dev/ /usr/include/fs/ /usr/include/geom/ /usr/include/isofs/
  /usr/include/libatm.h /usr/include/libgeom.h /usr/include/libufs.h
  /usr/include/net80211/ /usr/include/netatalk/ /usr/include/netatm/
  /usr/include/netnatm/ /usr/include/netncp/ /usr/include/pcap-int.h
  /usr/include/pcap-namedb.h /usr/include/pcap.h /usr/include/pccard/
  /usr/include/ufs/ /usr/lib/libatm.a /usr/lib/libatm.so /usr/lib/libatm_p.so
  /usr/lib/libbluetooth.a /usr/lib/libbluetooth.so /usr/lib/libbluetooth.so.2
  /usr/lib/libbluetooth_p.a /usr/lib/libbluetooth_p.so /usr/lib/libcam.a
  /usr/lib/libcam.so /usr/lib/libcam_p.a /usr/lib/libgeom.a /usr/lib/libgeom.so
  /usr/lib/libgeom_p.a /usr/lib/libncp.a /usr/lib/libncp.so /usr/lib/libncp.so.2
  /usr/lib/libncp_p.a /usr/lib/libngatm.a /usr/lib/libngatm.so /usr/lib/libngatm.so.2
  /usr/lib/libngatm_p.a /usr/lib/libpcap.a /usr/lib/libpcap.so /usr/lib/libpcap_p.a
  /usr/lib/libusbhid.a /usr/lib/libusbhid.so /usr/lib/libusbhid.so.1
  /usr/lib/libusbhid_p.a /usr/lib/libvgl.a /usr/lib/libvgl.so /usr/lib/libvgl.so.4
  /usr/lib/libvgl_p.a /usr/lib/snmp_atm.so /usr/lib/snmp_atm.so.4 /usr/lib/snmp_pf.so
  /usr/lib/snmp_pf.so.4 /usr/libexec/bootpd /usr/libexec/bootpgw /usr/libexec/lpr
  /usr/libexec/ntalkd /usr/libexec/pppoed /usr/libexec/rbootd /usr/libexec/rpc.rquotad
  /usr/libexec/rpc.rstatd /usr/libexec/rpc.ruserd /usr/libexec/rpc.rwalld
  /usr/libexec/rpc.sprayd /usr/libexec/sendmail /usr/sbin/IPXrouted /usr/sbin/ac
  /usr/sbin/accton /usr/sbin/acpiconf /usr/sbin/acpidb /usr/sbin/acpidump
  /usr/sbin/amd /usr/sbin/amq /usr/sbin/ancontrol /usr/sbin/apm /usr/sbin/apmd
  /usr/sbin/arlcontrol /usr/sbin/arp /usr/sbin/asf /usr/sbin/ath3kfw /usr/sbin/atmarpd
  /usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/authpf
  /usr/sbin/bcmfw /usr/sbin/boot0cfg /usr/sbin/bootparamd /usr/sbin/bootpef
  /usr/sbin/bootptest /usr/sbin/bt3cfw /usr/sbin/bthidcontrol /usr/sbin/bthidd
  /usr/sbin/btxld /usr/sbin/burncd /usr/sbin/callbootd /usr/sbin/cdcontrol
  /usr/sbin/config /usr/sbin/dconschat /usr/sbin/digictl /usr/sbin/diskinfo
  /usr/sbin/dtmfdecode /usr/sbin/dtruss /usr/sbin/edquota /usr/sbin/faithd
  /usr/sbin/fdcontrol /usr/sbin/fdformat /usr/sbin/fdread /usr/sbin/fdwrite
  /usr/sbin/fixmount /usr/sbin/flowctl /usr/sbin/fsinfo /usr/sbin/fwcontrol
  /usr/sbin/gstat /usr/sbin/hccontrol /usr/sbin/hcsecd /usr/sbin/hcseriald
  /usr/sbin/hlfsd /usr/sbin/hostapd /usr/sbin/hostapd_cli /usr/sbin/iasl
  /usr/sbin/ifmcstat /usr/sbin/ip6addrctl /usr/sbin/ipftest /usr/sbin/ipresend
  /usr/sbin/ipsend /usr/sbin/iptest /usr/sbin/isdnd /usr/sbin/isdndebug
  /usr/sbin/isdndecode /usr/sbin/isdnmonitor /usr/sbin/isdnphone /usr/sbin/isdntel
  /usr/sbin/isdntellctl /usr/sbin/isdntrace /usr/sbin/ispcvt /usr/sbin/jail
  /usr/sbin/jexec /usr/sbin/jls /usr/sbin/kbdcontrol /usr/sbin/kbdmap /usr/sbin/kernbb
  /usr/sbin/kgmon /usr/sbin/kgzip /usr/sbin/kldxref /usr/sbin/l2control
  /usr/sbin/l2ping /usr/sbin/lpc /usr/sbin/lpd /usr/sbin/lptcontrol /usr/sbin/lptest
  /usr/sbin/mailwrapper /usr/sbin/map-mbone /usr/sbin/memcontrol /usr/sbin/mixer
  /usr/sbin/mk-amd-map /usr/sbin/mld6query /usr/sbin/mlxcontrol /usr/sbin/mount_nwfs
  /usr/sbin/mount_portalfs /usr/sbin/mount_smbfs /usr/sbin/mountd /usr/sbin/moused
  /usr/sbin/mptable /usr/sbin/mrinfo /usr/sbin/mrouted /usr/sbin/mtest
  /usr/sbin/mtrace /usr/sbin/ndis_events /usr/sbin/ndiscvt /usr/sbin/ndisgen
  /usr/sbin/ndp /usr/sbin/nfsd /usr/sbin/ngctl /usr/sbin/nghook /usr/sbin/ntpdate
  /usr/sbin/pcardc /usr/sbin/pcardd /usr/sbin/pciconf /usr/sbin/pkg
  /usr/sbin/pmccontrol /usr/sbin/pmcstat /usr/sbin/pnpinfo /usr/sbin/powerd
  /usr/sbin/ppp /usr/sbin/pppctl /usr/sbin/pppd /usr/sbin/pppstats /usr/sbin/praudit
  /usr/sbin/procctl /usr/sbin/pstat /usr/sbin/quot /usr/sbin/quotaoff
  /usr/sbin/quotaon /usr/sbin/rarpd /usr/sbin/raycontrol /usr/sbin/reqquota
  /usr/sbin/rfcomm_pppd /usr/sbin/rip6query /usr/sbin/rmt /usr/sbin/route6d
  /usr/sbin/rpc.lockd /usr/sbin/rpc.statd /usr/sbin/rpc.umntall
  /usr/sbin/rpc.yppasswdd /usr/sbin/rpc.ypupdated /usr/sbin/rpc.ypxfrd
  /usr/sbin/rrenumd /usr/sbin/rtadvctl /usr/sbin/rtadvd /usr/sbin/rtprio
  /usr/sbin/rtsold /usr/sbin/sa /usr/sbin/sade /usr/sbin/scon /usr/sbin/scspd
  /usr/sbin/sdpcontrol /usr/sbin/sdpd /usr/sbin/sicontrol /usr/sbin/sliplogin
  /usr/sbin/slstat /usr/sbin/snapinfo /usr/sbin/spkrtest /usr/sbin/spray
  /usr/sbin/swapinfo /usr/sbin/sysinstall /usr/sbin/tcpdrop /usr/sbin/tcpdump
  /usr/sbin/tcpslice /usr/sbin/timedc /usr/sbin/traceroute /usr/sbin/traceroute6
  /usr/sbin/trpt /usr/sbin/usbd /usr/sbin/usbdevs /usr/sbin/usbdump
  /usr/sbin/vidcontrol /usr/sbin/vidfont /usr/sbin/vnconfig /usr/sbin/watchdog
  /usr/sbin/watchdogd /usr/sbin/wicontrol /usr/sbin/wire-test /usr/sbin/wlconfig
  /usr/sbin/wpa_cli /usr/sbin/wpa_supplicant /usr/sbin/zhack /usr/sbin/zzz
  /usr/share/doc/ /usr/share/examples/ /usr/share/games/ /usr/share/info/
  /usr/share/isdn/ /usr/share/man /usr/share/misc/fonts/ /usr/share/misc/keycap.pcvt
  /usr/share/misc/pci_vendors /usr/share/misc/pcvtfonts/ /usr/share/misc/scsi_modes
  /usr/share/misc/usb_hid_usages /usr/share/misc/windrv_stub.c /usr/share/pcvt/
  /usr/share/syscons/ /var/account/ /var/db/ipf/ /var/games/ usr/libexec/lpr
  usr/libexec/sftp-server
Received on Tue Mar 08 2016 - 17:24:22 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:03 UTC