FreeBSD 8: Jail custom world src.conf

Hi my friends, I have started working with jails; I already have 3 running. My goal is to have www, spam, mail, dns (bind) on each one.

Now, there is the file src.conf, where I can remove parts of the whole system. I want to remove as much code as possible (for security reasons) to have just what I need for my jails.

I would like to know if my src.conf is good, or if I forgot to add something, or maybe I exaggerated with my file. Any comments and recommendations will be very much appreciated:

Code:
WITHOUT_APM="yes"  
WITHOUT_ATM="yes"
WITHOUT_ASSERT_DEBUG="yes"
WITHOUT_AT="yes"
WITHOUT_AUTHPF="yes"
WITHOUT_BIND="yes"
WITHOUT_BLUETOOTH="yes"
WITHOUT_BOOT="yes"
WITHOUT_CALENDAR="yes"
WITHOUT_CDDL="yes"
WITHOUT_CVS="yes"
WITHOUT_DICT="yes"
WITHOUT_EXAMPLES="yes"
WITHOUT_FLOPPY="yes"
WITHOUT_FREEBSD_UPDATE="yes"
WITHOUT_GAMES="yes"
WITHOUT_GPIB="yes"
WITHOUT_GSSAPI="yes"
WITHOUT_INET6="yes"
WITHOUT_HTML="yes"
WITHOUT_IPFILTER="yes"
WITHOUT_IPFW="yes"
WITHOUT_IPX="yes"
WITHOUT_JAIL="yes"
WITHOUT_KERBEROS="yes"
WITHOUT_KVM="yes"
WITHOUT_LPR="yes"
WITHOUT_MAILWRAPPER="yes"
WITHOUT_MAN="yes"
WITHOUT_NDIS="yes"
WITHOUT_NIS="yes"
WITHOUT_PF="yes"
WITHOUT_PPP="yes"
WITHOUT_PMC="yes"
WITHOUT_PROFILE="yes"
WITHOUT_QUOTAS="yes"
WITHOUT_RCMDS="yes"
WITHOUT_RCS="yes"
WITHOUT_SENDMAIL="yes"
WITHOUT_SHAREDOCS="yes"
WITHOUT_SYSCONS="yes"
WITHOUT_SYSINSTALL="yes"
WITHOUT_TELNET="yes"
WITHOUT_USB="yes"
WITHOUT_WIRELESS="yes"
WITHOUT_WPA_SUPPLICANT_EAPOL="yes"

For my dns server I would just remove:

Code:
WITHOUT_BIND="yes"

Do I need something more for bind?

Running FreeBSD 8.x, thanks all for your time!!! :)
 
It's easier to start with a "fat" jail, then remove options until it breaks.
 
That is what I have been doing these days; I was just wondering if someone has experience and maybe could give me some tips about which options in src.conf could affect services like:

postfix, dovecot, apache22, mysql, spam.

Thanks!!!
 
Here's what I use; I saved it as /etc/src.conf.internetz

Code:
#WITHOUT_ACPI=       true    # do not build acpiconf(8) and related programs
WITHOUT_BOOT=       true    # do not build boot blocks and loader
WITHOUT_BLUETOOTH=  true    # do not build Bluetooth related stuff
WITHOUT_FORTRAN=    true    # do not build g77 and related libraries
WITHOUT_GDB=        true    # do not build GDB
WITHOUT_GPIB=       true    # do not build GPIB support
WITHOUT_I4B=        true    # do not build isdn4bsd package
WITHOUT_IPFILTER=   true    # do not build IP Filter package
WITHOUT_PF=         true    # do not build PF firewall package
WITHOUT_AUTHPF=     true    # do not build and install authpf (setuid/gid)
#WITHOUT_KERBEROS=   true    # do not build and install Kerberos 5 (KTH Heimdal)
WITHOUT_LPR=        true    # do not build lpr and related programs
WITHOUT_MAILWRAPPER=true    # do not build the mailwrapper(8) MTA selector
WITHOUT_MODULES=    true    # do not build modules with the kernel
WITHOUT_SHAREDOCS=  true    # do not build the 4.4BSD legacy docs
WITHOUT_NETCAT=     true    # do not build netcat
#WITHOUT_NIS=        true    # do not build NIS support and related programs
WITHOUT_SENDMAIL=   true    # do not build sendmail and related programs
#WITHOUT_USB=        true    # do not build usbd(8) and related programs
WITHOUT_VINUM=      true    # do not build Vinum utilities
WITHOUT_ATM=        true    # do not build ATM related programs and libraries
#WITHOUT_CRYPT=      true    # do not build any crypto code
WITHOUT_GAMES=      true    # do not build games (games/ subdir)
#WITHOUT_INFO=       true    # do not make or install info files
WITHOUT_MAN=        true    # do not build manual pages
WITHOUT_PROFILE=    true    # Avoid compiling profiled libraries

# BIND OPTIONS
WITHOUT_BIND=               true    # Do not build any part of BIND
WITHOUT_BIND_DNSSEC=        true    # Do not build dnssec-keygen, dnssec-signzone
WITHOUT_BIND_ETC=           true    # Do not install files to /etc/namedb
#WITHOUT_BIND_LIBS_LWRES=    true    # Do not install the lwres library
WITHOUT_BIND_MTREE=         true    # Do not run mtree to create chroot directories
WITHOUT_BIND_NAMED=         true    # Do not build named, rndc, lwresd, etc.

There's probably more to remove, but this seems to work fine. Use it like:
Code:
# cd /usr/src && make installworld DESTDIR=/jail/j1/ SRCCONF=/etc/src.conf.internetz
 
Good, I see that I can remove more code here. Is your file for FBSD 8? I see some options that I don't remember from the src.conf man page.

Thanks!!!
 
Yes, I'm running 8-stable. There might be some things left over from 7-stable though. I haven't looked at it after the upgrade. Everything seems to work just fine.
 
Here's what I use for my jails.
Currently I have no problems.
Code:
# This is src.conf for jails
WITHOUT_ACCT="YES"					# ok
WITHOUT_ACPI="YES"					# ok
WITHOUT_AMD="YES"					# ok
WITHOUT_APM="YES"					# ok
WITHOUT_ASSERT_DEBUG="YES"				# ok
WITHOUT_AT="YES"					# ok
WITHOUT_ATM="YES"					# ok
WITHOUT_AUDIT="YES"					# ok
WITHOUT_AUTHPF="YES"					# ok
WITHOUT_BIND="YES"					# ok
WITHOUT_BIND_DNSSEC="YES"				# ok
WITHOUT_BIND_ETC="YES"					# ok
WITHOUT_BIND_LIBS_LWRES="YES"				# ok
WITHOUT_BIND_MTREE="YES"				# ok
WITHOUT_BIND_NAMED="YES"				# ok
WITHOUT_BIND_UTILS="YES"				# ok
WITHOUT_BLUETOOTH="YES"					# ok
WITHOUT_BOOT="YES"					# ok
WITHOUT_BSD_CPIO="YES"					# ok
WITHOUT_BSNMP="YES"					# ok
# WITHOUT_BZIP2="YES"					# ok
WITHOUT_CALENDAR="YES"					# ok
WITHOUT_CDDL="YES"					# ok
# WITHOUT_CPP="YES"					# ok
# WITHOUT_CRYPT="YES"					# ok, if uncommented no openssl and no openssh
WITHOUT_CTM="YES"					# ok
WITHOUT_CVS="YES"					# ok
# WITHOUT_CXX="YES"					# ok
WITHOUT_DICT="YES"					# ok
# WITHOUT_DYNAMICROOT="YES"				# ok
WITHOUT_EXAMPLES="YES"					# ok
WITHOUT_FLOPPY="YES"					# ok
WITHOUT_FORTH="YES"					# ok
# WITHOUT_FP_LIBC="YES"					# ok
WITHOUT_FREEBSD_UPDATE="YES"				# ok
WITHOUT_GAMES="YES"					# ok
# WITHOUT_GCOV="YES"					# ok
WITHOUT_GDB="YES"					# ok
# WITHOUT_GNU="YES"					# ok
# WITHOUT_GNU_GREP="YES"				# ok
WITHOUT_GPIB="YES"					# ok
# WITHOUT_GROFF="YES"					# pl
WITHOUT_GSSAPI="YES"					# ok
WITHOUT_HTML="YES"					# ok
# WITH_IDEA="YES"					# might be illegal to use
WITHOUT_INET6="YES"					# ok
# WITHOUT_INFO="YES"					# Some ports fail to build without
# WITHOUT_INSTALLLIB="YES"				# fails to build if uncommented
WITHOUT_IPFILTER="YES"					# ok
WITHOUT_IPFW="YES"					# ok
WITHOUT_IPX="YES"					# ok
WITHOUT_JAIL="YES"					# ok
WITHOUT_KERBEROS="YES"					# ok
WITHOUT_KVM="YES"					# ok
WITHOUT_LEGACY_CONSOLE="YES"				# ok
WITHOUT_LIB32="YES"					# ok so far, fails to build if selected, don't know why
# WITHOUT_LIBPTHREAD="YES"				# ok. seems that this can be removed, but ....
# WITHOUT_LIBTHR="YES"					# ok. seems that this can be removed, but ....
# WITHOUT_LOCALES="YES"					# ok
WITHOUT_LOCATE="YES"					# ok
WITHOUT_LPR="YES"					# ok
# WITHOUT_MAIL="YES"					# ok
WITHOUT_MAILWRAPPER="YES"				# ok, at least it seems so
# WITHOUT_MAKE="YES"					# ok
WITHOUT_MAN="YES"					# ok
WITHOUT_NCP="YES"					# ok
WITHOUT_NDIS="YES"					# ok
WITHOUT_NETCAT="YES"					# ok
# WITHOUT_NETGRAPH="YES"				# ok		???
WITHOUT_NIS="YES"					# ok
WITHOUT_NLS="YES"					# ok
WITHOUT_NLS_CATALOGS="YES"				# ok
WITHOUT_NS_CACHING="YES"				# ok
WITHOUT_NTP="YES"					# ok
# WITHOUT_OBJC="YES"					# ok
# WITHOUT_OPENSSH="YES"					# ok
# WITHOUT_OPENSSL="YES"					# ok
# WITHOUT_PAM="YES"					# ok
WITHOUT_PF="YES"					# ok
# WITHOUT_PKGTOOLS="YES"				# ok
WITHOUT_PMC="YES"					# ok
WITHOUT_PORTSNAP="YES"					# ok
WITHOUT_PPP="YES"					# ok
WITHOUT_PROFILE="YES"					# ok
WITHOUT_QUOTAS="YES"					# ok
WITHOUT_RCMDS="YES"					# ok
WITHOUT_RCS="YES"					# ok
WITHOUT_RESCUE="YES"					# ok
WITHOUT_ROUTED="YES"					# ok
WITHOUT_SENDMAIL="YES"					# ok
# WITHOUT_SETUID_LOGIN="YES"				# ok
WITHOUT_SHAREDOCS="YES"					# ok
# WITHOUT_SSP="YES"					# ok, good thing to build
# WITHOUT_SYMVER="YES"					# ok
WITHOUT_SYSCONS="YES"					# ok
WITHOUT_SYSINSTALL="YES"				# ok
# WITHOUT_TCSH="YES"					# ok
WITHOUT_TELNET="YES"					# ok
# WITHOUT_TEXTPROC="YES"				# ok
# WITHOUT_TOOLCHAIN="YES"				# ok
WITHOUT_USB="YES"					# ok
WITHOUT_WIRELESS="YES"					# ok
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"			# ok
WITHOUT_ZFS="YES"					# ok
# WITHOUT_ZONEINFO="YES"				# ok

A fresh jail on ZFS with compression=on takes ~65MB.
 
Cannot install portupgrade / ruby18.

This is my current src.conf for a jail on a server with FreeBSD 8.1 amd64:
Code:
# src for jail
WITHOUT_ACCT="YES"
WITHOUT_ACPI="YES"
WITHOUT_AMD="YES"
WITHOUT_APM="YES"
WITHOUT_ASSERT_DEBUG="YES"
WITHOUT_AT="YES"
WITHOUT_ATM="YES"
WITHOUT_AUDIT="YES"
WITHOUT_AUTHPF="YES"
WITHOUT_BIND_DNSSEC="YES"
WITHOUT_BIND_ETC="YES"  
WITHOUT_BIND_LIBS_LWRES="YES"   
WITHOUT_BIND_MTREE="YES"
WITHOUT_BIND_NAMED="YES"
WITHOUT_BLUETOOTH="YES" 
WITHOUT_BOOT="YES"
WITHOUT_BSD_CPIO="YES"  
WITHOUT_BSNMP="YES"
WITHOUT_CALENDAR="YES"
WITHOUT_CDDL="YES"
WITHOUT_CTM="YES"
WITHOUT_CVS="YES"
WITHOUT_DICT="YES"
WITHOUT_EXAMPLES="YES"  
WITHOUT_FLOPPY="YES"
WITHOUT_FORTH="YES"
WITHOUT_FREEBSD_UPDATE="YES"
WITHOUT_GAMES="YES"
WITHOUT_GDB="YES"
WITHOUT_GPIB="YES"
WITHOUT_GSSAPI="YES"
WITHOUT_HTML="YES"
WITHOUT_INET6="YES"
WITHOUT_IPFILTER="YES"  
WITHOUT_IPFW="YES"
WITHOUT_IPX="YES"
WITHOUT_JAIL="YES"
WITHOUT_KERBEROS="YES"  
WITHOUT_KVM="YES"
WITHOUT_LEGACY_CONSOLE="YES"
WITHOUT_LIB32="YES"
WITHOUT_LPR="YES"
WITHOUT_MAIL="YES"
WITHOUT_MAILWRAPPER="YES"
WITHOUT_MAN="YES"
WITHOUT_NCP="YES"
WITHOUT_NDIS="YES"
WITHOUT_NETCAT="YES"
WITHOUT_NIS="YES"
WITHOUT_NLS="YES"
WITHOUT_NLS_CATALOGS="YES"
WITHOUT_NS_CACHING="YES"
WITHOUT_NTP="YES"
WITHOUT_PF="YES"
WITHOUT_PMC="YES"
WITHOUT_PPP="YES"
WITHOUT_PROFILE="YES"   
WITHOUT_QUOTAS="YES"
WITHOUT_RCMDS="YES"
WITHOUT_RCS="YES"
WITHOUT_RESCUE="YES"
WITHOUT_ROUTED="YES"
WITHOUT_SENDMAIL="YES"  
WITHOUT_SHAREDOCS="YES" 
WITHOUT_SYSCONS="YES"   
WITHOUT_SYSINSTALL="YES"
WITHOUT_TELNET="YES"
WITHOUT_USB="YES"
WITHOUT_WIRELESS="YES"  
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"
WITHOUT_ZFS="YES"


WITHOUT_MAIL is causing problems, since it is not installing fmt; also ruby18 exists when installing the port. Any idea of what to remove or add to fix the problem?
 
Solved by removing WITHOUT_BSD_CPIO="YES".

Fixed by removing this line: WITHOUT_BSD_CPIO="YES"

nbari said:
WITHOUT_MAIL is causing problems, since it is not installing fmt; also ruby18 exists when installing the port. Any idea of what to remove or add to fix the problem?
 
Hi All,

Thanks for the information. I'm using information from here to build my minimum jails for some applications. But a recent update gives me a weird issue.

After I run make buildworld and then make installworld DESTDIR=<jail mroot> SRCCONF=/root/src.conf.internetz, pam_unix.so has a missing dependent file.

ldd /usr/lib/pam_unix.so
Code:
pam_unix.so:
	libutil.so.8 => /lib/libutil.so.8 (0x800c00000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x800d10000)
	libypclnt.so.4 => /usr/lib/libypclnt.so.4 (0x800e29000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x800f2e000)
	libc.so.7 => /lib/libc.so.7 (0x800647000)

But with
Code:
WITHOUT_NIS="YES"
it will not install /usr/lib/libypclnt.so.4. Any idea?

Thanks

Noodle
 
Looks like a full buildworld but an installworld without NIS will give this issue. I rebuilt with the same src.conf and installed it. Even from outside the jail, it still shows a dependency on libypclnt.so.4, but it doesn't show inside the jail, and the jail works fine now.
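To catch knobs like these before running installworld, here is a small src.conf linter, added as an example and not code from the thread or from FreeBSD. It parses the two spellings posted above (WITHOUT_X="yes" and the older NO_X=true form, which a later reply says still works), flags the knobs posters in this thread reported as breaking a jail (WITHOUT_BSD_CPIO, WITHOUT_MAIL, WITHOUT_NIS, WITHOUT_CRYPT), warns when a knob removes what the jail is for (the dns and mail profiles are assumptions), and points out that a WITHOUT_ knob set to "NO" still disables the component, because src.conf(5) ignores the value.

```python
import re

# Knob lines in the thread come as WITHOUT_X="yes", WITHOUT_X= true # comment,
# or the older NO_X=true make.conf spelling; '#' starts a comment.
KNOB_RE = re.compile(r'^\s*(WITHOUT_|WITH_|NO_)([A-Z0-9_]+)\s*=\s*(.*?)\s*$')

# Knobs that posters in this thread reported as breaking something in a jail.
KNOWN_BREAKAGE = {
    "WITHOUT_BSD_CPIO": "portupgrade / ruby18 port would not install",
    "WITHOUT_MAIL": "fmt(1) is not installed, so some ports fail",
    "WITHOUT_NIS": "pam_unix.so still wants libypclnt.so.4, which is not installed",
    "WITHOUT_CRYPT": "no OpenSSL and no OpenSSH in the jail",
}
# Knobs that strip out the very service a jail exists to run (assumed profiles).
SERVICE_CONFLICTS = {
    "dns": {"WITHOUT_BIND", "WITHOUT_BIND_NAMED", "WITHOUT_BIND_ETC", "WITHOUT_BIND_MTREE"},
    "mail": {"WITHOUT_MAIL"},
}
# Constructed sample for a dns jail, not a file from the thread.
SAMPLE = '''WITHOUT_BIND_NAMED="YES"
WITHOUT_BSD_CPIO=   true    # do not build BSD cpio
WITHOUT_SSP="NO"
NO_NIS=true
# WITHOUT_MAIL="YES"
'''

def parse_src_conf(text):
    """Return {knob: value} for active knob lines, NO_X normalised to WITHOUT_X."""
    knobs = {}
    for raw in text.splitlines():
        m = KNOB_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        prefix, name, value = m.groups()
        knob = ("WITHOUT_" if prefix == "NO_" else prefix) + name
        knobs[knob] = value.strip('"\'').lower()
    return knobs

def lint(text, service=None):
    """Warn about knobs this thread found harmful, knobs that conflict with the jail's
    purpose, and 'off'-looking values: src.conf(5) ignores the value, so a defined
    WITHOUT_X disables X regardless."""
    warnings = []
    for knob, value in parse_src_conf(text).items():
        if knob.startswith("WITHOUT_") and value in ("no", "false", "0"):
            warnings.append(f"{knob}={value}: value is ignored, still disables it")
        if knob in KNOWN_BREAKAGE:
            warnings.append(f"{knob}: {KNOWN_BREAKAGE[knob]}")
        if knob in SERVICE_CONFLICTS.get(service, set()):
            warnings.append(f"{knob}: removes what the {service} jail needs")
    return warnings
```

Run lint(open("/etc/src.conf").read(), "dns") on the build host before installworld; an empty list means none of the knobs this thread tripped over are present.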
 
My /etc/jail.make.conf that worked with apache / postfix and other internet servers:
Code:
NO_ACPI=true # do not build acpiconf(8) and related programs
NO_ATM=true # do not build ATM related programs and libraries
NO_AUTHPF=true # do not build and install authpf (setuid/gid)
NO_BLUETOOTH=true # do not build Bluetooth related stuff
NO_BOOT=true # do not build boot blocks and loader
NO_CVS= # do not build CVS
NO_FORTRAN=true # do not build g77 and related libraries
NO_GAMES=true # do not build games (games/ subdir)
NO_GDB=true # do not build GDB
NO_GPIB=true # do not build GPIB support
NO_I4B=true # do not build isdn4bsd package
#NO_INFO=true # do not make or install info files
NO_IPFILTER=true # do not build IP Filter package
NO_KERBEROS=true # do not build and install Kerberos 5 (KTH Heimdal)
NO_LPR=true # do not build lpr and related programs
NO_MAN=true # do not build manual pages
NO_MODULES=true # do not build modules with the kernel
NO_NETCAT=true # do not build netcat
NO_NIS=true # do not build NIS support and related programs.
NO_NLS_CATALOGS= # do not build NLS catalog support for csh(1)
NO_OBJC=true # do not build Objective C support
NO_OPENSSH=true # do not build OpenSSH
NO_PF=true # do not build PF firewall package
NO_PROFILE=true # Avoid compiling profiled libraries
NO_RCMDS=true # do not build or install BSD r* commands (rsh, etc).
NO_SENDMAIL=true # do not build sendmail and related programs
NO_SHAREDOCS=true # do not build the 4.4BSD legacy docs
NO_USB=true # do not build usbd(8) and related programs
PPP_NO_NAT=true # do not build with NAT support (see make.conf(5))
PPP_NO_NETGRAPH=true # do not build with Netgraph support
PPP_NO_RADIUS=true # do not build with RADIUS support
PPP_NO_SUID=true # build with normal permissions
#NO_BIND= # Do not build any part of BIND
NO_BIND_DNSSEC=true # Do not build dnssec-keygen, dnssec-signzone
NO_BIND_ETC=true # Do not install files to /etc/namedb
NO_BIND_LIBS_LWRES=true # Do not install the lwres library
NO_BIND_MTREE=true # Do not run mtree to create chroot directories
NO_BIND_NAMED=true # Do not build named, rndc, lwresd, etc.
#NO_BIND_UTILS= # Do not build dig, host, nslookup, nsupdate
WITH_BIND_LIBS= # Install the BIND libs and include files
NO_NCP=true
NO_NS_CACHING=true
NO_RCMDS=true
NO_RCS=true
NO_RESCUE=true
NO_SETUID_LOGIN=true
NO_SHAREDOCS=true
NO_WPA_SUPPLICANT_EAPOL=true
NO_ZFS=true
NO_SYSCONS=true
NO_ASSERT_DEBUG=true
NO_CALENDAR=true
NO_CDDL=true
NO_HTML=true

Pass it as:
Code:
# set $D first ;)
make world DESTDIR=$D __MAKE_CONF=/etc/jail.make.conf
make distribution DESTDIR=$D __MAKE_CONF=/etc/jail.make.conf
 
It should still work but I don't think it's a good idea to suggest it to new users.
 
Agreed, but what if you need different type of personality jails (e.g., network server only or desktop only)? You can always use jail.desktop.conf and jail.network.server.conf file without messing with a single file.
 