FreeBSD 8: Jail custom world src.conf

[klabacita]

Hi my friends, I start working with jails, I have already 3 running, my goal is to have www, spam, mail, dns(bind) on each one.

Now, exist the file src.conf where I can remove parts of the whole system, I want to remove the most code as possible(security reasons) to have just what I need for my jails.

I would like to know if my src.conf is good or I forget to add something or maybe I exaggerate with my file, any comments and recommendation will be very appreciated:

WITHOUT_APM="yes"  
WITHOUT_ATM="yes"
WITHOUT_ASSERT_DEBUG="yes"
WITHOUT_AT="yes"
WITHOUT_AUTHPF="yes"
WITHOUT_BIND="yes"
WITHOUT_BLUETOOTH="yes"
WITHOUT_BOOT="yes"
WITHOUT_CALENDAR="yes"
WITHOUT_CDDL="yes"
WITHOUT_CVS="yes"
WITHOUT_DICT="yes"
WITHOUT_EXAMPLES="yes"
WITHOUT_FLOPPY="yes"
WITHOUT_FREEBSD_UPDATE="yes"
WITHOUT_GAMES="yes"
WITHOUT_GPIB="yes"
WITHOUT_GSSAPI="yes"
WITHOUT_INET6="yes"
WITHOUT_HTML="yes"
WITHOUT_IPFILTER="yes"
WITHOUT_IPFW="yes"
WITHOUT_IPX="yes"
WITHOUT_JAIL="yes"
WITHOUT_KERBEROS="yes"
WITHOUT_KVM="yes"
WITHOUT_LPR="yes"
WITHOUT_MAILWRAPPER="yes"
WITHOUT_MAN="yes"
WITHOUT_NDIS="yes"
WITHOUT_NIS="yes"
WITHOUT_PF="yes"
WITHOUT_PPP="yes"
WITHOUT_PMC="yes"
WITHOUT_PROFILE="yes"
WITHOUT_QUOTAS="yes"
WITHOUT_RCMDS="yes"
WITHOUT_RCS="yes"
WITHOUT_SENDMAIL="yes"
WITHOUT_SHAREDOCS="yes"
WITHOUT_SYSCONS="yes"
WITHOUT_SYSINSTALL="yes"
WITHOUT_TELNET="yes"
WITHOUT_USB="yes"
WITHOUT_WIRELESS="yes"
WITHOUT_WPA_SUPPLICANT_EAPOL="yes"

For my dns server I would just remove:

WITHOUT_BIND="yes"

Do I need something more for bind?

Running FreeBSD 8.x, thanks all for your time!!!

 

[SirDice]

It's easier to start with a "fat" jail, then remove options until it breaks.

 

[klabacita]

Is what I had been doing this days, just wondering if someone have experienced and maybe give me some tips about what options in src.conf could affect some service like:

postfix, dovecot, apache22, mysql, spam.

Thanks!!!

 

[SirDice]

Here's what I use, I saved it as /etc/src.conf.internetz

#WITHOUT_ACPI=       true    # do not build acpiconf(8) and related programs
WITHOUT_BOOT=       true    # do not build boot blocks and loader
WITHOUT_BLUETOOTH=  true    # do not build Bluetooth related stuff
WITHOUT_FORTRAN=    true    # do not build g77 and related libraries
WITHOUT_GDB=        true    # do not build GDB
WITHOUT_GPIB=       true    # do not build GPIB support
WITHOUT_I4B=        true    # do not build isdn4bsd package
WITHOUT_IPFILTER=   true    # do not build IP Filter package
WITHOUT_PF=         true    # do not build PF firewall package
WITHOUT_AUTHPF=     true    # do not build and install authpf (setuid/gid)
#WITHOUT_KERBEROS=   true    # do not build and install Kerberos 5 (KTH Heimdal)
WITHOUT_LPR=        true    # do not build lpr and related programs
WITHOUT_MAILWRAPPER=true    # do not build the mailwrapper(8) MTA selector
WITHOUT_MODULES=    true    # do not build modules with the kernel
WITHOUT_SHAREDOCS=  true    # do not build the 4.4BSD legacy docs
WITHOUT_NETCAT=     true    # do not build netcat
#WITHOUT_NIS=        true    # do not build NIS support and related programs
WITHOUT_SENDMAIL=   true    # do not build sendmail and related programs
#WITHOUT_USB=        true    # do not build usbd(8) and related programs
WITHOUT_VINUM=      true    # do not build Vinum utilities
WITHOUT_ATM=        true    # do not build ATM related programs and libraries
#WITHOUT_CRYPT=      true    # do not build any crypto code
WITHOUT_GAMES=      true    # do not build games (games/ subdir)
#WITHOUT_INFO=       true    # do not make or install info files
WITHOUT_MAN=        true    # do not build manual pages
WITHOUT_PROFILE=    true    # Avoid compiling profiled libraries

# BIND OPTIONS
WITHOUT_BIND=               true    # Do not build any part of BIND
WITHOUT_BIND_DNSSEC=        true    # Do not build dnssec-keygen, dnssec-signzone
WITHOUT_BIND_ETC=           true    # Do not install files to /etc/namedb
#WITHOUT_BIND_LIBS_LWRES=    true    # Do not install the lwres library
WITHOUT_BIND_MTREE=         true    # Do not run mtree to create chroot directories
WITHOUT_BIND_NAMED=         true    # Do not build named, rndc, lwresd, etc.

There's probably more to remove but this seems to work fine. Use it like:
# cd /usr/src && make installworld DESTDIR=/jail/j1/ SRCCONF=/etc/src.conf.internetz

 

[klabacita]

Good I see that I can remove more code here, your file is running FBSD 8? I see some options that don't remember in the man src.conf file.

Thanks!!!

 

[SirDice]

Yes, I'm running 8-stable. There might be some things left over from 7-stable though. I haven't looked at it after the upgrade. Everything seems to work just fine.

 

[graudeejs]

Here's what I use for my jails.
Currently I have no problems

# This is src.conf for jails
WITHOUT_ACCT="YES"					# ok
WITHOUT_ACPI="YES"					# ok
WITHOUT_AMD="YES"					# ok
WITHOUT_APM="YES"					# ok
WITHOUT_ASSERT_DEBUG="YES"				# ok
WITHOUT_AT="YES"					# ok
WITHOUT_ATM="YES"					# ok
WITHOUT_AUDIT="YES"					# ok
WITHOUT_AUTHPF="YES"					# ok
WITHOUT_BIND="YES"					# ok
WITHOUT_BIND_DNSSEC="YES"				# ok
WITHOUT_BIND_ETC="YES"					# ok
WITHOUT_BIND_LIBS_LWRES="YES"				# ok
WITHOUT_BIND_MTREE="YES"				# ok
WITHOUT_BIND_NAMED="YES"				# ok
WITHOUT_BIND_UTILS="YES"				# ok
WITHOUT_BLUETOOTH="YES"					# ok
WITHOUT_BOOT="YES"					# ol
WITHOUT_BSD_CPIO="YES"					# ok
WITHOUT_BSNMP="YES"					# ok
# WITHOUT_BZIP2="YES"					# ok
WITHOUT_CALENDAR="YES"					# ok
WITHOUT_CDDL="YES"					# ok
# WITHOUT_CPP="YES"					# ok
# WITHOUT_CRYPT="YES"					# ok, if uncommented no openssl and no openssh
WITHOUT_CTM="YES"					# ok
WITHOUT_CVS="YES"					# ok
# WITHOUT_CXX="YES"					# ok
WITHOUT_DICT="YES"					# ok
# WITHOUT_DYNAMICROOT="YES"				# ok
WITHOUT_EXAMPLES="YES"					# ok
WITHOUT_FLOPPY="YES"					# ok
WITHOUT_FORTH="YES"					# ok
# WITHOUT_FP_LIBC="YES"					# ok
WITHOUT_FREEBSD_UPDATE="YES"				# ok
WITHOUT_GAMES="YES"					# ok
# WITHOUT_GCOV="YES"					# ok
WITHOUT_GDB="YES"					# ok
# WITHOUT_GNU="YES"					# ok
# WITHOUT_GNU_GREP="YES"				# ok
WITHOUT_GPIB="YES"					# ok
# WITHOUT_GROFF="YES"					# pl
WITHOUT_GSSAPI="YES"					# ok
WITHOUT_HTML="YES"					# ok
# WITH_IDEA="YES"					# might be illigal to use
WITHOUT_INET6="YES"					# ok
# WITHOUT_INFO="YES"					# Some ports fail to build without
# WITHOUT_INSTALLLIB="YES"				# fails to build if uncommented
WITHOUT_IPFILTER="YES"					# ok
WITHOUT_IPFW="YES"					# ok
WITHOUT_IPX="YES"					# ok
WITHOUT_JAIL="YES"					# ok
WITHOUT_KERBEROS="YES"					# ok
WITHOUT_KVM="YES"					# ok
WITHOUT_LEGACY_CONSOLE="YES"				# ok
WITHOUT_LIB32="YES"					# ok so far, fails to build if selected, don't know why
# WITHOUT_LIBPTHREAD="YES"				# ok. seams that this can be removed, but ....
# WITHOUT_LIBTHR="YES"					# ok. seams that this can be removed, but ....
# WITHOUT_LOCALES="YES"					# ok
WITHOUT_LOCATE="YES"					# ok
WITHOUT_LPR="YES"					# ok
# WITHOUT_MAIL="YES"					# ok
WITHOUT_MAILWRAPPER="YES"				# ok, at least seams so
# WITHOUT_MAKE="YES"					# ok
WITHOUT_MAN="YES"					# ok
WITHOUT_NCP="YES"					# ok
WITHOUT_NDIS="YES"					# ok
WITHOUT_NETCAT="YES"					# ok
# WITHOUT_NETGRAPH="YES"				# ok		???
WITHOUT_NIS="YES"					# ok
WITHOUT_NLS="YES"					# ok
WITHOUT_NLS_CATALOGS="YES"				# ok
WITHOUT_NS_CACHING="YES"				# ok
WITHOUT_NTP="YES"					# ok
# WITHOUT_OBJC="YES"					# ok
# WITHOUT_OPENSSH="YES"					# ok
# WITHOUT_OPENSSL="YES"					# ok
# WITHOUT_PAM="YES"					# ok
WITHOUT_PF="YES"					# ok
# WITHOUT_PKGTOOLS="YES"				# ok
WITHOUT_PMC="YES"					# ok
WITHOUT_PORTSNAP="YES"					# ok
WITHOUT_PPP="YES"					# ok
WITHOUT_PROFILE="YES"					# ok
WITHOUT_QUOTAS="YES"					# ok
WITHOUT_RCMDS="YES"					# ok
WITHOUT_RCS="YES"					# ok
WITHOUT_RESCUE="YES"					# ok
WITHOUT_ROUTED="YES"					# ok
WITHOUT_SENDMAIL="YES"					# ok
# WITHOUT_SETUID_LOGIN="YES"				# ok
WITHOUT_SHAREDOCS="YES"					# ok
# WITHOUT_SSP="YES"					# ok, good thing to build
# WITHOUT_SYMVER="YES"					# ok
WITHOUT_SYSCONS="YES"					# ok
WITHOUT_SYSINSTALL="YES"				# ok
# WITHOUT_TCSH="YES"					# ok
WITHOUT_TELNET="YES"					# ok
# WITHOUT_TEXTPROC="YES"				# ok
# WITHOUT_TOOLCHAIN="YES"				# ok
WITHOUT_USB="YES"					# ok
WITHOUT_WIRELESS="YES"					# ok
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"			# ok
WITHOUT_ZFS="YES"					# ok
# WITHOUT_ZONEINFO="YES"				# ok

fresh jail on zfs with compression=on takes ~65MB

 

[nbari]

Can not install portupgrade /ruby18

This is my current src.conf for a jail on a server with freebsd 8.1 amd64

# src for jail
WITHOUT_ACCT="YES"
WITHOUT_ACPI="YES"
WITHOUT_AMD="YES"
WITHOUT_APM="YES"
WITHOUT_ASSERT_DEBUG="YES"
WITHOUT_AT="YES"
WITHOUT_ATM="YES"
WITHOUT_AUDIT="YES"
WITHOUT_AUTHPF="YES"
WITHOUT_BIND_DNSSEC="YES"
WITHOUT_BIND_ETC="YES"  
WITHOUT_BIND_LIBS_LWRES="YES"   
WITHOUT_BIND_MTREE="YES"
WITHOUT_BIND_NAMED="YES"
WITHOUT_BLUETOOTH="YES" 
WITHOUT_BOOT="YES"
WITHOUT_BSD_CPIO="YES"  
WITHOUT_BSNMP="YES"
WITHOUT_CALENDAR="YES"
WITHOUT_CDDL="YES"
WITHOUT_CTM="YES"
WITHOUT_CVS="YES"
WITHOUT_DICT="YES"
WITHOUT_EXAMPLES="YES"  
WITHOUT_FLOPPY="YES"
WITHOUT_FORTH="YES"
WITHOUT_FREEBSD_UPDATE="YES"
WITHOUT_GAMES="YES"
WITHOUT_GDB="YES"
WITHOUT_GPIB="YES"
WITHOUT_GSSAPI="YES"
WITHOUT_HTML="YES"
WITHOUT_INET6="YES"
WITHOUT_IPFILTER="YES"  
WITHOUT_IPFW="YES"
WITHOUT_IPX="YES"
WITHOUT_JAIL="YES"
WITHOUT_KERBEROS="YES"  
WITHOUT_KVM="YES"
WITHOUT_LEGACY_CONSOLE="YES"
WITHOUT_LIB32="YES"
WITHOUT_LPR="YES"
WITHOUT_MAIL="YES"
WITHOUT_MAILWRAPPER="YES"
WITHOUT_MAN="YES"
WITHOUT_NCP="YES"
WITHOUT_NDIS="YES"
WITHOUT_NETCAT="YES"
WITHOUT_NIS="YES"
WITHOUT_NLS="YES"
WITHOUT_NLS_CATALOGS="YES"
WITHOUT_NS_CACHING="YES"
WITHOUT_NTP="YES"
WITHOUT_PF="YES"
WITHOUT_PMC="YES"
WITHOUT_PPP="YES"
WITHOUT_PROFILE="YES"   
WITHOUT_QUOTAS="YES"
WITHOUT_RCMDS="YES"
WITHOUT_RCS="YES"
WITHOUT_RESCUE="YES"
WITHOUT_ROUTED="YES"
WITHOUT_SENDMAIL="YES"  
WITHOUT_SHAREDOCS="YES" 
WITHOUT_SYSCONS="YES"   
WITHOUT_SYSINSTALL="YES"
WITHOUT_TELNET="YES"
WITHOUT_USB="YES"
WITHOUT_WIRELESS="YES"  
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"
WITHOUT_ZFS="YES"

WITHOUT_MAIL is causing problems since is not installing fmt also ruby18 exists when installing the port, any idea of what to remove or add for fix the problem?

 

[nbari]

solved removing WITHOUT_BSD_CPIO="YES"

fixed removing this line: WITHOUT_BSD_CPIO="YES"

This is my current src.conf for a jail on a server with freebsd 8.1 amd64

# src for jail
WITHOUT_ACCT="YES"
WITHOUT_ACPI="YES"
WITHOUT_AMD="YES"
WITHOUT_APM="YES"
WITHOUT_ASSERT_DEBUG="YES"
WITHOUT_AT="YES"
WITHOUT_ATM="YES"
WITHOUT_AUDIT="YES"
WITHOUT_AUTHPF="YES"
WITHOUT_BIND_DNSSEC="YES"
WITHOUT_BIND_ETC="YES"  
WITHOUT_BIND_LIBS_LWRES="YES"   
WITHOUT_BIND_MTREE="YES"
WITHOUT_BIND_NAMED="YES"
WITHOUT_BLUETOOTH="YES" 
WITHOUT_BOOT="YES"
WITHOUT_BSD_CPIO="YES"  
WITHOUT_BSNMP="YES"
WITHOUT_CALENDAR="YES"
WITHOUT_CDDL="YES"
WITHOUT_CTM="YES"
WITHOUT_CVS="YES"
WITHOUT_DICT="YES"
WITHOUT_EXAMPLES="YES"  
WITHOUT_FLOPPY="YES"
WITHOUT_FORTH="YES"
WITHOUT_FREEBSD_UPDATE="YES"
WITHOUT_GAMES="YES"
WITHOUT_GDB="YES"
WITHOUT_GPIB="YES"
WITHOUT_GSSAPI="YES"
WITHOUT_HTML="YES"
WITHOUT_INET6="YES"
WITHOUT_IPFILTER="YES"  
WITHOUT_IPFW="YES"
WITHOUT_IPX="YES"
WITHOUT_JAIL="YES"
WITHOUT_KERBEROS="YES"  
WITHOUT_KVM="YES"
WITHOUT_LEGACY_CONSOLE="YES"
WITHOUT_LIB32="YES"
WITHOUT_LPR="YES"
WITHOUT_MAIL="YES"
WITHOUT_MAILWRAPPER="YES"
WITHOUT_MAN="YES"
WITHOUT_NCP="YES"
WITHOUT_NDIS="YES"
WITHOUT_NETCAT="YES"
WITHOUT_NIS="YES"
WITHOUT_NLS="YES"
WITHOUT_NLS_CATALOGS="YES"
WITHOUT_NS_CACHING="YES"
WITHOUT_NTP="YES"
WITHOUT_PF="YES"
WITHOUT_PMC="YES"
WITHOUT_PPP="YES"
WITHOUT_PROFILE="YES"   
WITHOUT_QUOTAS="YES"
WITHOUT_RCMDS="YES"
WITHOUT_RCS="YES"
WITHOUT_RESCUE="YES"
WITHOUT_ROUTED="YES"
WITHOUT_SENDMAIL="YES"  
WITHOUT_SHAREDOCS="YES" 
WITHOUT_SYSCONS="YES"   
WITHOUT_SYSINSTALL="YES"
WITHOUT_TELNET="YES"
WITHOUT_USB="YES"
WITHOUT_WIRELESS="YES"  
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"
WITHOUT_ZFS="YES"

WITHOUT_MAIL is causing problems since is not installing fmt also ruby18 exists when installing the port, any idea of what to remove or add for fix the problem?

 

[Noodle]

Hi All,

Thanks for information. I'm using information from here to build my minimum jails for some applications. But recent update give me wired issue.

After I [cmd=]make buildworld[/cmd] and then [cmd=]make installworld DESTDIR=<jail mroot> SRCCONF=/root/src.conf.internetz[/cmd] pam_unix.so has missing dependent file.

ldd /usr/lib/pam_unix.so

pam_unix.so:
	libutil.so.8 => /lib/libutil.so.8 (0x800c00000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x800d10000)
	libypclnt.so.4 => /usr/lib/libypclnt.so.4 (0x800e29000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x800f2e000)
	libc.so.7 => /lib/libc.so.7 (0x800647000)

But if

WITHOUT_NIS="YES"

it will not install /usr/lib/libypclnt.so.4. Any idea?

Thanks

Noodle

 

[Noodle]

Looks like fully buildworld but installworld without NIS will give this issue. I rebuild with same src.conf and install it. Even from outside jail, it still show dependency on libypclnt.so.4, but it didn't show inside jail, and jail works fine now.

 

[mk]

@Noodle yp == yellow pages, the other name for NIS, so without NIS you don't have libypclnt.so.

 

[vivek]

My /etc/jail.make.conf that worked with apache / postfix and other internet servers

 NO_ACPI=true # do not build acpiconf(8) and related programs
NO_ATM=true # do not build ATM related programs and libraries
NO_AUTHPF=true # do not build and install authpf (setuid/gid)
NO_BLUETOOTH=true # do not build Bluetooth related stuff
NO_BOOT=true # do not build boot blocks and loader
NO_CVS= # do not build CVS
NO_FORTRAN=true # do not build g77 and related libraries
NO_GAMES=true # do not build games (games/ subdir)
NO_GDB=true # do not build GDB
NO_GPIB=true # do not build GPIB support
NO_I4B=true # do not build isdn4bsd package
#NO_INFO=true # do not make or install info files
NO_IPFILTER=true # do not build IP Filter package
NO_KERBEROS=true # do not build and install Kerberos 5 (KTH Heimdal)
NO_LPR=true # do not build lpr and related programs
NO_MAN=true # do not build manual pages
NO_MODULES=true # do not build modules with the kernel
NO_NETCAT=true # do not build netcat
NO_NIS=true # do not build NIS support and related programs.
NO_NLS_CATALOGS= # do not build NLS catalog support for csh(1)
NO_OBJC=true # do not build Objective C support
NO_OPENSSH=true # do not build OpenSSH
NO_PF=true # do not build PF firewall package
NO_PROFILE=true # Avoid compiling profiled libraries
NO_RCMDS=true # do not build or install BSD r* commands (rsh, etc).
NO_SENDMAIL=true # do not build sendmail and related programs
NO_SHAREDOCS=true # do not build the 4.4BSD legacy docs
NO_USB=true # do not build usbd(8) and related programs
PPP_NO_NAT=true # do not build with NAT support (see make.conf(5))
PPP_NO_NETGRAPH=true # do not build with Netgraph support
PPP_NO_RADIUS=true # do not build with RADIUS support
PPP_NO_SUID=true # build with normal permissions
#NO_BIND= # Do not build any part of BIND
NO_BIND_DNSSEC=true # Do not build dnssec-keygen, dnssec-signzone
NO_BIND_ETC=true # Do not install files to /etc/namedb
NO_BIND_LIBS_LWRES=true # Do not install the lwres library
NO_BIND_MTREE=true # Do not run mtree to create chroot directories
NO_BIND_NAMED=true # Do not build named, rndc, lwresd, etc.
#NO_BIND_UTILS= # Do not build dig, host, nslookup, nsupdate
WITH_BIND_LIBS= # Install the BIND libs and include files
NO_NCP=true
NO_NS_CACHING=true
NO_RCMDS=true
NO_RCS=true
NO_RESCUE=true
NO_SETUID_LOGIN=true
NO_SHAREDOCS=true
NO_WPA_SUPPLICANT_EAPOL=true
NO_ZFS=true
NO_SYSCONS=true
NO_ASSERT_DEBUG=true
NO_CALENDAR=true
NO_CDDL=true
NO_HTML=true

Pass it as

# set $D first ;)
make world DESTDIR=$D __MAKE_CONF=/etc/jail.make.conf
make distribution DESTDIR=$D __MAKE_CONF=/etc/jail.make.conf

 

[SirDice]

Vivek, that way is deprecated. See src.conf(5).

 

[vivek]

Thanks SirDice! The problem is we got lots of older server here running 7.x and 6.x too

 

[SirDice]

It should still work but I don't think it's a good idea to suggest it to new users.

 

[vivek]

Agreed, but what if you need different type of personality jails (e.g., network server only or desktop only)? You can always use jail.desktop.conf and jail.network.server.conf file without messing with a single file.