How to set up a port to use chroot?

Chris_H

Chris_H

Greetings,

I'm looking to port a new DNS server to FreeBSD, @mod(s) before you look to move this topic to "porting", or some such other location. Please understand this is for chrooting. The actual porting questions, I'll direct to another section. :)

That said. I'm looking to add a port to dns/<my new port name here>. But I am looking for the best solution for automating the install to require a chroot(8), and was hoping someone might throw me a bone (or two). :)

I'm looking in ports/Mk, and I see there are a couple of clues in bsd.destdir.mk. Any other pointers/suggestions greatly appreciated.

Thanks.

--chris
 
The BIND rc(8) script /etc/rc.d/named should give you some pointers. You should make sure that the program has access to resources it needs even under chroot(1) so that a reload of configuration is possible without restarting the daemon, assuming the program does support such reload of configuration with for example SIGHUP signal.

There's no direct support for chroot(1) in the ports(7) infrastructure yet because chroot(1)ing an arbitrary daemon isn't as simple as it sounds.
 
The main problem you'll run into with chroot(8) is dynamic loading (e.g. libc) when the binary is executed. You therefore might have to use chroot(2) after the process is started, but that would require it to run as root initially. Your other two options are static linking or a chroot with a minimal base system in it. If you go for the latter, you might as well just recommend that the user set up a full jail for it.

Kevin Barry
 
kpa said:
The BIND rc(8) script /etc/rc.d/named should give you some pointers. You should make sure that the program has access to resources it needs even under chroot(1) so that a reload of configuration is possible without restarting the daemon, assuming the program does support such reload of configuration with for example SIGHUP signal.

There's no direct support for chroot(1) in the ports(7) infrastructure yet because chroot(1)ing an arbitrary daemon isn't as simple as it sounds.
Click to expand...

Greetings @kpa,

Funny you should mention BIND. I was just looking through /usr/src/contrib/bind9. Because, I was hoping to discover the differences between the "ports" version and the version that comes with "base". Knowing that the former uses --prefix=/usr, where the latter uses (I believe) --prefix=/usr/local. As I recall, that's the primary difference between base vs. ports.

Thanks for the pointer(s). I'll give 'em a look.

--chris
 
Last edited by a moderator:
ta0kira said:
The main problem you'll run into with chroot(8) is dynamic loading (e.g. libc) when the binary is executed. You therefore might have to use chroot(2) after the process is started, but that would require it to run as root initially. Your other two options are static linking or a chroot with a minimal base system in it. If you go for the latter, you might as well just recommend that the user set up a full jail for it.

Kevin Barry
Click to expand...

Greetings @ta0kira,

Thanks for taking the time to reply. Greatly appreciate the pointers. I guess I'll see if it/what it complains about (hopefully nothing), and then apply one of your given choices, given the reaction.

Thanks again.

--chris
 
Last edited by a moderator:
You must log in or register to reply here.
Back
Top