Makejail uses short configuration files to help administrators create and maintain chroot jails.
To use it effectively, you need to understand how it works.
To see what the configuration files look like, have a look at these examples (shipped in the tarball): apache, bind, mysqld, ntpd, postgresql and sshd.
To see what actions makejail performs, look at these log files: apache on OpenBSD 3.0, bind on GNU/Linux Debian woody.
The list of files to put in the jail is built from several sources:
- the main method is to trace what files the daemon attempts to access, add them to the jail, and restart it until no further file is found.
- a list of files given manually in the configuration file.
- the files that belong to a package and, optionally, the packages it depends on.
When a file is added into the jail:
- the shared libraries it needs (as reported by ldd) are added too.
- upper directories are created if needed.
- if the file is a symbolic link, the target is added too.
- all the checks to determine what files a file needs are recursive.
- all files are copied preserving the originals' ownership and permissions.
Some files are handled with a special method:
- when the file is below /proc, the procfs filesystem is mounted inside the jail instead.
- when the file is a socket, it is not copied.
- when the file is the shared library cache, it is not copied; ldconfig is run at the end instead.
The steps of makejail are:
- optionally remove the files already in the jail first.
- if you specified packages, add all the files that belong to them.
- if you specified paths to include, add the files matching these patterns.
- start the daemon inside the jail and trace it with strace; add the files it attempts to open that exist outside the jail, kill it, and start it again until no more files are found.
- start the daemon inside the jail and trace it while running some test processes outside the jail, to see with strace what files the daemon attempts to open.
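As an added illustration (not makejail's own code), the following Python sketch performs one round of the tracing step above: it parses strace output for calls that failed with ENOENT, drops paths that are already in the jail, missing on the host or sockets, follows symbolic links to their targets, and flags /proc and the shared library cache for the special handling described earlier. The strace lines, the `HOST` table and the `JAIL` set are constructed stand-ins; real makejail consults the filesystem (stat, readlink, ldd) instead, and the ldd step is omitted here.

```python
import re
# strace line: optional "[pid N]", syscall, optional AT_FDCWD, quoted path, "= ret [ERRNO]"
_SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:open|openat|stat|lstat|access|execve)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]*)".*=\s*-?\d+(?:\s+(?P<err>E[A-Z]+))?'
)

def failed_paths(trace_lines):
    """Yield every path the traced daemon tried to reach but could not find."""
    for line in trace_lines:
        m = _SYSCALL_RE.match(line.strip())
        if m and m.group("err") == "ENOENT":
            yield m.group("path")

def _with_link_targets(path, host):
    """Return path plus its chain of symlink targets (makejail copies both)."""
    chain = []
    while path in host and path not in chain:
        chain.append(path)
        path = host[path].partition("symlink:")[2] or None  # None: not a link
    return chain

def files_to_add(trace_lines, host, jail):
    """One makejail round: what to copy into the jail after a traced run. host maps
    path -> "file", "socket" or "symlink:<target>"; jail holds paths already copied."""
    result = {"files": set(), "mount_proc": False, "run_ldconfig": False}
    for path in failed_paths(trace_lines):
        if path == "/proc" or path.startswith("/proc/"):
            result["mount_proc"] = True        # procfs is mounted, not copied
        elif path == "/etc/ld.so.cache":
            result["run_ldconfig"] = True      # cache is regenerated, not copied
        elif path in host and path not in jail and host[path] != "socket":
            result["files"].update(_with_link_targets(path, host))
    result["files"] = sorted(result["files"])  # empty list means: stop iterating
    return result

# Constructed sample trace and filesystem tables, not taken from a real run.
TRACE = """\
open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/demod.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = 3
stat("/var/run/demod.sock", 0x7ffd1234) = -1 ENOENT (No such file or directory)
open("/proc/self/status", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] open("/usr/lib/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
"""
HOST = {"/etc/ld.so.cache": "file", "/etc/demod.conf": "file", "/var/run/demod.sock": "socket",
        "/lib/libc.so.6": "symlink:/lib/libc-2.3.2.so", "/lib/libc-2.3.2.so": "file",
        "/usr/lib/libz.so.1": "file"}
JAIL = {"/usr/lib/libz.so.1"}   # copied in an earlier round
```

Calling `files_to_add(TRACE.splitlines(), HOST, JAIL)` returns the config file and the libc symlink with its target, skips the socket and the library already in the jail, and flags both the procfs mount and the ldconfig run.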