Debian GNU/kFreeBSD jail support

This page attempts to detail my whacky adventures into the world of GNU/kFreeBSD jails. Its current purpose is keeping all this related information in a central location. As more progress is made towards jail integration, this page will serve as a source of news and documentation.

Note: The 'implementation' described here is by no means complete, clean, final or official.

I'll start by posting some of the content from the initial emails to the list.

Steps taken

* Get the source code for the jail binary. In this case I used the fetch script from freebsd-utils (since I was using that as a testing ground).

* This next step should be considered the dirty and hackish part; I pretty much ripped out any BSD login cap related code to get a working build. A much more skilled developer with some PAM experience could probably whip up a replacement for the already small amount of code.

* Now equipped with a usable binary, you can go about your business as if you were setting up a regular FreeBSD jail manually. In my case, the base tarball from the latest GNU/kFreeBSD install disc was used to populate the jail, instead of the traditional FreeBSD source based method.

* One of the most obvious missing pieces is an equivalent to FreeBSD's jail configuration via rc.conf and the necessary init scripts for stopping/starting jails (manually or at boot). At the moment I'm using a custom /etc/init.d/jail script that reads the basic config values (dir, hostname, IP address) from /etc/jail.conf.

* Initial interaction with the environment inside the jail is done through simply executing /bin/sh instead of /etc/init.d/rc. Then apt-get install openssh-server, exit the jail shell and fire it up. Shutting down is a manual process due to the current lack of jexec.
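
A sketch of the config-reading half of such an init script, as an added example that is not the author's script. The key=value layout of /etc/jail.conf and all function names are assumptions; the argument order follows the classic FreeBSD jail(8) usage (path, hostname, ip-number, command), which the ported binary is assumed to keep.

```shell
#!/bin/sh
# Assumed /etc/jail.conf layout (hypothetical; the page names only the fields):
#   dir=/srv/jails/test
#   hostname=test.example.org
#   ip=192.0.2.10

# Read KEY from FILE as plain text. The file is never sourced, so a config
# value cannot run code in the root-owned init script.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

valid_hostname() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the jail(8) command line for FILE, or fail on an invalid value.
# The optional second argument is the command to run inside the jail.
jail_command() {
    dir=$(conf_get "$1" dir)
    host=$(conf_get "$1" hostname)
    ip=$(conf_get "$1" ip)
    case $dir in
        /*) ;;
        *) echo "jail: dir must be an absolute path" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "jail: $dir is not a directory" >&2; return 1; }
    valid_hostname "$host" || { echo "jail: bad hostname" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "jail: bad ip" >&2; return 1; }
    printf 'jail %s %s %s %s\n' "$dir" "$host" "$ip" "${2:-/bin/sh}"
}
```

Passing /etc/init.d/rc as the second argument gives the full-boot variant instead of the interactive shell.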

Tasks that need attention

* Possible small modifications to the 'jail' application for PAM integration?

* Packaging of jail and jls - Preliminary unofficial jail-utils has been built.

* I can't recall the exact problem with jexec offhand but it needs some love.

* A stop/start and config script infrastructure. - As suggested, dchroot/schroot might be capable of handling some of these functions.

* Figure out what we need for the J flag to be shown for a jailed process.

Stay tuned for progress updates.