chroot.txt

jail + chroot + cblog

* Prepare the chroot

    user@devel> sudo ./chroot_cblog.sh

* Create chroot inside a jail:

    user@jail> setenv CHROOT /usr/local/chroot/cblog
    user@jail> sudo mkdir $CHROOT
    user@jail> cd $CHROOT

* Popuplate the chroot:

    user@jail> (copy chroot_cblog.tgz from devel)
    user@jail> sudo tar xzvf /path/to/chroot_cblog.tgz
    x ./
    x ./usr/
    x ./lib/
    x ./tmp/
    x ./libexec/
    x ./dev/
    x ./var/
    x ./var/run/
    x ./var/db/
    x ./libexec/ld-elf.so.1
    x ./lib/libfcgi.so.0
    x ./lib/libc.so.7
    x ./lib/libz.so.5
    x ./usr/local/
    x ./usr/local/etc/
    x ./usr/local/libexec/
    x ./usr/local/share/
    x ./usr/local/share/cblog/
    x ./usr/local/share/cblog/templates/
    x ./usr/local/share/cblog/templates/default.cs
    x ./usr/local/share/cblog/templates/rss.cs
    x ./usr/local/share/cblog/templates/atom.cs
    x ./usr/local/libexec/cgi-bin/
    x ./usr/local/libexec/cgi-bin/cblog.cgi
    x ./usr/local/etc/cblog.conf

* Configure cblog:

    user@jail> sudo mkdir $CHROOT/var/db/
    user@jail> sudo chown -R user $CHROOT/var/db
    user@jail> setenv CBLOG_CDB $CHROOT/var/db/cblog.cdb
    user@jail> cblogctl create
    user@jail> sed -e 's,db_path=.*,db_path=/var/db/cblog.cdb,' $CHROOT/usr/local/etc/cblog.conf > $CHROOT/tmp
    user@jail> sudo mv $CHROOT/tmp/cblog.conf $CHROOT/usr/local/etc

* Configure syslog:

    user@jail> grep syslogd_flags /etc/rc.conf
    syslogd_flags="-ss -l /usr/local/chroot/cblog/var/run/log"
    user@jail> sudo /etc/rc.d/syslogd restart

* Configure /dev:

We use devfs from the host because we can't manipulate /dev inside a jail

    root@host# cat bin/chroot_devfs.sh
    #!/bin/sh
    
    if [ $# -lt 1 ]; then
      echo "Usage: $0 /path/to/jail/path/to/chroot/dev"
      exit 1
    fi
    
    . /etc/rc.subr
    devfs_rulesets_from_file /etc/defaults/devfs.rules
    
    for _path in $@; do
      devfs_domount $_path devfsrules_jail
    done

Now we mount /dev inside the chroot (adjust path to jail and chroot):

    root@host# ./bin/chroot_devfs.sh /path/to/jail/usr/local/chroot/cblog/dev

* Configure spawn_fcgi:

    user@jail> cat /usr/local/etc/rc.d/spawn_cblog
    [ snip ]
    : ${spawn_cblog_enable="NO"}
    : ${spawn_cblog_app="/usr/local/libexec/cgi-bin/cblog.cgi"}
    : ${spawn_cblog_app_args=""}
    : ${spawn_cblog_pidfile="/var/run/spawn-cblog.pid"}
    : ${spawn_cblog_username="www"}
    : ${spawn_cblog_groupname="www"}
    : ${spawn_cblog_chroot_dir="/usr/local/chroot/cblog/"}
    : ${spawn_cblog_bindaddr=""}
    : ${spawn_cblog_bindport=""}
    : ${spawn_cblog_bindsocket="/tmp/cblog.sock"}
    : ${spawn_cblog_bindsocket_mode="0777"}
    : ${spawn_cblog_children="5"}
    : ${spawn_cblog_max_requests="1000"}
    : ${spawn_cblog_web_server_addrs=""}
    : ${spawn_cblog_allowed_env=""}
    : ${spawn_cblog_path_env="/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin"}
    [ snip ]

* Example configuration for nginx:

    location / {
      include      fastcgi_params;
      fastcgi_pass unix:/usr/local/chroot/cblog/tmp/cblog.sock;
    }

* Play:

    user@jail> sudo /usr/local/etc/rc.d/nginx start
    user@jail> sudo /usr/local/etc/rc.d/spawn_cblog start

* Survive reboot/restart:

Don't forget adjust paths and jail's name !

    root@host# grep _exec_ /etc/rc.conf
    jail_blog_exec_prestart0="/root/bin/chroot_devfs.sh /zfs/jail/blog/usr/local/chroot/cblog/dev"
    jail_blog_exec_poststop0="umount /zfs/jail/blog/usr/local/chroot/cblog/dev"