Hello, although my question may be out of topic, I kindly ask for your help. I am working on the Google summer of code project to enhance the HackageDB website, especially by a tool to automatically generate Haddock documentation. For this to work, it is necessary to set up a chroot jail, in which packages are unpacked, configured and Haddock documentation is build. Some packages also need to be build, which could include running untrustable code. Up to now, I considered several ideas to set up a chroot jail, but they all do not fully satisfy my needs or I could not test them on my machine. Here are my proposals for setting up a chroot environment: 1) use a hand-written script 2) use makejail, jail, jailkit (or a similar tool) 3) use debootstrap 4) use dpkg to install necessary debian packages My distribution is gentoo, which is why I did not test 3). However, I thought that 4) is suitable, although it's very tedious. In fact, it seems to me like rewriting parts of debian installers. Option 1) is just not maintainable. Finally, 2) seems to be of use just for servers like ssh or ftp. I haven't tested it, but I doubt it will work in an environment with several different applications like ghc, haddock, cpphs, happy, ... Does anyone have an idea how to (automatically, maintainably) set up a chroot jail for this particular situation? I'm grateful for any help. Thanks, Sascha
[..] 4) use dpkg to install necessary debian packages
5) Use the gentoo portage sandbox ( thus generate a gentoo package for each documention package (will work on gentoo only ) 6) use uml (use mode linux) and any distro you like (would need much more disk space) - would be overkill but would work fine.. Sorry. I have no experience with that. The t2-project.org does have somehting simlar as well (don't know which kind though) Marc Weber
On Wed, 2007-06-13 at 21:55 +0200, Marc Weber wrote:
[..] 4) use dpkg to install necessary debian packages
5) Use the gentoo portage sandbox ( thus generate a gentoo package for each documention package (will work on gentoo only )
The gentoo sandbox program does not mean one has to generate gentoo packages. It's a fairly self contained program. Note that the sandbox is not a chroot jail. It's kind of a supervisor for child processes that enforces a policy (given in a config file) for access to the file system. The gentoo package builder tool uses that to allow a build process to have read only access to the entire file system and write access to just the build directory (and sub-directories). As I understand it, it works using the linux kernel's ptrace mechanism to intercept and check syscalls against the security policy. I'm sure sandbox works on any linux system, not just gentoo, so it might be a good solution for HaskageDB. I expect it'd use more or less the same kind of security policy that the gentoo package build tools use, ie read only to the whole system and read/write for the specific build directory (and directory where the installed image/docs is put). Duncan
On Wed, Jun 13, 2007 at 08:52:15AM +0200, Sascha Böhme wrote:
Hello,
although my question may be out of topic, I kindly ask for your help.
I am working on the Google summer of code project to enhance the HackageDB website, especially by a tool to automatically generate Haddock documentation. For this to work, it is necessary to set up a chroot jail, in which packages are unpacked, configured and Haddock documentation is build. Some packages also need to be build, which could include running untrustable code.
Up to now, I considered several ideas to set up a chroot jail, but they all do not fully satisfy my needs or I could not test them on my machine.
Here are my proposals for setting up a chroot environment:
1) use a hand-written script
2) use makejail, jail, jailkit (or a similar tool)
3) use debootstrap
4) use dpkg to install necessary debian packages
My distribution is gentoo, which is why I did not test 3). However, I
I definitely recall hearing debootstrap runs on Solaris. Gentoo, being still a Linux/glibc system, is thus almost certainly supported. Stefan
participants (4)
-
Duncan Coutts -
Marc Weber -
Sascha Böhme -
Stefan O'Rear