[nycbug-talk] jail file removal

Charles Sprickman spork
Mon Nov 28 22:41:29 EST 2005


On Mon, 28 Nov 2005, George R. wrote:

> Charles Sprickman wrote:
>> Hi all,
>> 
>> I've been looking around for a maintained list of files that are good to 
>> remove from a jail.  So far, this is the most comprehensive list I've 
>> found.  Any opinions on this one?  Is there a better reference that I've 
>> missed?
>> 
>> http://memberwebs.com/nielsen/freebsd/jails/docs/jail_remove.html
>> 
>> Thanks,
>
> No, thank *you*. . .
>
> A number of us have had regular discussions about this topic.
>
> I have a bunch of jails on different boxes in production, and they are 
> BLOATED.

I'm aiming for something in the neighborhood of unbloating and just not 
having stuff there that I don't want people poking around in.

I've also made a bit of a list for /etc to set things immutable.  That 
probably needs more work.

> When I get a chance, I'll test out on 4.x and 5.x.
>
> Did you try this out Charles?

Yep, and it seems to have not broken anything (that I've noticed).  At the 
very least it's cut down the number of things I have to evaluate.

Your question also led me to find something else I didn't know about.  I 
wanted to see if I could get more info from the jail startup process. 
Looking at the "jail" file in /etc/rc.d I found some debug flags.  Looking 
at /etc/defaults/rc.conf, I found these two interesting lines:

rc_debug="YES"
rc_info="YES"

That enables some pretty verbose output.  Neat stuff:

root at newida[/etc]# sh rc.d/jail start jail1
rc.d/jail: DEBUG: checkyesno: jail_enable is set to YES.
rc.d/jail: DEBUG: run_rc_command: evaluating jail_start().
Configuring jails:rc.d/jail: DEBUG: checkyesno: jail_set_hostname_allow is set to YES.
rc.d/jail: DEBUG: checkyesno: jail_socket_unixiproute_only is set to YES.
rc.d/jail: DEBUG: checkyesno: jail_sysvipc_allow is set to NO.
.
Starting jails:rc.d/jail: DEBUG: jail1 devfs enable: YES
rc.d/jail: DEBUG: jail1 fdescfs enable: NO
rc.d/jail: DEBUG: jail1 procfs enable: NO
[etc...]

Handy, and it logs in /var/log/messages too.

Charles

> g
>
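As an added illustration of the two housekeeping tasks in this thread (trimming files out of a jail and marking parts of its /etc immutable), here is a small planner that is not from the post or the linked list: the entries in HARDEN_LIST are hypothetical, the jail tree is constructed in a temporary directory, and the schg step only runs where os.chflags exists (FreeBSD).

```python
import os
import stat
import tempfile

# Constructed sample list (hypothetical entries, not the one linked in the post):
# path relative to the jail root, and the action to take on it.
HARDEN_LIST = [
    ("usr/bin/su", "remove"),
    ("etc/rc.conf", "immutable"),
    ("etc/escape", "immutable"),   # demo() makes this a symlink out of the jail
]

def confined_path(jail_root, rel_path):
    """Resolve rel_path under jail_root; return None if it escapes the root."""
    root = os.path.realpath(jail_root)
    target = os.path.realpath(os.path.join(root, rel_path.lstrip("/")))
    if target == root or not target.startswith(root + os.sep):
        return None
    return target

def plan(jail_root, entries):
    """Return (action, relative path, state) tuples without touching anything."""
    if os.path.realpath(jail_root) == "/":
        raise ValueError("refusing to operate on the host root")
    result = []
    for rel, action in entries:
        path = confined_path(jail_root, rel)
        if path is None:
            result.append((action, rel, "escapes-root"))
        elif not os.path.lexists(path):
            result.append((action, rel, "missing"))
        else:
            result.append((action, rel, "planned"))
    return result

def apply(jail_root, planned):
    """Carry out planned actions; schg needs os.chflags, which FreeBSD provides."""
    for action, rel, state in planned:
        if state != "planned":
            continue
        path = confined_path(jail_root, rel)
        if action == "remove":
            os.unlink(path)
        elif action == "immutable" and hasattr(os, "chflags"):
            os.chflags(path, stat.SF_IMMUTABLE)

def demo():
    """Build a throwaway jail tree with one symlink that points outside it."""
    root = tempfile.mkdtemp()
    for rel in ("usr/bin/su", "etc/rc.conf"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    os.symlink("/etc/passwd", os.path.join(root, "etc/escape"))
    return plan(root, HARDEN_LIST)
```

Run plan() first and review its output; only entries marked "planned" are ever passed to apply(), so a symlink that points outside the jail root is reported rather than acted on.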
