Installing Trimmed-Down Userland To FreeBSD Jails
For obvious reasons there is a lot of howto’s on FreeBSD jails. One of the IMHO best is, besides the man page ;-), at section6wiki.
While the howto explains everything you need to get started, I was fiddling around with a way to install a trimmed-down userland to a jail without editing or moving around /etc/make.conf. The reason to do this is simple: The system in question was not solely decicated to running jails and I wanted to avoid the toolchain within the jails at any cost. So I basically looked only for a simple and fast way to install the userland without tampering with my existing configuration.
‘man jail’ lists dozens of variables that can be put into /etc/make.conf to enable or disable certain features. A current list can also be found at /usr/share/examples/etc/make.conf. I’d recommend to take your options out of the example make.conf, as the man page is not always up to date.
If you don’t want to alter your existing /etc/make.conf (not even moving files around or such), the only way for a simple and straight forward install is by passing environment variables to ‘make’, eg.
make installworld DESTDIR=/my/path/to/jail NO_TOOLCHAIN=yes NO_BLUETOOTH=yes NO_BOOT=yes NO_CXX=yes NO_FORTRAN=yes NO_GDB=yes NO_GPIB=yes NO_I4B=yes NOINET6=yes NOATM=yes NO_USB=yes NO_LPR=yes NO_ACPI=yes NO_VINUM=yes NO_MAN=yes NO_SHAREDOCS=yes NO_GAMES=yes NO_INFO=yes NO_SHARE=yes NO_SENDMAIL=yes NO_BIND=yes NO_AUTHPF=yes NO_CVS=yes NO_PF=yes NO_IPFILTER=yes NO_MAILWRAPPER=yes NO_NIS=yes NO_NETCAT=yes
Of course the same environment variables must be used when running ‘make distribution’ from /usr/src/etc.
This will install a trimmed down userland to a jail of around 60 MB, leaving me most tools at hand while omitting the more specialized ones usually not needed within a jail.
Take care though when installing a jail like this from your host’s source tree. If you are building jails on a regurlar basis, it maybe better to have a second source tree around for building jails.
If you are using your host’s regurlar source tree, I’d recommend to first to a regurlar (eg. non-altered) ‘make buildworld’ and running ‘make installworld’ with the parameters given above later on. This will allow usage of the source tree for both your host and any subsequent jails.
Special attention must be given to the exclude parameters in this case though, as there are some dependencies which must be fulfilled. This is why you cannot exclude some subsets during ‘make installworld’ after running a full-fledged ‘make buildworld’.
If you are testing things out it may be best to temporarily disable kernel securelevel, otherwise you won’t be able to delete the files from the jail tree due to ‘system immutable’ flags on some files within the tree. The same holds true when you try to update an existing jail.
You can circumvent this requirement however if you choose to install your jails within loop-back mounted disk images, which might be a good idea for limiting disk quota anyway.