Centos How i build a chroot for Postfix/Mysql/Apache

Portal Home > Knowledgebase > Articles Database > Centos How i build a chroot for Postfix/Mysql/Apache

Posted by Slatko, 05-15-2011, 03:11 PM
Hello I use Centos 5.4 on an Vserver. Now i want try to make the mail-server(postfix/Dovecot/clamav/etc.) in an own Jail/chroot. The Mysql in an own Jail/chroot, and apache with modsecurity in an own Jail/chroot. I search with goole but i dont find the right answer. How i build an chroot? How i find out what files must be copy in the chroot? After copy files in chroot can i deinstall the program than in main system? thanks
Posted by wartungsfenster, 05-15-2011, 03:57 PM
there's an easy and a hard way. it feels too much to explain the hard way (using ldd to build the most minimal chroot) the easy way would be to use the --root option for rpm to install stuff into the to-be-chroot instead of the base system. note that doesn't work using yum, that means the next little hurdle is that you'll have to manually add a lot of rpms to this chroot. start with the one callled "setup" and "filesystem" and also look for the utility "pkgorder" from anaconda-runtime. Err yeah, and expect it to take a few days till you got it done. Last: - If I were you I'd go and try to use FreeBSD jails instead. - CentOS 5.4 is horribly outdated. edit: i wonder if there's a script to do all that, but i unfortunately don't know it. "rpmstrap" is the closest to this that I know of.
Posted by wartungsfenster, 05-15-2011, 04:01 PM
And a moment later I remembered that I used to do chroot installs with Yum... Found this and I think it will work for you. http://prefetch.net/articles/yumchrootlinux.html The difference between yum and rpm chrooting is that with rpm you can disable dependencies and get a really really small chroot, wheres using yum means something a little larger. rgds Flo
Posted by Slatko, 05-15-2011, 04:30 PM
Danke für deine Hilfe. What makes FreeBSD easyer for building an chroot?
Posted by david510, 05-16-2011, 09:00 AM
You can use mod_chroot for chroot apache environment.
Posted by wartungsfenster, 05-16-2011, 05:26 PM
The effort is about the same, but you get more from it - instead of a plain chroot you use jails where even root processes are heavily restricted. But hmm, just try the yum chroot for a start and then see if you need more. mod_chroot is probably just moving the apache process to a different directory after start, which is not as robust. But far better than (i guess) 70% of apache installs.