In FreeBSD, we *do* have a compelling case for installing a small subset of
the base system: service jails (or "containerised applications" as the kids
are calling them). We want to be able to install, for example, owncloud and
nginx or ejabberd in a jail with only the bare minimum required for them to
start and run. We want updates to these jails to be fast and we want disk
usage (and install time) to be low. In such a jail, I want a shell, the
parts of sbin needed to do network setup, the libraries that these ports
depend on, *and nothing else*. We're still a way away from doing that.

It would be great to be able to do this via something like 'make
installworld -DMINJAIL DESTDIR=...' and end up with a bare-bones, secure
jail.  We've done something like that in the past by running the following:

Roger


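# Prune a jail's copy of the base system down to what a service jail needs.
#
# $jail must hold the jail's root directory.
#
# As posted, the command was `chroot $jail && rm -rf /media /mnt ...`. That
# does not delete anything inside the jail: chroot(8) without a command starts
# an interactive shell in the jail, and once that shell exits successfully the
# rm runs on the HOST against these absolute paths (/boot, /sbin/init,
# /sbin/mount, ...). Here rm is run by a shell that is itself the chroot's
# command, so the deletions and the /sbin/g* and /usr/bin/yp* globs are
# resolved against the jail's filesystem only.
#
# - "${jail:?}" aborts before chroot is called if the variable is unset or
#   empty, and the quotes keep a path containing spaces in one piece.
# - The heredoc delimiter is quoted, so the host shell expands nothing in the
#   list; the shell inside the jail does.
# - Only the first line of the posted command carried a continuation
#   backslash (the rest was lost to mail wrapping); every line has one here.
# - The last two entries were posted without a leading slash; they are
#   written as absolute paths like the rest of the list.
# - `--` ends option parsing so no path can be read as an rm option.
#
# Pruning only reduces what is available inside the jail; a later
# installworld into the same root puts these files back.
chroot "${jail:?}" /bin/sh <<'EOF'
rm -rf -- \
  /media /mnt /modules /proc /rescue /boot /cdrom /usr/src /usr/obj /bin/chio \
  /bin/rcp \
  /bin/rmail /etc/amd.map /etc/apmd.conf /etc/bluetooth /etc/bluetooth/ \
  /etc/defaults/bluetooth.device.conf /etc/defaults/devfs.rules \
  /etc/defaults/pccard.conf /etc/devd.conf /etc/devfs.conf /etc/dhclient.conf \
  /etc/disktab /etc/hosts.lpd /etc/isdn/ /etc/namedb /etc/nsmb.conf /etc/ntp \
  /etc/pccard_ether /etc/pf.conf /etc/pf.os /etc/phones /etc/ppp /etc/ppp/ \
  /etc/printcap /etc/rc.firewall /etc/rc.firewall6 /etc/rc.initdiskless \
  /etc/rc.resume \
  /etc/rc.suspend /etc/remote /etc/rmt /etc/security /etc/usbd.conf \
  /kernel.GENERIC \
  /lib/geom/ /lib/libatm.so.2 /lib/libcam.so.2 /lib/libgeom.so.2 \
  /lib/libpcap.so.4 \
  /sbin/adjkerntz /sbin/atacontrol /sbin/atm /sbin/atmconfig /sbin/badsect \
  /sbin/bsdlabel /sbin/camcontrol /sbin/ccdconfig /sbin/clri /sbin/comcontrol \
  /sbin/conscontrol /sbin/devd /sbin/devfs /sbin/dhclient /sbin/dhclient-script \
  /sbin/disklabel /sbin/dmesg /sbin/dump /sbin/dumpfs /sbin/dumpon /sbin/fastboot \
  /sbin/fasthalt /sbin/fdisk /sbin/ffsinfo /sbin/fore_dnld /sbin/fsck \
  /sbin/fsck_4.2bsd /sbin/fsck_ffs /sbin/fsck_msdosfs /sbin/fsck_ufs /sbin/fsdb \
  /sbin/fsirand /sbin/g* /sbin/gbde /sbin/gcache /sbin/gconcat /sbin/geli \
  /sbin/geom \
  /sbin/ggatec /sbin/ggated /sbin/ggatel /sbin/gjournal /sbin/glabel \
  /sbin/gmirror \
  /sbin/gmultipath /sbin/gnop /sbin/gpart /sbin/graid /sbin/graid3 /sbin/growfs \
  /sbin/gsched /sbin/gshsec /sbin/gstripe /sbin/gvinum /sbin/gvirstor /sbin/halt \
  /sbin/ilmid /sbin/init /sbin/ip6fw /sbin/ipf /sbin/ipfs /sbin/ipfstat \
  /sbin/ipftest \
  /sbin/ipfw /sbin/ipmon /sbin/ipnat /sbin/ippool /sbin/ipresend /sbin/kldconfig \
  /sbin/kldload /sbin/kldstat /sbin/kldunload /sbin/mdconfig /sbin/mdmfs \
  /sbin/mknod \
  /sbin/mksnap_ffs /sbin/mount /sbin/mount_cd9660 /sbin/mount_devfs \
  /sbin/mount_ext2fs \
  /sbin/mount_fdescfs /sbin/mount_linprocfs /sbin/mount_linsysfs /sbin/mount_mfs \
  /sbin/mount_msdosfs /sbin/mount_nfs /sbin/mount_nfs4 /sbin/mount_ntfs \
  /sbin/mount_nullfs /sbin/mount_procfs /sbin/mount_reiserfs /sbin/mount_std \
  /sbin/mount_udf /sbin/mount_umapfs /sbin/mount_unionfs /sbin/natd /sbin/newfs \
  /sbin/newfs_msdos /sbin/nextboot /sbin/nfsiod /sbin/nos-tun /sbin/pfctl \
  /sbin/pflogd \
  /sbin/ping /sbin/ping6 /sbin/poweroff /sbin/quotacheck /sbin/raidctl \
  /sbin/rdump \
  /sbin/reboot /sbin/restore /sbin/route /sbin/routed /sbin/rrestore \
  /sbin/rtquery \
  /sbin/rtsol /sbin/savecore /sbin/sconfig /sbin/setkey /sbin/shutdown \
  /sbin/slattach \
  /sbin/spppcontrol /sbin/startslip /sbin/sunlabel /sbin/swapctl /sbin/swapoff \
  /sbin/swapon /sbin/tunefs /sbin/umount /usr/bin/bthost /usr/bin/btsockstat \
  /usr/bin/ftp /usr/bin/lastcomm /usr/bin/lp /usr/bin/lpq /usr/bin/lpr \
  /usr/bin/lprm \
  /usr/bin/lsvfs /usr/bin/mt /usr/bin/ncplist /usr/bin/ncplogin \
  /usr/bin/ncplogout \
  /usr/bin/nfsstat /usr/bin/pawd /usr/bin/pr /usr/bin/quota /usr/bin/rfcomm_spdd \
  /usr/bin/scp /usr/bin/sftp /usr/bin/showmount /usr/bin/sscop /usr/bin/stdbuf \
  /usr/bin/tcopy /usr/bin/tip /usr/bin/truss /usr/bin/usbhidaction \
  /usr/bin/usbhidctl \
  /usr/bin/vmstat /usr/bin/wall /usr/bin/write /usr/bin/yp* /usr/bin/ypchfn \
  /usr/bin/ypchpass /usr/bin/ypchsh /usr/bin/yppasswd /usr/games/ \
  /usr/include/altq/ \
  /usr/include/bluetooth.h /usr/include/bsm/ /usr/include/cam/ \
  /usr/include/camlib.h \
  /usr/include/dev/ /usr/include/fs/ /usr/include/geom/ /usr/include/isofs/ \
  /usr/include/libatm.h /usr/include/libgeom.h /usr/include/libufs.h \
  /usr/include/net80211/ /usr/include/netatalk/ /usr/include/netatm/ \
  /usr/include/netnatm/ /usr/include/netncp/ /usr/include/pcap-int.h \
  /usr/include/pcap-namedb.h /usr/include/pcap.h /usr/include/pccard/ \
  /usr/include/ufs/ /usr/lib/libatm.a /usr/lib/libatm.so /usr/lib/libatm_p.so \
  /usr/lib/libbluetooth.a /usr/lib/libbluetooth.so /usr/lib/libbluetooth.so.2 \
  /usr/lib/libbluetooth_p.a /usr/lib/libbluetooth_p.so /usr/lib/libcam.a \
  /usr/lib/libcam.so /usr/lib/libcam_p.a /usr/lib/libgeom.a /usr/lib/libgeom.so \
  /usr/lib/libgeom_p.a /usr/lib/libncp.a /usr/lib/libncp.so /usr/lib/libncp.so.2 \
  /usr/lib/libncp_p.a /usr/lib/libngatm.a /usr/lib/libngatm.so \
  /usr/lib/libngatm.so.2 \
  /usr/lib/libngatm_p.a /usr/lib/libpcap.a /usr/lib/libpcap.so \
  /usr/lib/libpcap_p.a \
  /usr/lib/libusbhid.a /usr/lib/libusbhid.so /usr/lib/libusbhid.so.1 \
  /usr/lib/libusbhid_p.a /usr/lib/libvgl.a /usr/lib/libvgl.so \
  /usr/lib/libvgl.so.4 \
  /usr/lib/libvgl_p.a /usr/lib/snmp_atm.so /usr/lib/snmp_atm.so.4 \
  /usr/lib/snmp_pf.so \
  /usr/lib/snmp_pf.so.4 /usr/libexec/bootpd /usr/libexec/bootpgw /usr/libexec/lpr \
  /usr/libexec/ntalkd /usr/libexec/pppoed /usr/libexec/rbootd \
  /usr/libexec/rpc.rquotad \
  /usr/libexec/rpc.rstatd /usr/libexec/rpc.ruserd /usr/libexec/rpc.rwalld \
  /usr/libexec/rpc.sprayd /usr/libexec/sendmail /usr/sbin/IPXrouted /usr/sbin/ac \
  /usr/sbin/accton /usr/sbin/acpiconf /usr/sbin/acpidb /usr/sbin/acpidump \
  /usr/sbin/amd /usr/sbin/amq /usr/sbin/ancontrol /usr/sbin/apm /usr/sbin/apmd \
  /usr/sbin/arlcontrol /usr/sbin/arp /usr/sbin/asf /usr/sbin/ath3kfw \
  /usr/sbin/atmarpd \
  /usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/authpf \
  /usr/sbin/bcmfw /usr/sbin/boot0cfg /usr/sbin/bootparamd /usr/sbin/bootpef \
  /usr/sbin/bootptest /usr/sbin/bt3cfw /usr/sbin/bthidcontrol /usr/sbin/bthidd \
  /usr/sbin/btxld /usr/sbin/burncd /usr/sbin/callbootd /usr/sbin/cdcontrol \
  /usr/sbin/config /usr/sbin/dconschat /usr/sbin/digictl /usr/sbin/diskinfo \
  /usr/sbin/dtmfdecode /usr/sbin/dtruss /usr/sbin/edquota /usr/sbin/faithd \
  /usr/sbin/fdcontrol /usr/sbin/fdformat /usr/sbin/fdread /usr/sbin/fdwrite \
  /usr/sbin/fixmount /usr/sbin/flowctl /usr/sbin/fsinfo /usr/sbin/fwcontrol \
  /usr/sbin/gstat /usr/sbin/hccontrol /usr/sbin/hcsecd /usr/sbin/hcseriald \
  /usr/sbin/hlfsd /usr/sbin/hostapd /usr/sbin/hostapd_cli /usr/sbin/iasl \
  /usr/sbin/ifmcstat /usr/sbin/ip6addrctl /usr/sbin/ipftest /usr/sbin/ipresend \
  /usr/sbin/ipsend /usr/sbin/iptest /usr/sbin/isdnd /usr/sbin/isdndebug \
  /usr/sbin/isdndecode /usr/sbin/isdnmonitor /usr/sbin/isdnphone \
  /usr/sbin/isdntel \
  /usr/sbin/isdntellctl /usr/sbin/isdntrace /usr/sbin/ispcvt /usr/sbin/jail \
  /usr/sbin/jexec /usr/sbin/jls /usr/sbin/kbdcontrol /usr/sbin/kbdmap \
  /usr/sbin/kernbb \
  /usr/sbin/kgmon /usr/sbin/kgzip /usr/sbin/kldxref /usr/sbin/l2control \
  /usr/sbin/l2ping /usr/sbin/lpc /usr/sbin/lpd /usr/sbin/lptcontrol \
  /usr/sbin/lptest \
  /usr/sbin/mailwrapper /usr/sbin/map-mbone /usr/sbin/memcontrol /usr/sbin/mixer \
  /usr/sbin/mk-amd-map /usr/sbin/mld6query /usr/sbin/mlxcontrol \
  /usr/sbin/mount_nwfs \
  /usr/sbin/mount_portalfs /usr/sbin/mount_smbfs /usr/sbin/mountd \
  /usr/sbin/moused \
  /usr/sbin/mptable /usr/sbin/mrinfo /usr/sbin/mrouted /usr/sbin/mtest \
  /usr/sbin/mtrace /usr/sbin/ndis_events /usr/sbin/ndiscvt /usr/sbin/ndisgen \
  /usr/sbin/ndp /usr/sbin/nfsd /usr/sbin/ngctl /usr/sbin/nghook /usr/sbin/ntpdate \
  /usr/sbin/pcardc /usr/sbin/pcardd /usr/sbin/pciconf /usr/sbin/pkg \
  /usr/sbin/pmccontrol /usr/sbin/pmcstat /usr/sbin/pnpinfo /usr/sbin/powerd \
  /usr/sbin/ppp /usr/sbin/pppctl /usr/sbin/pppd /usr/sbin/pppstats \
  /usr/sbin/praudit \
  /usr/sbin/procctl /usr/sbin/pstat /usr/sbin/quot /usr/sbin/quotaoff \
  /usr/sbin/quotaon /usr/sbin/rarpd /usr/sbin/raycontrol /usr/sbin/reqquota \
  /usr/sbin/rfcomm_pppd /usr/sbin/rip6query /usr/sbin/rmt /usr/sbin/route6d \
  /usr/sbin/rpc.lockd /usr/sbin/rpc.statd /usr/sbin/rpc.umntall \
  /usr/sbin/rpc.yppasswdd /usr/sbin/rpc.ypupdated /usr/sbin/rpc.ypxfrd \
  /usr/sbin/rrenumd /usr/sbin/rtadvctl /usr/sbin/rtadvd /usr/sbin/rtprio \
  /usr/sbin/rtsold /usr/sbin/sa /usr/sbin/sade /usr/sbin/scon /usr/sbin/scspd \
  /usr/sbin/sdpcontrol /usr/sbin/sdpd /usr/sbin/sicontrol /usr/sbin/sliplogin \
  /usr/sbin/slstat /usr/sbin/snapinfo /usr/sbin/spkrtest /usr/sbin/spray \
  /usr/sbin/swapinfo /usr/sbin/sysinstall /usr/sbin/tcpdrop /usr/sbin/tcpdump \
  /usr/sbin/tcpslice /usr/sbin/timedc /usr/sbin/traceroute /usr/sbin/traceroute6 \
  /usr/sbin/trpt /usr/sbin/usbd /usr/sbin/usbdevs /usr/sbin/usbdump \
  /usr/sbin/vidcontrol /usr/sbin/vidfont /usr/sbin/vnconfig /usr/sbin/watchdog \
  /usr/sbin/watchdogd /usr/sbin/wicontrol /usr/sbin/wire-test /usr/sbin/wlconfig \
  /usr/sbin/wpa_cli /usr/sbin/wpa_supplicant /usr/sbin/zhack /usr/sbin/zzz \
  /usr/share/doc/ /usr/share/examples/ /usr/share/games/ /usr/share/info/ \
  /usr/share/isdn/ /usr/share/man /usr/share/misc/fonts/ \
  /usr/share/misc/keycap.pcvt \
  /usr/share/misc/pci_vendors /usr/share/misc/pcvtfonts/ \
  /usr/share/misc/scsi_modes \
  /usr/share/misc/usb_hid_usages /usr/share/misc/windrv_stub.c /usr/share/pcvt/ \
  /usr/share/syscons/ /var/account/ /var/db/ipf/ /var/games/ /usr/libexec/lpr \
  /usr/libexec/sftp-server
EOF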
