jgreco (Resident Grinch)
I think that's something that would go along very well with iocage. Having a base system is obviously useful, but minimizing the attack surface is always good.
One-size-fits-all solutions are more of a -fits-one thing, but even a write-up of the procedure for one of your examples would be very interesting. A lot of it would also translate over to Linux in concept, I imagine.
The devil is in the details. In theory, the procedure is approximately just
tar xvf somepackage.tar
cd somepackage
./configure --prefix=/foojail
make install
but in practice, this just gets you part of the way. Each application has its own ins and outs, and there's dreary stuff like linkers and libc.
One of my primary goals has been to separate applications (the thing an OS is providing to the world) from the OS itself. This is basically a critical error that the major OSes make. If you want to set up a web server, SQL server, and DNS server on your FreeBSD host, the classic strategy is that you install the packages and then twiddle with random files intermingled inside your OS. But ports has been ... ah ... "inconsistent" over the long haul, leaving systems with multiple configuration boogerfiles, and heaven help you if you run into a package that needs a newer OpenSSL major version and another package doesn't support it -- you get into the upgrade and things actually break. The smart thing is for each app to have its own SSL, and for that to have been validated to work. You can then separately update the apps.
And then there's the big one. Trying to figure out how a random Linux or FreeBSD box is doing its tricks, or what those tricks even are, can be an unpleasant experience. And let's not even talk about Apache with its nearly ten thousand lines of default configuration. How do you figure out what the differences between the default and the current configuration are, given that so many people hack on the default files?
So you compartmentalize that too. Compartmentalize all the Apache-carp over in /www/etc, where it wants to live, as part of the "defaults". But the actual webserver configuration for the thing being served is configured as an include, and lives over in /www/conf. That way the /www/etc stuff stays untouched, and the deltas needed to make the webserver work are in /www/conf.
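The etc/ versus conf/ split described above, as an added shell example (not jgreco's code): the shipped defaults are checksummed right after install so that an in-place edit is detectable later, and the site delta is simply whatever lives under conf/. The prefix, file contents and the IncludeOptional directive are constructed for the demo.

```shell
#!/bin/sh
# Layout from the post: shipped defaults in $PREFIX/etc (never edited),
# site-specific deltas in $PREFIX/conf, pulled in by a single Include line.
# The checks below answer "what differs from the defaults?" without diffing
# a 10k-line httpd.conf: etc/ is checksummed at install time, and everything
# under conf/ is, by construction, the delta.
set -eu

# Build a throwaway prefix with constructed sample files (not a real install).
setup_demo_prefix() {
    prefix=$1
    mkdir -p "$prefix/etc" "$prefix/conf"
    # Stand-in for the vendor's default config; the only local touch is the Include.
    cat > "$prefix/etc/httpd.conf" <<'EOF'
ServerRoot "/www"
Listen 80
# Site configuration lives outside the defaults tree:
IncludeOptional /www/conf/*.conf
EOF
    # The site's delta: the only file an admin is expected to edit.
    cat > "$prefix/conf/site.conf" <<'EOF'
ServerName www.example.com
DocumentRoot "/www/htdocs"
EOF
    # Record checksums of the defaults right after install
    # (cksum is POSIX, so this behaves the same on FreeBSD and Linux).
    ( cd "$prefix/etc" && cksum ./*.conf ) > "$prefix/etc.cksum"
}

# Return 0 if every file in etc/ still matches its recorded checksum, else 1.
defaults_pristine() {
    prefix=$1
    current=$( cd "$prefix/etc" && cksum ./*.conf )
    recorded=$(cat "$prefix/etc.cksum")
    [ "$current" = "$recorded" ]
}

# Print the site deltas: by construction, that is just the contents of conf/.
list_deltas() {
    ls "$1/conf"
}

# Combined check, suitable for a cron job or a pre-upgrade sanity pass.
check_layout() {
    prefix=$1
    if ! defaults_pristine "$prefix"; then
        echo "WARNING: $prefix/etc was edited in place; deltas belong in conf/" >&2
        return 1
    fi
    echo "OK: $prefix/etc matches the shipped defaults; site deltas:"
    list_deltas "$prefix"
}
```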