Date: Tue, 20 May 2008 15:57:48 +0200 (CEST)
Message-Id: <200805201357.m4KDvmwd061206@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-java@FreeBSD.ORG, frank@harz.behrens.de
In-Reply-To: <200805201225.m4KCPBF1099241@post.frank-behrens.de>
Subject: Re: JDK minimum chroot environment
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.2-STABLE-20070808 (i386))
List-Id: Porting Java to FreeBSD

Frank Behrens wrote:
> Oliver Fromme wrote:
> > I would like to create a chroot environment which will
> > contain JDK 1.6 and a Tomcat-based application. The
> > base system within the chroot (FreeBSD/amd64 7-stable)
> > should be as small as possible.
>
> I had this in the past with JDK1.4 and FreeBSD-5/6 in a jail. It was
> a minimal system; I copied only the required libraries into the jail
> (based on ldd output).

Actually I would prefer to use a jail, too, but this service needs
to use several IP addresses, so I have to use chroot instead of jail.

> I cannot guarantee that my following statements are still true for
> current systems. Please note that I used i386 and your amd64 may have
> other libraries.

Thank you very much for your comments. They're very helpful.

> > - /usr/share except for /usr/share/misc/termcap.db

(Note: I'd like to be able to open a shell prompt within the chroot,
that's why I keep the termcap.)

> I had only /usr/share/zoneinfo

Hm. Is it required? I think it will be sufficient to have
/etc/localtime for correct time zone information, but I'm not
100% sure ... Maybe the JDK stuff does strange things with the
zoneinfo files?

> /sbin/ldconfig may be necessary

OK, I also keep /sbin/{md5,sha1,sha256}.

> in /usr/sbin I had daemon and nologin

OK, I also keep the pkg_* tools and a few other things.

> > Will the JDK still work reliably without the above things?
>
> I had it working for some time. The only difficult thing was the
> update of binaries on OS updates. A full jail (ezjail) is easier to
> handle.

Yes, I'm aware of that ... I hope OS updates within the chroot
don't have to happen often.

Thanks for your information!

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Munich registry
court, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
        -- David Bradley, original IBM PC design team
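The procedure Frank describes (copy only the binaries you need plus the shared libraries that ldd reports for them) is easy to script. The following POSIX shell helper is an added example, not code from either poster: it parses ldd-style output, copies each binary and its libraries into a chroot root while preserving their paths, and finishes with a check that no setuid/setgid files ended up inside the tree. The function names, the `/var/chroot/tomcat` path in the usage comment and the sample ldd lines are this example's own assumptions; the ldd output format it handles is the usual `name => /path (addr)` line plus the bare loader line, which covers both FreeBSD and Linux ldd.

```shell
#!/bin/sh
# Minimal-chroot builder (added example, assumed helper names).
# Usage: populate_chroot /var/chroot/tomcat /bin/sh /usr/local/bin/java
#        audit_setuid   /var/chroot/tomcat

# Extract shared-library paths from ldd-style output on stdin.
# Handles "libfoo.so => /path/libfoo.so (0x...)" lines and the bare
# loader line "/libexec/ld-elf.so.1 (0x...)"; skips "not found"
# entries and the "binary:" header ldd prints for each file.
ldd_paths() {
    awk '
        /:$/        { next }      # per-binary header line, e.g. "/bin/sh:"
        /not found/ { next }      # unresolved library: nothing to copy
        /=>/        { print $3; next }   # "lib => /path (addr)"
        $1 ~ /^\//  { print $1 }  # loader line "/libexec/ld-elf.so.1 (addr)"
    ' | LC_ALL=C sort -u
}

# Copy one file into the chroot root ($1), recreating its directory.
# cp -p keeps mode and mtime so later comparisons against the host
# (e.g. after an OS update) can use plain stat/cmp.
copy_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# For every binary given, copy it plus every library ldd resolves for it.
# ldd fails on static binaries; its stderr is dropped and the loop is
# simply empty in that case.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_into "$root" "$bin"
        for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
            copy_into "$root" "$lib"
        done
    done
}

# List setuid/setgid files under the tree. A minimal chroot for a
# service normally needs none, and each one widens the privilege
# boundary, so this should print nothing on a finished tree.
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}
```

Run `populate_chroot` once per set of binaries you want inside the tree, then `audit_setuid` on the result; re-running `populate_chroot` after a host OS update refreshes the copied binaries and libraries in place, which addresses the update problem Frank mentions without a full jail.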