Odd Red Dog

Setting up a chrooted Erlang jail on OpenBSD 5.3

23 June 2013

Here are some instructions on how to chroot an Erlang VM on OpenBSD 5.3. My ultimate goal is to eventually run YAWS or some other web server on it.

This assumes the following:

  • The chroot will go under /tmp/chroot. Obviously this is only for demonstration purposes so change it accordingly.
  • Erlang was already compiled and is ready to install (i.e. using gmake install ...).
  • The user that will actually run the chroot is web.
  • We want just enough of an Erlang runtime environment to be able to issue an HTTPS request to www.google.com. It is possible I skipped over some other shared library that you might need.
  • It might be a good idea to try to run the actual chroot in some virtual file system or another partition so that the main partitions are protected in case the file system gets filled up.

Steps

$ su - # Enter root shell
$ adduser # Then enter details for the web user
$ cd /tmp
$ mkdir chroot
$ cd chroot
$ mkdir -p dev etc usr/lib usr/libexec var/log bin usr/local usr/bin
$ cd dev
$ /dev/MAKEDEV std random
$ rm console klog kmem ksyms mem xf86
$ cd ../etc
$ cp /etc/{hosts,resolv.conf,localtime} .
$ cd ..
$ cp /bin/ksh bin
$ cp /bin/sh bin
$ # cd to where erlang was compiled
$ gmake install DESTDIR=/tmp/chroot
$ cd /tmp/chroot
$ cp /usr/lib/libm.so.7.1 usr/lib
$ cp /usr/lib/libc.so.66.2 usr/lib
$ cp /usr/libexec/ld.so usr/libexec
$ cp /usr/lib/libutil.so.11.4 usr/lib
$ cp /usr/lib/libncurses.so.12.1 usr/lib
$ cp /usr/lib/libpthread.so.17.0 usr/lib
$ cp /usr/lib/libssl.so.19.0 usr/lib
$ cp /usr/bin/sed usr/bin
$ cd ..
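
The library list above was assembled by hand, and as noted some shared library may have been skipped. As an added example (not part of the original post), this script reads ldd output and lists every shared object that is not yet present under the chroot. The sample ldd text, its addresses, /path/to/program and libexample.so.1.0 are constructed placeholders, and the column layout is assumed to match OpenBSD's ldd.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample in the layout OpenBSD's ldd prints: object type in the
# third column, path in the last. Addresses are made up; /path/to/program
# and libexample.so.1.0 are placeholders, not real files.
sample_ldd() {
cat <<'EOF'
/path/to/program:
    Start            End              Type Open Ref GrpRef Name
    0000000000400000 0000000000810000 exe  1    0   0      /path/to/program
    0000000201000000 0000000201400000 rlib 0    1   0      /usr/lib/libc.so.66.2
    0000000202000000 0000000202400000 rlib 0    1   0      /usr/lib/libexample.so.1.0
    0000000203000000 0000000203100000 rtld 0    1   0      /usr/libexec/ld.so
EOF
}

# missing_libs ROOT: read ldd output on stdin and print each shared library
# (rlib) or runtime linker (rtld) that does not exist under ROOT.
# The exe row (the program itself) and the header rows are ignored.
missing_libs() {
    root=$1
    awk '($3 == "rlib" || $3 == "rtld") && $NF ~ /^\// { print $NF }' |
    sort -u |
    while read -r lib; do
        [ -e "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# Demo: build a throwaway root that holds only libc and ld.so, then report
# what the sample program would still be missing inside it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/lib" "$root/usr/libexec"
    : > "$root/usr/lib/libc.so.66.2"
    : > "$root/usr/libexec/ld.so"
    sample_ldd | missing_libs "$root"
    rm -rf "$root"
}

demo   # prints /usr/lib/libexample.so.1.0
```

On the OpenBSD host, pipe real output into it instead of the sample, for example `ldd /usr/bin/sed | missing_libs /tmp/chroot`, and repeat for each dynamically linked binary copied or installed into the chroot.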

Then the moment of truth:

$ chroot -u web chroot usr/local/bin/erl
Eshell V5.10.3  (abort with ^G)
1> application:start(asn1).
ok
2> application:start(crypto).
ok
3> application:start(public_key).
ok
4> application:start(ssl).
ok
5> application:start(inets).
ok
6> httpc:request("https://www.google.com").