From owner-freebsd-ports@freebsd.org Tue Nov 27 08:25:27 2018
Subject: Re: packages and base jails
To: Eugene Grosbein, "Michael W. Lucas", ports@freebsd.org
References: <20181126202407.GA95942@mail.michaelwlucas.com> <3348f9bf-8fb3-e6a7-6878-15e1fcfed62d@grosbein.net>
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tue, 27 Nov 2018 09:25:09 +0100
In-Reply-To: <3348f9bf-8fb3-e6a7-6878-15e1fcfed62d@grosbein.net>
List-Id: Porting software to FreeBSD

Eugene Grosbein wrote on 2018/11/27 00:42:
> 27.11.2018 3:24, Michael W. Lucas wrote:
>>
>> Hi,
>>
>> I'm writing a book on jails and am looking for BCP. I'd like to
>> present either "This is the approved solution and should work" or
>> "these are the gotchas with any of these, choose your pain."
>>
>> Folks want base jails to include packages, but also want to install
>> additional packages--which won't happen if /usr/local is mounted
>> read-only in the base jail. Trawling around the Net I see a couple of
>> options. Both involve the primary jail using a different package
>> repo. The overlay jail uses the standard package repo.
>>
>> 1) primary jail uses a repo with PREFIX=/usr/pkg or /opt. Works in my
>> simple use cases once I set ldconfig directories in rc.conf, but I'm
>> told programs like pkgconfig can go sideways.
>>
>> 2) base jail repo uses PREFIX=/. Utterly violates separation of
>> base and pkg, but everything should find everything out of the
>> box. Again, seems to work in my wimpy use cases.
>>
>> Is there an option that should work? Or is it a matter of choosing
>> between horrors?
>
> Not sure I understand the problem, which I don't have using sysutils/ezjail
> that uses a base jail situated in /usr/local/j/basejail in my case.
>
> For each distinct jail instance, it null-mounts it read-only
> to /usr/local/j/${JAILNAME}/basejail, and /usr/local/j/${JAILNAME} is the jail's root.
> Inside this root, /bin is a symlink to /basejail/bin, and /boot, /libexec, /rescue
> and /sbin are similar symlinks, as are /usr/{bin|include|lib|lib32|libdata|libexec|ports|sbin|share},
> all symlinks to the corresponding directories inside the ro-mounted /basejail/usr/...
>
> But not /usr/local nor /usr/{src|obj}, if that matters. So each jail has its own
> set of packages or even ports if I choose to null-mount the host's /usr/ports read-only
> to /usr/local/j/${JAILNAME}/basejail/usr/ports and write to the jail's /etc/make.conf:

I guess Michael wants to have some packages installed in the shared basejail (packages common to all jails) and some packages later installed separately in jails. And this is something that I would never do. :)

But you can try some union fs overlay on top of shared /usr/local. But again - I will not do this in a production environment.

Miroslav Lachman
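An added example, not part of the thread and not ezjail's own code: a POSIX sh audit of a jail root for the layout Eugene describes, checking that the system directories are symlinks into /basejail, that /usr/local is a real per-jail directory rather than a link into the shared tree, and that the basejail nullfs mount is read-only. It assumes the /usr/local/j/${JAILNAME} paths from the thread and the FreeBSD `mount` output format `src on dst (nullfs, local, read-only)`; the mount line is passed in as a string so the check runs offline against constructed data.

```shell
#!/bin/sh
# check_jail_layout <jail_root> <mount_line>: returns 0 when the jail root
# matches the ezjail-style layout, 1 otherwise (each problem is printed).
check_jail_layout() {
    root=$1; mountline=$2; rc=0
    # Top-level system dirs must point into the shared, read-only basejail.
    for d in bin boot libexec rescue sbin; do
        [ "$(readlink "$root/$d")" = "/basejail/$d" ] \
            || { echo "BAD: /$d is not a symlink to /basejail/$d"; rc=1; }
    done
    # Same for the shared parts of /usr.
    for d in bin include lib lib32 libdata libexec ports sbin share; do
        [ "$(readlink "$root/usr/$d")" = "/basejail/usr/$d" ] \
            || { echo "BAD: /usr/$d is not a symlink to /basejail/usr/$d"; rc=1; }
    done
    # Per-jail package tree: a real directory, never a link into basejail.
    if [ -L "$root/usr/local" ] || [ ! -d "$root/usr/local" ]; then
        echo "BAD: /usr/local is not a private directory"; rc=1
    fi
    # The nullfs mount of basejail must carry the read-only flag, e.g.
    # "/usr/local/j/basejail on $root/basejail (nullfs, local, read-only)"
    case $mountline in
        *" on $root/basejail (nullfs"*read-only*) ;;
        *) echo "BAD: basejail is not a read-only nullfs mount"; rc=1 ;;
    esac
    return $rc
}

# make_sample_jail <jail_root>: build a constructed jail root (sample data,
# not a real jail) mirroring the layout described in the thread.
make_sample_jail() {
    root=$1
    mkdir -p "$root/basejail/usr" "$root/usr/local" "$root/etc"
    for d in bin boot libexec rescue sbin; do ln -s "/basejail/$d" "$root/$d"; done
    for d in bin include lib lib32 libdata libexec ports sbin share; do
        ln -s "/basejail/usr/$d" "$root/usr/$d"
    done
}

# Example run against constructed data; JAILNAME "www" is a placeholder.
J=$(mktemp -d)/www
make_sample_jail "$J"
check_jail_layout "$J" "/usr/local/j/basejail on $J/basejail (nullfs, local, read-only)" \
    && echo "layout OK"
```

On a live host the second argument would come from `mount | grep " on ${JAIL_ROOT}/basejail "`.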