Date: Wed, 26 Aug 2020 02:06:26 -0700
From: David Christensen <dpchrist@holgerdanske.com>
To: freebsd-questions@freebsd.org
Subject: Re: Jail question: packages with relative symlinks
Message-ID: <903bb601-f4d6-ed72-6cdd-6f22219e485b@holgerdanske.com>
In-Reply-To: <7c3ad6a6-5ff1-5816-dc23-83d80590baac@kicp.uchicago.edu>
References: <f3636f36-b6ce-3e8a-878a-bf8d5f75144d@kicp.uchicago.edu>
 <24d244da-43e4-9a5e-e940-3f183bc5a50e@holgerdanske.com>
 <9127e9ca-c6be-d007-bd82-fdf7c5508242@kicp.uchicago.edu>
 <7c3ad6a6-5ff1-5816-dc23-83d80590baac@kicp.uchicago.edu>
On 8/25/20 2:30 PM, Valeri Galtsev wrote:
>
> On 8/25/20 4:12 PM, Valeri Galtsev wrote:
>>
>> On 8/25/20 3:50 PM, David Christensen wrote:
>>> On 2020-08-25 09:51, Valeri Galtsev wrote:
>>>> Dear Experts,
>>>>
>>>> I've got a question about jails, namely, what do you do if some
>>>> package you install in a jail brings relative symlink(s)?
>>>>
>>>> I install jails "by the book", and if relative symlinks are in
>>>> /usr/local there is no problem with those, as in the jail the
>>>> equivalent of /usr/local is
>>>>
>>>> /s/usr-local
>>>>
>>>> and the depth is the same as on the real system. However, /etc in
>>>> the jail is
>>>>
>>>> /s/etc
>>>>
>>>> and if a package brings a relative symlink into /etc, in the jail it
>>>> will point nowhere. I just resolved this failure for the package
>>>> ca_root_nss in a jail. This package places in
>>>>
>>>> /etc/ssl
>>>>
>>>> the relative symlink:
>>>>
>>>> cert.pem --> ../../usr/local/share/certs/ca-root-nss.crt
>>>>
>>>> In the jail, however, it is situated in
>>>>
>>>> /s/etc/ssl
>>>>
>>>> so the above relative symlink points nowhere. I did a "trivial"
>>>> thing, just replaced the relative symlink with an absolute one:
>>>>
>>>> cert.pem --> /usr/local/share/certs/ca-root-nss.crt
>>>>
>>>> and as this symlink is owned by the package ca_root_nss, I locked
>>>> that package, to prevent it from "automagically" replacing the
>>>> symlink with a relative one if an updated package is installed.
>>>>
>>>> This is kind of a crude solution, standing next to a "hack", so I do
>>>> not like what I did.
>>>>
>>>> I wonder how jail experts deal with relative symlinks when some
>>>> package brings them into a place where the filesystem depth in the
>>>> jail is different from the real system.
>>>>
>>>> Thanks.
>>>> Valeri
>>>
>>> I am no jail expert, but AIUI jails include chroot(8) functionality.
>>> So, all paths used within a jail will be resolved within the jailed
>>> tree.
>>>
>>> If you log in to the jail as root and install your software from
>>> there, it should just work.
>>>
>>
>> Having that structure with the symlinks I have mentioned has a special
>> purpose. That purpose is: the base system is mounted read-only inside
>> the jail, and only things that have to be read-write are read-write.
>>
>
> I probably didn't explain things in enough detail.
>
> My jail has its root in:
>
> /jail/[jailname]
>
> so everything that is inside the jail is visible on the host filesystem as:
>
> /jail/[jailname]/s/etc
> /jail/[jailname]/etc --> s/etc
> /jail/[jailname]/usr
> /jail/[jailname]/s/usr-local
> /jail/[jailname]/usr/local --> ../s/usr-local
> ...
>
> The
>
> /jail/[jailname]
>
> is the base system mounted read-only (with symlinks such as etc pointing
> to s/etc, and others which point to a single place
>
> /jail/[jailname]/s
>
> which is mounted read-write), and this is the only place inside the jail
> which is read-write. This is the wonderful idea which makes the base
> system read-only inside the jail. And it is convenient, as you maintain
> only one base system (of a given version) for all jails. And as you
> correctly said, chroot is used (in addition to other things), so inside
> the jail what on the host is /jail/[jailname]/ is plainly /
>
> I hope this provides enough detail to un-confuse things (and the need
> for symlinks when one sets up jails "by the book", meaning the FreeBSD
> Handbook).
>
> Valeri
>
>> This basically precludes using what you suggest without diminishing
>> the robustness of jails.
>>
>> Thanks for your input though!
>>
>> Valeri

Have you tried mount_unionfs(8)?

David
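The failure Valeri describes can be reproduced offline. The following is an added example, not code from the thread or from any FreeBSD tool: a small chroot-style path resolver (absolute link targets restart at the jail root, `..` never climbs above it) run over a constructed miniature of the `/s` layout, showing the shipped relative `cert.pem` link dangling and the absolute replacement resolving. The function names and the temporary tree are this example's own.

```python
"""Chroot-style symlink resolution over a constructed copy of the jail layout."""
import os, shutil, tempfile
from collections import deque

MAXSYMLINKS = 32  # loop guard, standing in for the kernel's ELOOP limit

def resolve_in_jail(root, path):
    """Return the jail-relative path that `path` ends at, or None if it dangles.
    Absolute link targets restart at the jail root; '..' never escapes it."""
    parts, resolved, hops = deque(p for p in path.split("/") if p), [], 0
    while parts:
        comp = parts.popleft()
        if comp == "..":
            if resolved: resolved.pop()
        elif comp != ".":
            resolved.append(comp)
            phys = os.path.join(root, *resolved)
            if os.path.islink(phys):
                hops += 1
                if hops > MAXSYMLINKS:
                    return None
                target = os.readlink(phys)
                resolved.pop()  # the link component is replaced by its target
                if target.startswith("/"):
                    resolved = []  # absolute: lookup restarts at the jail root
                parts.extendleft(p for p in reversed(target.split("/")) if p)
            elif not os.path.lexists(phys):
                return None
    return "/" + "/".join(resolved)

def demo():
    """Constructed miniature of the thread's layout: read-only base with
    /etc -> s/etc and /usr/local -> ../s/usr-local into the read-write /s."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "s/usr-local/share/certs"))
        os.makedirs(os.path.join(root, "s/etc/ssl"))
        os.mkdir(os.path.join(root, "usr"))
        os.symlink("s/etc", os.path.join(root, "etc"))
        os.symlink("../s/usr-local", os.path.join(root, "usr/local"))
        open(os.path.join(root, "s/usr-local/share/certs/ca-root-nss.crt"), "w").close()
        link = os.path.join(root, "s/etc/ssl/cert.pem")
        os.symlink("../../usr/local/share/certs/ca-root-nss.crt", link)  # as shipped
        shipped = resolve_in_jail(root, "/etc/ssl/cert.pem")
        os.remove(link)
        os.symlink("/usr/local/share/certs/ca-root-nss.crt", link)  # the thread's fix
        return shipped, resolve_in_jail(root, "/etc/ssl/cert.pem")
    finally:
        shutil.rmtree(root)
```

`demo()` returns `None` for the shipped link (from `/s/etc/ssl` the `../..` lands in `/s`, where there is no `usr`) and the physical path under `/s/usr-local` for the absolute one.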