From owner-freebsd-questions@freebsd.org Wed Aug 26 09:06:51 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 23C703CEF03 for ; Wed, 26 Aug 2020 09:06:51 +0000 (UTC) (envelope-from dpchrist@holgerdanske.com) Received: from holgerdanske.com (holgerdanske.com [IPv6:2001:470:0:19b::b869:801b]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "www.holgerdanske.com", Issuer "www.holgerdanske.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Bc0NV0769z4tjQ for ; Wed, 26 Aug 2020 09:06:49 +0000 (UTC) (envelope-from dpchrist@holgerdanske.com) Received: from dpchrist-mbp.tracy.holgerdanske.com (99-100-19-101.lightspeed.frokca.sbcglobal.net [99.100.19.101]) by holgerdanske.com with ESMTPSA (TLS_AES_128_GCM_SHA256:TLSv1.3:Kx=any:Au=any:Enc=AESGCM(128):Mac=AEAD) (SMTP-AUTH username dpchrist@holgerdanske.com, mechanism PLAIN) for ; Wed, 26 Aug 2020 02:06:36 -0700 Subject: Re: Jail question: packages with relative symlinks To: freebsd-questions@freebsd.org References: <24d244da-43e4-9a5e-e940-3f183bc5a50e@holgerdanske.com> <9127e9ca-c6be-d007-bd82-fdf7c5508242@kicp.uchicago.edu> <7c3ad6a6-5ff1-5816-dc23-83d80590baac@kicp.uchicago.edu> From: David Christensen Message-ID: <903bb601-f4d6-ed72-6cdd-6f22219e485b@holgerdanske.com> Date: Wed, 26 Aug 2020 02:06:26 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: <7c3ad6a6-5ff1-5816-dc23-83d80590baac@kicp.uchicago.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4Bc0NV0769z4tjQ X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of dpchrist@holgerdanske.com has no SPF policy when checking 2001:470:0:19b::b869:801b) smtp.mailfrom=dpchrist@holgerdanske.com X-Spamd-Result: default: False [3.19 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.42)[0.420]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; TO_DN_NONE(0.00)[]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_MEDIUM(0.89)[0.891]; ARC_NA(0.00)[]; NEURAL_SPAM_LONG(0.98)[0.982]; DMARC_NA(0.00)[holgerdanske.com]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-questions] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Aug 2020 09:06:51 -0000 On 8/25/20 2:30 PM, Valeri Galtsev wrote: > > > On 8/25/20 4:12 PM, Valeri Galtsev wrote: >> >> >> On 8/25/20 3:50 PM, David Christensen wrote: >>> On 2020-08-25 09:51, Valeri Galtsev wrote: >>>> Dear Experts, >>>> >>>> I've got question about jails, namely, what do you do if some >>>> package you install in jail brings relative symlink(s)? >>>> >>>> I install jails "by the book" and if relative symlinks are in >>>> /usr/local, there is no problem with those, as in jail an equivalent >>>> of /usr/local is >>>> >>>> /s/usr-local >>>> >>>> and the depth is the same as on real system. However, /etc in jail is >>>> >>>> /s/etc >>>> >>>> and if package brings relative symlink to /etc, in jail it will >>>> point nowhere. I just resolved this failure for package ca_root_nss >>>> in jail. This package places in >>>> >>>> /etc/ssl >>>> >>>> relative symlink: >>>> >>>> cert.pem --> ../../usr/local/share/certs/ca-root-nss.crt >>>> >>>> In jail, however it is situated in >>>> >>>> /s/etc/ssl >>>> >>>> so the above relative symlink points nowhere. I did a "trivial" >>>> thing, just replaced relative symlink with absolute one: >>>> >>>> cert.pem --> /usr/local/share/certs/ca-root-nss.crt >>>> >>>> ,and as this symlink is owned by the package ca_root_nss, I locked >>>> that package, to prevent it from "automagically" replacing symlink >>>> with relative if updated package is installed. >>>> >>>> This is kind of crude solution, standing next to the "hack", so I do >>>> not like what I did. >>>> >>>> >>>> I wonder, how jail experts deal with relative symlinks when some >>>> package brings it into place where filesystem depth in jail is >>>> different from real system. >>>> >>>> >>>> Thanks. >>>> Valeri >>> >>> I am no jail expert, but AIUI jails include chroot(8) functionality. >>> So, all paths used within a jail will be resolved within the jailed >>> tree. >>> >>> >>> If you log in to the jail as root and install your software from >>> there, it should just work. >>> >> >> Having that structure with symlinks I have mentioned has a special >> purpose. That purpose is: the base system is mounted read only inside >> the jail, and only things that have to be read-write are read-write. >> > > I probably didn't explain things detailed enough. > > my jail has its root in: > > /jail/[jailname] > > so all what is inside jail on host filesystem is visible as: > > /jail/[jailname]/s/etc > /jail/[jailname]/etc --> s/etc > /jail/[jailname]/usr > /jail/[jailname]/s/usr-local > /jail/[jailname]/usr/local --> ../s/usr-local > ... > > the > > /jail/[jailname] > > is base system mounted read-only (with symlinks etc pointing to s/etc, > and others which point to a single place > > /jail/[jailname]/s > > which is mounted read-write, and this is the only place inside jail > which  is read-write. This is the wonderful idea which inside jail makes > base system read-only. And it is convenient, as you maintain only one > base system (of given version) for all jails. And as you correctly said, > chroot is used (in addition to other things), so inside jail what on > host is /jail/[jailname]/ is plainly / > > I hope, this provides enough detail to un-confuse things (and the need > of symlinks when one sets up jails "by the book", meaning FreeBSD Handbook) > > Valeri > >> This basically precludes using what you suggest without diminishing >> robustness of jails. >> >> Thanks for your input though! >> >> Valeri Have you tried mount_unionfs(8)? David