Date: Sat, 20 Aug 2011 19:18:15 +0100
From: Chris Rees <crees@freebsd.org>
To: Jason Helfman <jhelfman@e-e.com>
Cc: Kostik Belousov <kostikbel@gmail.com>, Glen Barber <gjb@freebsd.org>, ports@freebsd.org
Subject: Re: [Request for Comments] Adding a JAILED meta-variable to bsd.port.mk
Message-ID: <CADLo838JTL5sGBJsYm4CYFVS37sG17V9L-dC1xyhNjgh%2BDD69w@mail.gmail.com>
In-Reply-To: <91b826baee57a450a519fee1c7032a5c.squirrel@mail.experts-exchange.com>
References: <4E4F95FD.907@FreeBSD.org> <20110820115203.GH17489@deviant.kiev.zoral.com.ua> <4E4FA589.7070303@FreeBSD.org> <20110820124443.GJ17489@deviant.kiev.zoral.com.ua> <4E4FBA13.4050009@FreeBSD.org> <91b826baee57a450a519fee1c7032a5c.squirrel@mail.experts-exchange.com>

On 20 August 2011 18:46, Jason Helfman <jhelfman@e-e.com> wrote:
>> On 8/20/11 8:44 AM, Kostik Belousov wrote:
>>>> One thing I can think of off-hand to fix this in that case is setting a
>>>> local environment variable to disable a check for security.jail.jailed.
>>>> Would this be an ok solution for those cases? If not, I happily agree
>>>> that this change should not be made then.
>>>>
>>>> I have an updated patch to bsd.port.mk that looks for a local
>>>> environment variable, PKGJAIL - if it is set, then JAILED is unset.
>>>> Would this be acceptable?
>>> The change would require user to do a configuration for a thing that
>>> previously just worked. What is the point ?
>>>
>>
>> I suppose the specific problem I am trying to solve is a case where a
>> user builds a port within a jail with the expectation that the port will
>> in fact run within the jail with little or no changes. Perhaps
>> security/sshguard-pf and databases/postgresql*-server are not the most
>> ideal examples of where this would be relevant.
>>
>> I agree that a configuration change for something that worked before is
>> not the best solution. So, I retract this change proposal.
>>
>> Again, thank you for the feedback and pointing out that this would have
>> had negative impact on those using jails for package building.
>>
>> Regards,
>>
>> Glen
>>
> I, myself, have not installed or built enough packages in jails to find
> this issue, however I am using tinderbox for maintaining my ports,
> submitting ports, or patches, as well as maintaining a local ports tree.
>
> In doing this, and maintaining our operational environment, I am finding
> many conditions where you may want to do one thing or another, and the
> possibilities I have found can be endless, so it could be argued to not
> introduce global functionality for the X number of ports/packages that
> need it, however to code the port to be aware of these conditions in the
> packaging scripts.
>
> For example, you could test for values of sysctl, or another condition.
> Based on the result, perform X action. Although, I haven't done this
> specifically for a jail, I don't see why the same practice couldn't be
> exercised.
>
> These, I believe, can all be taken advantage of in subsequent pkg-*
> files.
>

Hm, not a fan of getting output of sysctl for many ports -- that'd
take forever in INDEX generation for example.

Perhaps we could just introduce a JAILED variable and leave it at that?

Chris
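
An added example, not part of the original message or of the ports tree: a pkg-install script that reads security.jail.jailed at install time, as the quoted suggestion about pkg-* files describes, so the check runs on the machine or jail where the package is installed rather than in bsd.port.mk during the build or INDEX generation. The SYSCTL_CMD override, the function names and the messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ports tree): install-time jail check.

# Command used to read sysctl values. Overridable so the logic can be
# exercised off FreeBSD (hypothetical knob, not a ports framework variable).
: "${SYSCTL_CMD:=sysctl}"

# Print "jailed", "host" or "unknown" for the environment we are running in.
# "unknown" covers a missing sysctl binary, a missing OID or unexpected output,
# so the caller never treats a failed lookup as "not jailed".
jail_state() {
    val=$($SYSCTL_CMD -n security.jail.jailed 2>/dev/null) || {
        echo unknown
        return 0
    }
    case "$val" in
        1) echo jailed ;;
        0) echo host ;;
        *) echo unknown ;;
    esac
}

# pkg-install is invoked as: pkg-install <pkgname> PRE-INSTALL|POST-INSTALL
pkg_install_main() {
    pkgname=$1
    phase=$2
    # Only act once the files are in place.
    [ "$phase" = "POST-INSTALL" ] || return 0
    case "$(jail_state)" in
        jailed) echo "${pkgname}: installed inside a jail; skipping host-only setup" ;;
        host)   echo "${pkgname}: installed on the host; running full setup" ;;
        *)      echo "${pkgname}: cannot read security.jail.jailed; leaving defaults" ;;
    esac
}

# Dispatch only when called the way the package tools call the script.
if [ "$#" -ge 2 ]; then
    pkg_install_main "$@"
fi
```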