Date:      Sat, 20 Aug 2011 19:18:15 +0100
From:      Chris Rees <crees@freebsd.org>
To:        Jason Helfman <jhelfman@e-e.com>
Cc:        Kostik Belousov <kostikbel@gmail.com>, Glen Barber <gjb@freebsd.org>, ports@freebsd.org
Subject:   Re: [Request for Comments] Adding a JAILED meta-variable to bsd.port.mk
Message-ID:  <CADLo838JTL5sGBJsYm4CYFVS37sG17V9L-dC1xyhNjgh%2BDD69w@mail.gmail.com>
In-Reply-To: <91b826baee57a450a519fee1c7032a5c.squirrel@mail.experts-exchange.com>
References:  <4E4F95FD.907@FreeBSD.org> <20110820115203.GH17489@deviant.kiev.zoral.com.ua> <4E4FA589.7070303@FreeBSD.org> <20110820124443.GJ17489@deviant.kiev.zoral.com.ua> <4E4FBA13.4050009@FreeBSD.org> <91b826baee57a450a519fee1c7032a5c.squirrel@mail.experts-exchange.com>

On 20 August 2011 18:46, Jason Helfman <jhelfman@e-e.com> wrote:
>> On 8/20/11 8:44 AM, Kostik Belousov wrote:
>>>> One thing I can think of off-hand to fix this in that case is setting a
>>>> local environment variable to disable a check for security.jail.jailed.
>>>> Would this be an ok solution for those cases?  If not, I happily agree
>>>> that this change should not be made then.
>>>>
>>>> I have an updated patch to bsd.port.mk that looks for a local
>>>> environment variable, PKGJAIL - if it is set, then JAILED is unset.
>>>> Would this be acceptable?
>>> The change would require user to do a configuration for a thing that
>>> previously just worked. What is the point ?
>>>
>>
>> I suppose the specific problem I am trying to solve is a case where a
>> user builds a port within a jail with the expectation that the port will
>> in fact run within the jail with little or no changes.  Perhaps
>> security/sshguard-pf and databases/postgresql*-server are not the most
>> ideal examples of where this would be relevant.
>>
>> I agree that a configuration change for something that worked before is
>> not the best solution.  So, I retract this change proposal.
>>
>> Again, thank you for the feedback and pointing out that this would have
>> had negative impact on those using jails for package building.
>>
>> Regards,
>>
>> Glen
>>
> I, myself, have not installed or built enough packages in jails to find
> this issue, however I am using tinderbox for maintaining my ports,
> submitting ports, or patches, as well as maintaining a local ports tree.
>
> In doing this, and maintaining our operational environment, I am finding
> many conditions where you may want to do one thing or another, and the
> possibilities I have found can be endless, so it could be argued to not
> introduce global functionality for the X number of ports/packages that
> need it, however to code the port to be aware of these conditions in the
> packaging scripts.
>
> For example, you could test for values of sysctl, or another condition.
> Based on the result, perform X action. Although, I haven't done this
> specifically for a jail, I don't see why the same practice couldn't be
> exercised.
>
> These, I believe, can all be taken advantage of in subsequent pkg-*
> files.
>

Hm, not a fan of getting output of sysctl for many ports -- that'd
take forever in INDEX generation for example.

Perhaps we could just introduce a JAILED variable and leave it at that?

Chris


