Date: Tue, 27 Nov 2018 06:42:41 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: "Michael W. Lucas" <mwlucas@michaelwlucas.com>, ports@freebsd.org
Subject: Re: packages and base jails
Message-ID: <3348f9bf-8fb3-e6a7-6878-15e1fcfed62d@grosbein.net>
In-Reply-To: <20181126202407.GA95942@mail.michaelwlucas.com>
References: <20181126202407.GA95942@mail.michaelwlucas.com>
27.11.2018 3:24, Michael W. Lucas wrote:
>
> Hi,
>
> I'm writing a book on jails and am looking for BCP. I'd like to
> present either "This is the approved solution and should work" or
> "these are the gotchas with any of these, choose your pain."
>
> Folks want base jails to include packages, but also want to install
> additional packages--which won't happen if /usr/local is mounted
> read-only in the base jail. Trawling around the Net I see a couple
> options. Both involve the primary jail using a different package
> repo. The overlay jail uses the standard package repo.
>
> 1) primary jail uses a repo with PREFIX=/usr/pkg or /opt. Works in my
> simple use cases once I set ldconfig directories in rc.conf, but I'm
> told programs like pkgconfig can go sideways.
>
> 2) base jail uses a repo with PREFIX=/. Utterly violates separation of
> base and pkg, but everything should find everything out of the
> box. Again, seems to work in my wimpy use cases.
>
> Is there an option that should work? Or is it a matter of choosing
> between horrors?

Not sure I understand the problem, which I don't have using sysutils/ezjail,
which uses a base jail situated in /usr/local/j/basejail in my case.

For each distinct jail instance, it null-mounts it read-only to
/usr/local/j/${JAILNAME}/basejail, and /usr/local/j/${JAILNAME} is the jail's
root. Inside this root, /bin is a symlink to /basejail/bin, and /boot,
/libexec, /rescue and /sbin are similar symlinks, so are
/usr/{bin|include|lib|lib32|libdata|libexec|ports|sbin|share}, all symlinks
to the corresponding directories inside the ro-mounted /basejail/usr/...
But not /usr/local nor /usr/{src|obj}, if that matters.

So each jail has its own set of packages, or even ports if I choose to
null-mount the host's /usr/ports read-only to
/usr/local/j/${JAILNAME}/basejail/usr/ports and write to the jail's
/etc/make.conf:

    WRKDIRPREFIX=   /var/ports
    DISTDIR=        /var/ports/distfiles
    PACKAGES=       /var/ports/packages
    INDEXDIR=       /var/ports

That works just fine for me.
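As an added example, not part of the thread or of ezjail itself, here is a small sh script that verifies a jail root against the layout described in the reply above: the base directories must be symlinks into /basejail, /basejail must show up as a read-only nullfs mount, and /usr/local must remain a real per-jail directory so packages can be installed. It assumes absolute symlink targets of the form /basejail/... (relative forms are also accepted) and FreeBSD mount(8) output such as "(nullfs, local, read-only)".

```sh
#!/bin/sh
# Added example (not from the original thread): sanity-check an ezjail-style
# jail root. Assumption: /bin, /boot, /libexec, /rescue, /sbin and the listed
# /usr/* entries are symlinks into /basejail, /basejail is a read-only nullfs
# mount, and /usr/local is a real directory private to the jail.

# Entries that must be symlinks into the shared read-only base.
BASE_LINKS="bin boot libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share"

# check_jail_layout ROOT: returns 0 when every entry in BASE_LINKS is a symlink
# into /basejail and /usr/local is a real directory; reports each problem.
check_jail_layout() {
    root=$1
    rc=0
    for d in $BASE_LINKS; do
        if [ ! -L "$root/$d" ]; then
            echo "$root/$d: expected a symlink into /basejail" >&2
            rc=1
            continue
        fi
        case $(readlink "$root/$d") in
            /basejail/*|basejail/*|../basejail/*) ;;
            *) echo "$root/$d: symlink does not point into /basejail" >&2; rc=1 ;;
        esac
    done
    # /usr/local must not be part of the read-only base, or pkg(8) cannot
    # install anything inside the jail (the problem raised in the thread).
    if [ -L "$root/usr/local" ] || [ ! -d "$root/usr/local" ]; then
        echo "$root/usr/local: must be a real per-jail directory" >&2
        rc=1
    fi
    return $rc
}

# check_basejail_mount ROOT < mount-output: returns 0 when ROOT/basejail is
# listed as a read-only nullfs mount in mount(8)-style lines read from stdin.
check_basejail_mount() {
    grep -F " on $1/basejail (" | grep -q 'nullfs.*read-only'
}

# Usage: sh check-jail.sh /usr/local/j/JAILNAME (hypothetical path)
if [ -n "${1:-}" ]; then
    check_jail_layout "$1" && mount | check_basejail_mount "$1" \
        && echo "$1: base/package separation looks correct"
fi
```

Run it on the host against each jail root; a jail whose /usr/local has been turned into a symlink into the base, or whose base mount lacks read-only, is reported.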
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3348f9bf-8fb3-e6a7-6878-15e1fcfed62d>