Date: Tue, 25 Aug 2020 16:12:14 -0500
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Jail question: packages with relative symlinks
Message-ID: <9127e9ca-c6be-d007-bd82-fdf7c5508242@kicp.uchicago.edu>
In-Reply-To: <24d244da-43e4-9a5e-e940-3f183bc5a50e@holgerdanske.com>
References: <f3636f36-b6ce-3e8a-878a-bf8d5f75144d@kicp.uchicago.edu> <24d244da-43e4-9a5e-e940-3f183bc5a50e@holgerdanske.com>

On 8/25/20 3:50 PM, David Christensen wrote:
> On 2020-08-25 09:51, Valeri Galtsev wrote:
>> Dear Experts,
>>
>> I've got question about jails, namely, what do you do if some package
>> you install in jail brings relative symlink(s)?
>>
>> I install jails "by the book" and if relative symlinks are in
>> /usr/local, there is no problem with those, as in jail an equivalent
>> of /usr/local is
>>
>> /s/usr-local
>>
>> and the depth is the same as on real system. However, /etc in jail is
>>
>> /s/etc
>>
>> and if package brings relative symlink to /etc, in jail it will point
>> nowhere. I just resolved this failure for package ca_root_nss in jail.
>> This package places in
>>
>> /etc/ssl
>>
>> relative symlink:
>>
>> cert.pem --> ../../usr/local/share/certs/ca-root-nss.crt
>>
>> In jail, however it is situated in
>>
>> /s/etc/ssl
>>
>> so the above relative symlink points nowhere. I did a "trivial" thing,
>> just replaced relative symlink with absolute one:
>>
>> cert.pem --> /usr/local/share/certs/ca-root-nss.crt
>>
>> and as this symlink is owned by the package ca_root_nss, I locked
>> that package, to prevent it from "automagically" replacing symlink
>> with relative if updated package is installed.
>>
>> This is kind of crude solution, standing next to the "hack", so I do
>> not like what I did.
>>
>>
>> I wonder, how jail experts deal with relative symlinks when some
>> package brings it into place where filesystem depth in jail is
>> different from real system.
>>
>>
>> Thanks.
>> Valeri
>
> I am no jail expert, but AIUI jails include chroot(8) functionality. So,
> all paths used within a jail will be resolved within the jailed tree.
>
>
> If you log in to the jail as root and install your software from there,
> it should just work.
>

Having that structure with symlinks I have mentioned has a special
purpose. That purpose is: the base system is mounted read only inside
the jail, and only things that have to be read-write are read-write.
This basically precludes using what you suggest without diminishing
robustness of jails.

Thanks for your input though!

Valeri

>
> David
>
>
> p.s. Lucas wrote some good books that cover jails:
>
> [1] https://mwl.io/nonfiction/os#af3e
>
> [2] https://mwl.io/nonfiction/os#fmjail
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
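
An audit for the failure described in this thread, as an added example that is not part of any poster's message: it lists relative symlinks whose target does not resolve from the link's real location (such as /s/etc/ssl). The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report relative symlinks that dangle because the directory
# holding them sits at a different depth than the package assumed.

# Print "LINK -> TARGET" for each dangling relative symlink below $1.
find_broken_relative_links() {
    find "$1" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) continue ;;   # absolute targets resolve from the jail root; skip
        esac
        # test -e follows the link, so it fails when the target is missing
        [ -e "$link" ] || printf '%s -> %s\n' "$link" "$target"
    done
}

# Build a constructed tree with the layout from the message: /etc is really
# /s/etc and /usr/local is really /s/usr-local. Prints the tree's root.
make_sample_jail_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/s/etc/ssl" "$root/s/usr-local/share/certs" "$root/usr"
    : > "$root/s/usr-local/share/certs/ca-root-nss.crt"
    ln -s s/etc "$root/etc"
    ln -s ../s/usr-local "$root/usr/local"
    # Link as shipped by the package: right from /etc/ssl, wrong from /s/etc/ssl
    ln -s ../../usr/local/share/certs/ca-root-nss.crt "$root/s/etc/ssl/cert.pem"
    # A relative link that stays within its own directory keeps working
    : > "$root/s/etc/ssl/local.pem"
    ln -s local.pem "$root/s/etc/ssl/ok.pem"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree; inside a jail, point it at /s/etc instead.
demo_root=$(make_sample_jail_tree)
find_broken_relative_links "$demo_root/s/etc"
rm -rf "$demo_root"
```

Run after each package install or upgrade inside the jail, it flags a link such as cert.pem before TLS clients start failing on a missing CA bundle.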