Eugene Grosbein wrote on 2018/11/27 00:42:
27.11.2018 3:24, Michael W. Lucas wrote:

Hi,

I'm writing a book on jails and am looking for BCP. I'd like to
present either "This is the approved solution and should work" or
"these are the gotchas with any of these, choose your pain."

Folks want base jails to include packages, but also want to install
additional packages--which won't happen if /usr/local is mounted
read-only in the base jail. Trawling around the Net I see a couple
options. Both involve the primary jail using a different package
repo. The overlay jail uses the standard package repo.

1) primary jail uses a repo with PREFIX=/usr/pkg or /opt. Works in my
simple use cases once I set ldconfig directories in rc.conf, but I'm
told programs like pkgconfig can go sideways.

2) base jail uses a repo with PREFIX=/. Utterly violates separation of
base and pkg, but everything should find everything out of the
box. Again, seems to work in my wimpy use cases.

Is there an option that should work? Or is it a matter of choosing
between horrors?

Not sure I understand the problem, which I don't have using sysutils/ezjail,
which uses a base jail situated in /usr/local/j/basejail in my case.

For each distinct jail instance, it null-mounts it read-only
to /usr/local/j/${JAILNAME}/basejail, and /usr/local/j/${JAILNAME} is the jail's
root.
Inside this root, /bin is a symlink to /basejail/bin, and /boot, /libexec, /rescue
and /sbin are similar symlinks, as are
/usr/{bin|include|lib|lib32|libdata|libexec|ports|sbin|share},
all symlinks to the corresponding directories inside the ro-mounted /basejail/usr/...

But not /usr/local nor /usr/{src|obj}, if that matters. So each jail has its
own set of packages, or even ports if I choose to null-mount the host's /usr/ports
read-only to /usr/local/j/${JAILNAME}/basejail/usr/ports and write to the jail's
/etc/make.conf:

I guess Michael wants to have some packages installed in shared basejail (packages common to all jails) and some packages later installed separately in jails. And this is something that I would never do. :)

But you can try some union fs overlay on top of a shared /usr/local. But again - I will not do this in a production environment.

Miroslav Lachman
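The per-jail layout Eugene describes (shared trees as symlinks into a read-only /basejail, /usr/local and /usr/{src,obj} as real per-jail directories), as an added POSIX sh example that is not code from the thread or from ezjail. It assumes the function names and throwaway paths are my own, and it stands a plain symlink in for the read-only nullfs mount of the basejail because a real mount needs root, so the script can be run unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread or ezjail. In production the basejail is
# null-mounted read-only at $JAILROOT/basejail (mount -t nullfs -o ro SRC DST);
# here a symlink stands in for that mount so the script runs without root.

SHARED_TOP="bin boot libexec rescue sbin"
SHARED_USR="bin include lib lib32 libdata libexec ports sbin share"
PRIVATE_USR="local src obj"   # per-jail, writable, never shared

# make_jail_root BASEJAIL JAILROOT: build one jail's root directory.
make_jail_root() {
    basejail=$1; jailroot=$2
    for d in $SHARED_TOP; do mkdir -p "$basejail/$d"; done
    for d in $SHARED_USR; do mkdir -p "$basejail/usr/$d"; done
    mkdir -p "$jailroot/usr" "$jailroot/etc"
    # stand-in for the read-only nullfs mount of the basejail
    ln -sfn "$basejail" "$jailroot/basejail"
    # shared trees: absolute links, so they resolve from inside the jail
    for d in $SHARED_TOP; do ln -sfn "/basejail/$d" "$jailroot/$d"; done
    for d in $SHARED_USR; do ln -sfn "/basejail/usr/$d" "$jailroot/usr/$d"; done
    # per-jail trees: real directories, so packages installed here stay local
    for d in $PRIVATE_USR; do mkdir -p "$jailroot/usr/$d"; done
}

# check_jail_root JAILROOT: return 0 when every shared path is a link into
# /basejail backed by a real directory, and every per-jail path is a real
# directory rather than a link into the shared base; return 1 otherwise.
check_jail_root() {
    jailroot=$1
    for d in $SHARED_TOP; do
        [ "$(readlink "$jailroot/$d")" = "/basejail/$d" ] || return 1
        [ -d "$jailroot/basejail/$d" ] || return 1
    done
    for d in $SHARED_USR; do
        [ "$(readlink "$jailroot/usr/$d")" = "/basejail/usr/$d" ] || return 1
        [ -d "$jailroot/basejail/usr/$d" ] || return 1
    done
    for d in $PRIVATE_USR; do
        [ -d "$jailroot/usr/$d" ] && [ ! -L "$jailroot/usr/$d" ] || return 1
    done
    return 0
}

# Stand-alone demo: build a throwaway layout in a temp dir, check it, clean up.
tmp=$(mktemp -d)
make_jail_root "$tmp/basejail" "$tmp/j/www"
check_jail_root "$tmp/j/www" && echo "layout ok: $tmp/j/www"
rm -rf "$tmp"
```

The check also catches the case the thread warns about: if a jail's /usr/local is turned into a link into the shared base, check_jail_root reports the layout as broken.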
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"