packages and base jails

Eugene Grosbein eugen at grosbein.net
Mon Nov 26 23:42:57 UTC 2018


27.11.2018 3:24, Michael W. Lucas wrote:
> 
> Hi,
> 
> I'm writing a book on jails and am looking for BCP. I'd like to
> present either "This is the approved solution and should work" or
> "these are the gotchas with any of these, choose your pain."
> 
> Folks want base jails to include packages, but also want to install
> additional packages--which won't happen if /usr/local is mounted
> read-only in the base jail. Trawling around the Net I see a couple
> options. Both involve the primary jail using a different package
> repo. The overlay jail uses the standard package repo.
> 
> 1) primary jail uses a repo with PREFIX=/usr/pkg or /opt. Works in my
> simple use cases once I set ldconfig directories in rc.conf, but I'm
> told programs like pkgconfig can go sideways.
> 
> 2) base jail repo uses with PREFIX=/. Utterly violates separation of
> base and pkg, but everything should find everything out of the
> box. Again, seems to work in my wimpy use cases.
> 
> Is there an option that should work? Or is a matter of choosing
> between horrors?

Not sure I understand the problem which I don't have using sysutils/ezjail
that uses base jail situated in /usr/local/j/basejail in my case.

For each distinct jail instance, it null-mounts it read-only
to /usr/local/j/${JAILNAME}/basejail, and /usr/local/j/${JAILNAME} is the jail's root.
Inside this root, /bin is a symlink to /basejail/bin, and /boot, /libexec, /rescue
and /sbin are similar symlinks, as are /usr/{bin|include|lib|lib32|libdata|libexec|ports|sbin|share},
all symlinks to the corresponding directories inside the ro-mounted /basejail/usr/...

But not /usr/local nor /usr/{src|obj}, if that matters. So each jail has its own
set of packages or even ports if I choose to null-mount the host's /usr/ports read-only
to /usr/local/j/${JAILNAME}/basejail/usr/ports and write to the jail's /etc/make.conf:

WRKDIRPREFIX=           /var/ports
DISTDIR=                /var/ports/distfiles
PACKAGES=               /var/ports/packages
INDEXDIR=               /var/ports

That works just fine for me.
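The layout Eugene describes, as an added example that is not part of the thread or of ezjail itself: the script builds the jail-root skeleton (base directories as symlinks into the read-only /basejail null-mount, /usr/local, /usr/src and /usr/obj as real per-jail directories, plus the make.conf from the message) and checks it. The basejail path /usr/local/j/basejail is assumed from the thread; the nullfs mount needs root on FreeBSD, so it is only printed, not executed.

```shell
#!/bin/sh
# Added example, not ezjail's own code: reproduce the ezjail-style jail root
# described in the thread. Base paths become symlinks into the read-only
# /basejail null-mount; /usr/local, /usr/src and /usr/obj stay writable and
# per-jail, so packages installed in one jail never touch the shared base.
set -e

BASEJAIL=/usr/local/j/basejail   # assumed path, taken from the thread

# Create the symlink skeleton under $1 (the jail root).
make_jail_root() {
    root=$1
    mkdir -p "$root/basejail" "$root/usr/local" "$root/usr/src" \
             "$root/usr/obj" "$root/etc"
    for d in bin boot libexec rescue sbin; do
        ln -s "/basejail/$d" "$root/$d"
    done
    for d in bin include lib lib32 libdata libexec ports sbin share; do
        ln -s "/basejail/usr/$d" "$root/usr/$d"
    done
    # Per-jail ports build locations, as in the make.conf from the thread.
    printf '%s\n' 'WRKDIRPREFIX=   /var/ports' \
                  'DISTDIR=        /var/ports/distfiles' \
                  'PACKAGES=       /var/ports/packages' \
                  'INDEXDIR=       /var/ports' > "$root/etc/make.conf"
}

# Print the read-only null-mount ezjail performs for jail root $1 (root only).
mount_cmd() {
    printf 'mount -t nullfs -o ro %s %s/basejail\n' "$BASEJAIL" "$1"
}

# Return 0 when every base path is a symlink into /basejail and the
# writable per-jail paths are real directories, 1 otherwise.
check_jail_root() {
    root=$1
    for p in bin boot libexec rescue sbin; do
        [ "$(readlink "$root/$p")" = "/basejail/$p" ] || return 1
    done
    for p in bin include lib lib32 libdata libexec ports sbin share; do
        [ "$(readlink "$root/usr/$p")" = "/basejail/usr/$p" ] || return 1
    done
    for p in usr/local usr/src usr/obj; do
        { [ -d "$root/$p" ] && [ ! -L "$root/$p" ]; } || return 1
    done
    return 0
}
```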



More information about the freebsd-ports mailing list