packages and base jails

Miroslav Lachman 000.fbsd at quip.cz
Tue Nov 27 08:25:27 UTC 2018


Eugene Grosbein wrote on 2018/11/27 00:42:
> 27.11.2018 3:24, Michael W. Lucas wrote:
>>
>> Hi,
>>
>> I'm writing a book on jails and am looking for BCP. I'd like to
>> present either "This is the approved solution and should work" or
>> "these are the gotchas with any of these, choose your pain."
>>
>> Folks want base jails to include packages, but also want to install
>> additional packages--which won't happen if /usr/local is mounted
>> read-only in the base jail. Trawling around the Net I see a couple
>> options. Both involve the primary jail using a different package
>> repo. The overlay jail uses the standard package repo.
>>
>> 1) primary jail uses a repo with PREFIX=/usr/pkg or /opt. Works in my
>> simple use cases once I set ldconfig directories in rc.conf, but I'm
>> told programs like pkgconfig can go sideways.
>>
>> 2) base jail repo uses PREFIX=/. Utterly violates separation of
>> base and pkg, but everything should find everything out of the
>> box. Again, seems to work in my wimpy use cases.
>>
>> Is there an option that should work? Or is it a matter of choosing
>> between horrors?
> 
> Not sure I understand the problem, which I don't have using sysutils/ezjail,
> which uses a base jail situated in /usr/local/j/basejail in my case.
> 
> For each distinct jail instance, it null-mounts it read-only
> to /usr/local/j/${JAILNAME}/basejail, and /usr/local/j/${JAILNAME} is the jail's root.
> Inside this root, /bin is a symlink to /basejail/bin, and /boot, /libexec, /rescue
> and /sbin are similar symlinks, as are /usr/{bin|include|lib|lib32|libdata|libexec|ports|sbin|share},
> all symlinks to the corresponding directories inside the ro-mounted /basejail/usr/...
> 
> But not /usr/local nor /usr/{src|obj}, if that matters. So each jail has its own
> set of packages or even ports if I choose to null-mount the host's /usr/ports read-only
> to /usr/local/j/${JAILNAME}/basejail/usr/ports and write to the jail's /etc/make.conf:

I guess Michael wants to have some packages installed in the shared basejail 
(packages common to all jails) and some packages later installed 
separately in the jails. And this is something that I would never do. :)

But you can try some union fs overlay on top of the shared /usr/local. But 
again - I will not do this in a production environment.

Miroslav Lachman
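The layout Eugene describes above (a read-only null-mounted basejail with /bin, /usr/bin and friends as symlinks into it, and a real per-jail /usr/local for packages) can be reproduced and checked with a small script. This is an added example written for this thread, not code from ezjail or from either poster; the paths are assumptions, nothing is actually mounted, and the nullfs fstab line is only printed so it can be reviewed before being put in /etc/fstab.${JAILNAME}:

```shell
#!/bin/sh
# Added example (not ezjail's own code): build the per-jail root the
# reply describes and verify that every base directory resolves into the
# read-only /basejail mount while /usr/local stays a real, writable,
# per-jail directory. Paths here are illustrative assumptions.

# Top-level and /usr subdirectories that are served from the shared base.
TOP_DIRS="bin boot libexec rescue sbin"
USR_DIRS="bin include lib lib32 libdata libexec ports sbin share"

# make_jail_root JAILROOT
#   Create the jail tree: the mount point for the base, symlinks into it,
#   and the per-jail writable directories (/usr/local, /etc, /var).
make_jail_root() {
    root="$1"
    mkdir -p "$root/basejail" "$root/usr/local" "$root/etc" "$root/var"
    for d in $TOP_DIRS; do
        ln -s "/basejail/$d" "$root/$d"
    done
    for d in $USR_DIRS; do
        ln -s "/basejail/usr/$d" "$root/usr/$d"
    done
}

# fstab_line BASEJAIL JAILROOT
#   Print the fstab entry that null-mounts the shared base read-only at
#   JAILROOT/basejail (the "ro" option is what keeps the base immutable
#   from inside the jail).
fstab_line() {
    printf '%s %s/basejail nullfs ro 0 0\n' "$1" "$2"
}

# check_jail_root JAILROOT
#   Return 0 when the layout is as expected: each base directory is a
#   symlink under /basejail, and /usr/local is a plain directory, so
#   pkg(8) inside the jail writes to per-jail storage, never to the base.
check_jail_root() {
    root="$1"
    for d in $TOP_DIRS; do
        [ -L "$root/$d" ] || return 1
        case "$(readlink "$root/$d")" in /basejail/*) ;; *) return 1 ;; esac
    done
    for d in $USR_DIRS; do
        [ -L "$root/usr/$d" ] || return 1
        case "$(readlink "$root/usr/$d")" in /basejail/usr/*) ;; *) return 1 ;; esac
    done
    [ -d "$root/usr/local" ] && [ ! -L "$root/usr/local" ]
}

# Usage (assumed paths): build a jail root, print its fstab line, check it.
# make_jail_root /usr/local/j/www
# fstab_line /usr/local/j/basejail /usr/local/j/www
# check_jail_root /usr/local/j/www && echo "layout ok"
```

The check is the useful part for a defender: run it against every jail root after provisioning and it will flag a jail where someone replaced a symlink with a real directory (so the jail no longer tracks the shared, read-only base) or turned /usr/local into a symlink pointing at the shared base (so a package install inside one jail would try to change what all jails see).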

