From: bugzilla-noreply@freebsd.org
To: doc@FreeBSD.org
Subject: [Bug 280339] Handbook section 17.5.2 Creating a Thin Jail Using NullFS results in broken jails
Date: Wed, 17 Jul 2024 20:40:31 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280339

Bug ID: 280339
Summary: Handbook section 17.5.2 Creating a Thin Jail Using NullFS results in broken jails
Product: Documentation
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Books & Articles
Assignee: doc@FreeBSD.org
Reporter: tommy@s3cr3t.codes

Section 17.5 "Thin Jails" contains directions to create jails having a large amount of reuse. However, jails created following these instructions have a large number of broken symlinks inside the jails.

To see the problem, follow exactly the instructions at https://docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-nullfs. I only tried the ZFS instructions, but I suspect this issue applies equally to UFS. I also replaced `13.2-RELEASE` with `$(uname -r)` everywhere in those instructions - my workaround for #275685.

After executing the last command in that section (`service jail start thinjail`), attempt to install a package in that jail: `pkg -j thinjail bootstrap -f`. You can see that there is an error, and the `pkg` command isn't bootstrapped there. Running `pkg bootstrap -f` from a shell "inside" the jail (via `jexec`) likewise fails.

The issue is that the certificate files symlinked inside the jail at `/etc/ssl/certs` use relative paths to find the target files; e.g., `../../../usr/share/certs/trusted/GlobalSign_Root_E46.pem`. However, these relative paths are effectively broken by the reusable-base/skeleton separation described in 17.5. From within the jail's view of `/etc/ssl/certs`, the path `../../../usr` (prefix of these symlinks' targets) is a directory at (absolute path inside the jail) `/skeleton/usr` which contains only another directory `local`.

To repair the symlinks, you could prefix an extra level of `../` (i.e., `../../../../usr/share/certs/trusted/GlobalSign_Root_E46.pem` for the example from above).
This gets you the relative path to the correct `usr` wherein `share/certs/trusted/GlobalSign_Root_E46.pem` exists. After changing all symlinks in `/etc/ssl/certs` within the jail, it can be seen that `pkg bootstrap -f` works from inside the jail, as also `pkg -k thinjail bootstrap -f` works from the host.

It's not clear to me what the recommended solution is; adding documentation and code blocks in 17.5 to "fix up" all symlinks inside the jail is probably incorrect, because this section is designed to facilitate reuse, so that all jails using the same release "base" template could be updated at once from the host: `freebsd-update -b /usr/local/jails/templates/13.2-RELEASE-base/ fetch install`. This can conceivably clobber some or all of the fixed-up symlinks.

Basically, I suspect that the nullfs-thin-jails approach is doomed without quite a bit of workaround. I could write my own suite of wrappers for `pkg`, `freebsd-update`, and potentially other commands that know how to operate on jails from the host, but the effort involved with that starts to push me toward one of the externally-maintained jails management suites that I had hoped to avoid.
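A check for the symlink breakage the report describes, added here as an example and not code from the bug report or the Handbook: it rebuilds the base/skeleton layout in a temporary directory (a constructed stand-in, not a real jail), lists the `/etc/ssl/certs` links that fail to resolve, and computes the one-level-deeper relative target the reporter arrived at by hand. It assumes the Handbook's `etc -> skeleton/etc` link and the base's `usr/share/certs/trusted` store; the `freebsd-update` caveat above still applies to any links rewritten this way.

```python
import os
import tempfile

CERT = "GlobalSign_Root_E46.pem"  # cert named in the report; the file body below is constructed

def build_fixture():
    """Constructed stand-in for the thin-jail layout (a temp dir, not a real jail):
       <root>/usr/share/certs/trusted/<cert>  (read-only base), <root>/etc -> skeleton/etc,
       <root>/skeleton/etc/ssl/certs/<cert> -> ../../../usr/share/certs/trusted/<cert>"""
    root = tempfile.mkdtemp(prefix="thinjail-")
    trusted = os.path.join(root, "usr", "share", "certs", "trusted")
    os.makedirs(trusted)
    with open(os.path.join(trusted, CERT), "w") as f:
        f.write("constructed placeholder, not a real certificate\n")
    certs = os.path.join(root, "skeleton", "etc", "ssl", "certs")
    os.makedirs(certs)
    os.symlink("../../../usr/share/certs/trusted/" + CERT, os.path.join(certs, CERT))
    os.symlink("skeleton/etc", os.path.join(root, "etc"))
    return root

def broken_symlinks(root, subdir="etc/ssl/certs"):
    """Map link path -> stored target for each symlink under root/subdir that does not resolve.
    os.path.exists() follows the link, so it is False exactly when the target is missing."""
    d = os.path.join(root, subdir)
    links = [os.path.join(d, n) for n in sorted(os.listdir(d))]
    return {p: os.readlink(p) for p in links if os.path.islink(p) and not os.path.exists(p)}

def corrected_target(link_path, real_file):
    """Relative target computed from the link's physical (symlink-free) directory, which is
    where '..' is evaluated once /etc has been followed into skeleton/etc."""
    physical_dir = os.path.realpath(os.path.dirname(link_path))
    return os.path.relpath(os.path.realpath(real_file), physical_dir)

def repair(root, subdir="etc/ssl/certs", trusted="usr/share/certs/trusted"):
    """Re-point each broken cert symlink at the base's trusted store; returns {link: new target}."""
    fixed = {}
    for link in broken_symlinks(root, subdir):
        target = corrected_target(link, os.path.join(root, trusted, os.path.basename(link)))
        os.remove(link)  # unlinks the symlink itself, not the file it points at
        os.symlink(target, link)
        fixed[link] = target
    return fixed

def demo():
    # returns (targets broken before, targets written by repair, targets still broken after)
    root = build_fixture()
    before = list(broken_symlinks(root).values())
    fixed = list(repair(root).values())
    return before, fixed, list(broken_symlinks(root).values())
```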