Configuration differences for jails
Jeremie Le Hen
jeremie at le-hen.org
Wed Apr 20 09:56:42 PDT 2005
> I'm trying to untangle myself on this issue. I have different
> filesystems for /, /usr, and /usr/local, mounted in unusual places:
>
> 504,p0,1$ ls -l /usr{,/X11R6,/local}
> lrwxr-xr-x 1 root wheel 18 7 nov 2003 /usr -> fs/base/mount/usr/
> lrwxr-xr-x 1 root wheel 25 8 nov 2003 /usr/X11R6 -> ../../../apps/mount/X11R6
> lrwxr-xr-x 1 root wheel 25 18 abr 20:40 /usr/local -> ../../../apps/mount/local
>
> I know I want to share /usr, but not /usr/local, and only parts of /. So
> I mount_unionfs /fs/base inside the jail:
>
> <above>:/fs/base/mount on /fs/jaildata/mount/fs/base/mount (unionfs,
> local, read-only, noclusterw)
>
mount_nullfs(8) will mount one directory and all its content onto another
one, but there is no way to exclude one of the subdirectories. You
will instead have to mount each subdirectory you need, not more. One
other way to achieve this is to make a second null mount over the
directory you don't want to share (/usr/local), but I'm not aware of
the consequences of such a setup in terms of performance and stability.
> But this way I don't get the "automagically upgrade virtual hosts"
> behaviour I want, since I'm missing /{,s}bin, /lib and /libexec and I
> definitely don't want to share /etc.
You won't have a one-to-one mapping between jails and null mounts. There
are generally multiple null mounts for a unique jail.
Considering your jail root is /jail/test, and you enabled the
jail_$jail_mount (jail_test_mount here) rc.conf(5) variable, here is
the content of /etc/fstab.test:
%%%
/bin /jail/test/bin nullfs ro 0 0
/sbin /jail/test/sbin nullfs ro 0 0
/lib /jail/test/lib nullfs ro 0 0
/libexec /jail/test/libexec nullfs ro 0 0
/usr/bin /jail/test/usr/bin nullfs ro 0 0
/usr/sbin /jail/test/usr/sbin nullfs ro 0 0
/usr/lib /jail/test/usr/lib nullfs ro 0 0
/usr/libexec /jail/test/usr/libexec nullfs ro 0 0
/usr/libdata /jail/test/usr/libdata nullfs ro 0 0
/usr/share /jail/test/usr/share nullfs ro 0 0
/usr/compat /jail/test/usr/compat nullfs ro 0 0
%%%
> I don't think it's easy to take /etc/ outside the root fs, but I don't
> see how to share /bin or /lib without leaking info.
>
> How do you handle this? What are those distribution targets and how can
> I use them?
As I said above, null mount each directory.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
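The point made in the reply, that mount_nullfs(8) has no way to exclude a subdirectory so each shared directory has to be null-mounted on its own and read-only, can be turned into a small generator and audit for a per-jail fstab. The script below is an added example and not code from the original thread or from FreeBSD itself; the jail root /jail/test, the list of directories treated as private (/etc, /usr/local, /root, /var) and the sample fstab entries are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a per-jail fstab of
# read-only null mounts and audit it for the two mistakes the reply warns
# about: a nullfs mount that is not read-only, and a mount whose source is
# (or contains) a directory that should stay private to the jail.
# The jail root, directory lists and sample entries below are constructed.

# Host directories the reply proposes sharing into the jail, read-only.
SHARED_DIRS="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/libdata /usr/share /usr/compat"

# Host directories assumed to hold per-jail configuration or data.
PRIVATE_DIRS="/etc /usr/local /root /var"

# gen_fstab JAILROOT DIR... : print one fstab(5) line per directory,
# null-mounted read-only under the jail root.
gen_fstab() {
    jailroot=$1
    shift
    for d in "$@"; do
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$d" "$jailroot" "$d"
    done
}

# audit_fstab FILE : print a WARN line for every nullfs entry that is not
# read-only, whose source lies inside a private directory, or whose source
# contains one (mount_nullfs(8) cannot exclude a subdirectory, so mounting
# /usr also exposes /usr/local). Returns 1 if anything was flagged, else 0.
audit_fstab() {
    rc=0
    while read -r src dst fstype opts dump pass; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = nullfs ] || continue          # only null mounts matter here
        case ",$opts," in
            *,ro,*) ;;
            *) echo "WARN: $src on $dst is not read-only (opts=$opts)"; rc=1 ;;
        esac
        for p in $PRIVATE_DIRS; do
            case "$src" in
                "$p"|"$p"/*) echo "WARN: $src on $dst is inside private directory $p"; rc=1 ;;
            esac
            case "$p" in
                "${src%/}"/*) echo "WARN: $src on $dst also exposes private directory $p"; rc=1 ;;
            esac
        done
    done < "$1"
    return $rc
}

# Demonstration on a constructed fstab: the generated entries pass the audit,
# then two deliberately wrong entries are appended and get flagged.
demo_fstab=$(mktemp)
gen_fstab /jail/test $SHARED_DIRS > "$demo_fstab"
audit_fstab "$demo_fstab" && echo "generated entries: ok"
printf '/usr/local\t/jail/test/usr/local\tnullfs\trw\t0\t0\n' >> "$demo_fstab"
printf '/usr\t/jail/test/usr\tnullfs\tro\t0\t0\n' >> "$demo_fstab"
audit_fstab "$demo_fstab" || echo "appended entries: flagged as expected"
rm -f "$demo_fstab"
```

To use it for a real jail, redirect gen_fstab's output to /etc/fstab.<jailname> and run audit_fstab over that file before setting the jail_<jailname>_mount variable in rc.conf(5); the audit reads any whitespace-separated fstab, so it also works on a hand-written file like the one quoted above.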