Jail question: packages with relative symlinks
David Christensen
dpchrist at holgerdanske.com
Wed Aug 26 09:06:51 UTC 2020
On 8/25/20 2:30 PM, Valeri Galtsev wrote:
>
>
> On 8/25/20 4:12 PM, Valeri Galtsev wrote:
>>
>>
>> On 8/25/20 3:50 PM, David Christensen wrote:
>>> On 2020-08-25 09:51, Valeri Galtsev wrote:
>>>> Dear Experts,
>>>>
>>>> I've got a question about jails, namely, what do you do if some
>>>> package you install in a jail brings relative symlink(s)?
>>>>
>>>> I install jails "by the book" and if relative symlinks are in
>>>> /usr/local, there is no problem with those, as in the jail the equivalent
>>>> of /usr/local is
>>>>
>>>> /s/usr-local
>>>>
>>>> and the depth is the same as on the real system. However, /etc in the jail is
>>>>
>>>> /s/etc
>>>>
>>>> and if a package brings a relative symlink to /etc, in the jail it will
>>>> point nowhere. I just resolved this failure for the package ca_root_nss
>>>> in a jail. This package places in
>>>>
>>>> /etc/ssl
>>>>
>>>> relative symlink:
>>>>
>>>> cert.pem --> ../../usr/local/share/certs/ca-root-nss.crt
>>>>
>>>> In the jail, however, it is situated in
>>>>
>>>> /s/etc/ssl
>>>>
>>>> so the above relative symlink points nowhere. I did a "trivial"
>>>> thing, just replaced the relative symlink with an absolute one:
>>>>
>>>> cert.pem --> /usr/local/share/certs/ca-root-nss.crt
>>>>
>>>> , and as this symlink is owned by the package ca_root_nss, I locked
>>>> that package, to prevent it from "automagically" replacing the symlink
>>>> with a relative one if an updated package is installed.
>>>>
>>>> This is kind of a crude solution, standing next to a "hack", so I do
>>>> not like what I did.
>>>>
>>>>
>>>> I wonder how jail experts deal with relative symlinks when some
>>>> package brings them into a place where the filesystem depth in the jail is
>>>> different from the real system.
>>>>
>>>>
>>>> Thanks.
>>>> Valeri
>>>
>>> I am no jail expert, but AIUI jails include chroot(8) functionality.
>>> So, all paths used within a jail will be resolved within the jailed
>>> tree.
>>>
>>>
>>> If you log in to the jail as root and install your software from
>>> there, it should just work.
>>>
>>
>> Having the structure with symlinks I have mentioned has a special
>> purpose. That purpose is: the base system is mounted read-only inside
>> the jail, and only things that have to be read-write are read-write.
>>
>
> I probably didn't explain things in enough detail.
>
> My jail has its root in:
>
> /jail/[jailname]
>
> so everything that is inside the jail is visible on the host filesystem as:
>
> /jail/[jailname]/s/etc
> /jail/[jailname]/etc --> s/etc
> /jail/[jailname]/usr
> /jail/[jailname]/s/usr-local
> /jail/[jailname]/usr/local --> ../s/usr-local
> ...
>
> the
>
> /jail/[jailname]
>
> is the base system mounted read-only (with symlinks such as etc pointing to s/etc,
> and others which point to a single place
>
> /jail/[jailname]/s
>
> which is mounted read-write, and this is the only place inside the jail
> which is read-write. This is the wonderful idea which makes the base
> system read-only inside the jail. And it is convenient, as you maintain only one
> base system (of a given version) for all jails. And as you correctly said,
> chroot is used (in addition to other things), so what on the host is
> /jail/[jailname]/ is plainly / inside the jail.
>
> I hope this provides enough detail to un-confuse things (and the need
> for symlinks when one sets up jails "by the book", meaning the FreeBSD Handbook).
>
> Valeri
>
>> This basically precludes using what you suggest without diminishing the
>> robustness of jails.
>>
>> Thanks for your input though!
>>
>> Valeri
Have you tried mount_unionfs(8)?
David
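Added example, not from this thread or from FreeBSD: a chroot-aware check for symlinks that dangle as seen from inside a jail. It rebuilds the layout Valeri describes (/etc -> s/etc, /usr/local -> ../s/usr-local, the ca_root_nss cert.pem link) as a constructed tree in a scratch directory and reports the link that points nowhere; a plain `find -L` on the host gets this wrong because absolute targets would be resolved against the host root, not the jail root. The name cert-abs.pem is a made-up second link carrying the absolute form from the thread.

```python
import os
import tempfile

def resolve_in_jail(jail, path):
    """Resolve `path` (absolute, as seen inside the jail) the way chroot(8) would: absolute link
    targets restart at the jail root, '..' never climbs above it.  Host path, or None if missing."""
    jail = os.path.abspath(jail)
    parts = [p for p in path.split("/") if p not in ("", ".")]
    cur, hops = jail, 0
    while parts:
        comp = parts.pop(0)
        if comp == "..":
            cur = os.path.dirname(cur) if cur != jail else jail
            continue
        nxt = os.path.join(cur, comp)
        if os.path.islink(nxt):
            if (hops := hops + 1) > 40:  # symlink loop guard
                return None
            target = os.readlink(nxt)
            cur = jail if target.startswith("/") else cur  # absolute target: re-root at jail
            parts = [p for p in target.split("/") if p not in ("", ".")] + parts
        elif os.path.lexists(nxt):
            cur = nxt
        else:
            return None
    return cur

def find_dangling(jail):
    """Jail-relative paths of every symlink under `jail` that does not resolve inside it."""
    dangling = []
    for root, dirs, files in os.walk(jail):  # os.walk does not follow links itself
        for name in dirs + files:
            rel = "/" + os.path.relpath(os.path.join(root, name), jail)
            if os.path.islink(os.path.join(root, name)) and resolve_in_jail(jail, rel) is None:
                dangling.append(rel)
    return sorted(dangling)

def demo():
    """Constructed sample tree with the layout from the thread (a scratch directory, not a real jail)."""
    jail = tempfile.mkdtemp(prefix="jail-demo-")
    for d in ("s/etc/ssl", "s/usr-local/share/certs", "usr"):
        os.makedirs(os.path.join(jail, d))
    open(os.path.join(jail, "s/usr-local/share/certs/ca-root-nss.crt"), "w").close()
    os.symlink("s/etc", os.path.join(jail, "etc"))                 # /etc -> s/etc
    os.symlink("../s/usr-local", os.path.join(jail, "usr/local"))  # /usr/local -> ../s/usr-local
    # ca_root_nss's relative link: from the real /s/etc/ssl, ../../ is /s, which has no usr/
    os.symlink("../../usr/local/share/certs/ca-root-nss.crt", os.path.join(jail, "s/etc/ssl/cert.pem"))
    # the absolute form from the thread, under a hypothetical name so both links coexist
    os.symlink("/usr/local/share/certs/ca-root-nss.crt", os.path.join(jail, "s/etc/ssl/cert-abs.pem"))
    return {"dangling": find_dangling(jail), "abs_ok": resolve_in_jail(jail, "/etc/ssl/cert-abs.pem") is not None}
```

Run `demo()` to see the relative cert.pem reported as dangling while the absolute cert-abs.pem resolves through /usr/local -> ../s/usr-local.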