What's the most secure way to install/share ports with jails? - The FreeBSD Forums

#1 nx, July 17th, 2012, 13:30

I'm curious what's considered the best practice - installing a ports dir in the base jail for other jails to use - or installing ports in jails by sharing/mounting them from the ezjail host?

If the host - can anyone explain how to do this or point me to a howto?

I've also read that some admins package the port they want to install with its dependencies and after moving it to the jail, install it there with pkg_add.

I tend to prefer ports over packages, but I'm all for using the best practice, so will switch to the package method for jails if someone can explain/link.

Thanks

#2 SirDice (Moderator), July 17th, 2012, 13:43

Build packages from your ports, use make package. But it's easier to use the -g switch to portmaster(8) (ports-mgmt/portmaster). If you make sure /usr/ports/packages/ exists all your built packages will end up there.

And use nullfs(5) to mount the ports directory on a jail (it can be mounted read-only if you prefer).

# mount -t nullfs /usr/ports/ /jails/myjail/usr/ports/
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.

#3 nx, July 18th, 2012, 01:37

Thanks very much!

#4 nx, July 18th, 2012, 12:28

Bah!

I've just got around to trying your advice SirDice... and found a roadblock.

I installed ezjail without ports, and then created a new jail.

Code:
ls -l newjail/usr

gives:

Code:
ports -> /basejail/usr/ports

Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:

Code:
mount -t nullfs /usr/ports /usr/jails/newjail/usr/ports

Or have I stuffed this up by not editing the ezjail config to stop the ports symlink being built before I created newjail?

I know this sounds picky, but I'd rather get these basics right now than have to fix up a mess later.

Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?

I'd rather not create a user in the wheel group in the jail and I don't have any system users needing ssh access so sudo isn't needed.

#5 SirDice (Moderator), July 18th, 2012, 13:17

Quote:
Originally Posted by nx
Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:

Code:
mount -t nullfs /usr/ports /usr/jails/newjail/usr/ports

I don't think so, but I've never used ezjail.

Quote:
Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?

Sure, I do that all the time. I even made a small shell script:
Code:
#!/bin/sh
# jsu: run su(1) inside a jail. Usage: jsu <jail> [su arguments...]
jail="$1"
shift
exec jexec "$jail" /usr/bin/su "$@"

Saved it as ~/bin/jsu.

And I use it to "su" directly to my jails.

# jsu build -
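
The procedure discussed in posts #4 and #5 (replace the ezjail ports symlink with a real directory, then nullfs-mount the host ports tree, read-only as suggested in post #2), as an added example that is not from either poster or from ezjail. The function names are hypothetical; the jail root is a parameter and the host tree defaults to the thread's /usr/ports.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Run as root on the host, with the jail stopped: mount(8) resolves the
# target path on the host, so a symlink left at usr/ports (or planted by
# a process inside a running jail) would redirect the mount.

# Print the current state of JAILROOT/usr/ports: symlink, dir or missing.
ports_mountpoint_state() {
    if [ -L "$1/usr/ports" ]; then echo symlink
    elif [ -d "$1/usr/ports" ]; then echo dir
    else echo missing
    fi
}

# Make JAILROOT/usr/ports a real directory without following any symlink.
prepare_ports_mountpoint() {
    if [ ! -d "$1/usr" ] || [ -L "$1/usr" ]; then
        echo "not a usable jail root: $1" >&2
        return 1
    fi
    case "$(ports_mountpoint_state "$1")" in
        symlink) rm -- "$1/usr/ports" && mkdir -m 755 -- "$1/usr/ports" ;;
        missing) mkdir -m 755 -- "$1/usr/ports" ;;
        dir)     : ;;
    esac
}

# fstab(5)-format line for a persistent read-only mount.
ports_fstab_line() {
    printf '%s %s nullfs ro 0 0\n' "${2:-/usr/ports}" "$1/usr/ports"
}

# Prepare the mount point, then mount the host tree read-only.
mount_ports_ro() {
    prepare_ports_mountpoint "$1" || return 1
    mount -t nullfs -o ro "${2:-/usr/ports}" "$1/usr/ports"
}

# Usage (constructed path): mount_ports_ro /usr/jails/newjail
```

With the tree mounted read-only, a port build started inside the jail cannot write work directories, distfiles or packages into /usr/ports; that fits the workflow from post #2 of building packages on the host and only installing them in the jail.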

All times are GMT +1.