How do I set up a Build Jail

Hi,

I want to set up a build-jail which holds the sources and builds world and packages available for the whole system.

There are the following hurdles:
  1. How does the host system or other jails use the package repository of the build jail?
  2. How does the host system redirect build requests to the build jail when no package is available?
  3. How does updating work?
  4. How do I manage make configs (do I prebuild the packages in the jail?)?
  5. Other things to think about?
Hope somebody can answer me the questions.

Best Regards,
bsus
 
Build jail on same system (laptop).

Step 1.
Create build jail. In /etc/rc.conf I use:
Code:
jail_enable="YES"
jail_list="build"
jail_build_rootdir="/usr/jail/build"
jail_build_hostname="build"
jail_build_flags="-l -U root -n build"     # passed to jail(8): clean environment, run as root, jail name "build"
jail_build_mount_enable="YES"              # mount the entries from /etc/fstab.build when the jail starts
jail_build_devfs_enable="YES"
jail_build_interface="wlan0"
jail_build_ip="192.168.168.168"            # alias added on wlan0 for the jail

Check the manual for more info. You could use an IP on the loopback interface, but then you need to turn the system into a router/NAT.

Step 2.
Create /etc/fstab.build. This allows the jail to mount the filesystems it needs to work on:
Code:
/usr/src              /usr/jail/build/usr/src              nullfs  ro,noatime  0  0
/usr/ports            /usr/jail/build/usr/ports            nullfs  rw,noatime  0  0
/usr/ports/distfiles  /usr/jail/build/usr/ports/distfiles  nullfs  rw,noatime  0  0
/usr/ports/packages   /usr/jail/build/usr/ports/packages   nullfs  rw,noatime  0  0
/var/db/ports         /usr/jail/build/var/db/ports         nullfs  rw,noatime  0  0
/var/db/ccache        /usr/jail/build/var/db/ccache        nullfs  rw,noatime  0  0

YMMV.

Step 2.1
Make sure you create the jail with (on the host):
# cd /usr/src
# make installworld DESTDIR=/usr/jail/build
# make distribution DESTDIR=/usr/jail/build

Step 3.
Start the jail, and in there configure anything that you would do as if you were building on the host system, such as /etc/make.conf. Don't forget to edit /etc/resolv.conf.

Step 4.
Use portmaster to build (in the jail), for example:
# portmaster --no-confirm -P --packages-local --local-packagedir=/usr/ports/packages -g -y <port>

This will install the package if it already has one locally, or build the port. -g saves the package in /usr/ports/packages.

Step 5.
Go back to the host system. Again, use portmaster, but now simply "fetch" from the local repository what was built in the jail:
# portmaster --no-confirm -PP --packages-local --local-packagedir=/usr/ports/packages -y -a
This way anything that can be installed is already built as a package. No dependency issues.

This is one way to do it.
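As an added example that is not part of bbzz's post: a small POSIX sh helper that generates the /etc/fstab.build lines from Step 2 for a given jail root and sanity-checks a fstab before the jail is started. The function names are hypothetical; the paths, filesystem type and mount options are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the nullfs entries for the
# build jail described above and checks them before the jail is started.
# Function names are hypothetical; paths are those used in the thread.

# gen_jail_fstab JAILROOT: print the fstab lines. Order matters: a parent
# mount (/usr/ports) must be listed before a mount nested inside it
# (/usr/ports/distfiles), otherwise the later parent mount hides the child.
gen_jail_fstab() {
    jailroot=${1%/}                      # strip a trailing slash
    printf '%s\t%s\tnullfs\t%s\t0\t0\n' \
        /usr/src             "$jailroot/usr/src"             ro,noatime \
        /usr/ports           "$jailroot/usr/ports"           rw,noatime \
        /usr/ports/distfiles "$jailroot/usr/ports/distfiles" rw,noatime \
        /usr/ports/packages  "$jailroot/usr/ports/packages"  rw,noatime \
        /var/db/ports        "$jailroot/var/db/ports"        rw,noatime \
        /var/db/ccache       "$jailroot/var/db/ccache"       rw,noatime
}

# check_jail_fstab JAILROOT < fstab: return 0 if every entry is a nullfs
# mount whose mount point lies inside JAILROOT, /usr/src is exported
# read-only, no path contains "..", and nested mounts follow their parent.
# Every violation is reported on stderr; returns 1 if any was found.
check_jail_fstab() {
    jailroot=${1%/}; rc=0; seen=""
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank or comment line
        dev=${dev%/}; mnt=${mnt%/}
        [ "$fstype" = nullfs ] || { echo "$mnt: expected nullfs, got $fstype" >&2; rc=1; }
        case "$mnt" in
            "$jailroot"/*) ;;
            *) echo "$mnt: mount point is outside $jailroot" >&2; rc=1 ;;
        esac
        case "$dev $mnt" in
            *..*) echo "$mnt: '..' in path" >&2; rc=1 ;;
        esac
        if [ "$dev" = /usr/src ]; then
            case ",$opts," in
                *,ro,*) ;;
                *) echo "$dev: sources should be read-only in the build jail" >&2; rc=1 ;;
            esac
        fi
        for s in $seen; do                 # a child listed before its parent
            case "$s" in
                "$mnt"/*) echo "$s: listed before its parent mount $mnt" >&2; rc=1 ;;
            esac
        done
        seen="$seen $mnt"
    done
    return $rc
}

# Usage: gen_jail_fstab /usr/jail/build > /etc/fstab.build
#        check_jail_fstab /usr/jail/build < /etc/fstab.build
```

The read-only check on /usr/src is the one a practitioner will most want: the other five shares are deliberately read-write, which means everything the jail builds (and anything a compromised build inside it writes) lands in /usr/ports, /usr/ports/packages and /var/db/ports on the host, the very trees Step 5 later installs from with portmaster -PP. That is the intended workflow in this thread, but it also means the jail isolates the build from the host's installed binaries, not the host from the build's output.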
 
Hi,

Thank you for the detailed howto.

Maybe an admin can remove my comment and make a how-to thread.


One thing is a little strange to me (Step 1):
Why do you define these settings in rc.conf?
I remember somehow that they were stored somewhere else (for example /usr/local/etc/ezjail?), or am I just wrong?

Regards
 
That's where they are specified, in /etc/rc.conf.
You are welcome!

edit:
I remember somehow that they were stored somewhere else (for example /usr/local/etc/ezjail?), or am I just wrong?

Sorry I don't use ezjail, so can't comment on that.
 
Hi,

I mean this setup doesn't use ezjail or is ezjail only an option for creating the jail?

Regards!
 
I just build a jail manually, and install world into it, etc. (see man 8 jail), then build an empty ports tree with portsnap. I do not link the ports or packages trees or databases to the main system because building large package groups sometimes fails and I do not want to impact the running system until all the major groups are built. I do install a source tree because a few ports seem to need parts of it. It is pretty easy to move or copy the successfully built packages to wherever they are needed.
 
sysutils/ezjail is just a shell wrapper script. It eases jail installation/administration. Basically it does the same as described by @bbzz, but on the other hand it really simplifies the overall jail administration.

In my opinion this is missing from FreeBSD base (similar to Solaris zone administration commands).
 
In my opinion this is missing from FreeBSD base (similar to Solaris zone administration commands).

I fully agree!

I now fail at mounting the sources. It seems that there is an incompatibility with ezjail (or rather with its structure).

The bad thing about this is that if I fall back to raw jail administration, I know I will have forgotten it by the next time; also, I have no idea how to admin jails manually with ZFS.
 
@matoatlantis

Hi, this was actually the tutorial I used for creating jails :)

The issue is that mounting the ports tree and the sources is solved quite badly in ezjail, or at least I didn't manage to mount /usr/src on /usr/jails/build/usr/src.
I always get
Code:
# mount -t nullfs /usr/src/ /usr/jails/build/usr/src/
mount: /basejail: No such file or directory

I solved this error in another situation by deleting the symlink in /usr/ports (to mount the ports tree), but this time there is no symlink and also no possibility to mount the sources for a build jail.
 
:)

I'm using the ports collection in some of my jails. I didn't want jails to use the same ports collection as used by the host. I did set up a basejail/usr/ports directory instead.

This way all my jails have access to the ports tree collection (which is updated by my sandbox jail).
 
matoatlantis said:
:)

I'm using ports collection in some of my jails. I didn't want jails to use the same port collection as used by the host. I did set up a basejail/usr/ports directory instead.

This way all my jails have access to the tree collection (which is updated by my sandbox jail).

So you use a separate ports tree from the basejail which an extra jail handles?

This is also a good idea! Even the "doubling" would meet my requirements :(
 
bsus said:
So you use a separate ports tree from the basejail which an extra jail handles?

Yes. It's not that much - ~500MB. All jails can see it (as it's in basejail), all of them can update it if needed. I'm admin of all of those jails so there's no "race condition" on ports.

One of my jails is the sandbox (a jail where I try some new stuff before installing on host) - this one is dedicated to update ports.
 
@matoatlantis

How do you make the ports tree writable for the build jail? Do you mount the whole basejail as rw, or do you do something additional? Is it possible to only build a package with portmaster? Currently the build jail creates a package and installs the port, but I only need the package.

Regards
 
That's the advantage of a jail: after you get your packages, if you want to, simply remove all installed binaries with pkg_delete -a.

That's one of the reasons I used this command for installing in the jail:
# portmaster -P --packages-local --local-packagedir=/usr/ports/packages

If you need to reinstall packages in the jail again, it will first look whether it already has up-to-date packages in the local repository.

What happens in the jail, stays in the jail.

As for your first question, I already posted solution.
 
@bsus
My ezjail_jaildir is set to /local/jails. After the ezjail installation/first setup I removed the symbolic link /local/jails/basejail/usr/ports and created a regular directory instead.

No, basejail is mounted read-only, as it should be. I've misled you though; it was some time ago that I set this up. Ports are updated from the host only, using a prefix in the supfile. Each jail saves its distfiles to /var/ports - the default behavior.

The only tools I use when dealing with packages are: net/cvsup-without-gui, ports-mgmt/portaudit and ports-mgmt/portupgrade-devel. I don't use portmaster, so I can't answer that.
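As an added example, not code from either poster: the "mount: /basejail: No such file or directory" error bsus hit and the fix matoatlantis describes (remove the symlink, create a regular directory) come from the same thing. In an ezjail layout the jail's /usr/src and /usr/ports are symlinks whose target starts with /basejail; inside the jail that path exists, but mount(8) runs on the host, follows the link from the host's root, and finds nothing there. The helpers below (hypothetical names) show where such a link resolves from the host's and from the jail's point of view and replace it with a real directory only when the host-side target is missing. The layout is built in a temporary directory so it runs without ezjail.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helpers for the
# ezjail symlink problem discussed above: a link like
#   <jailroot>/usr/src -> /basejail/usr/src
# resolves inside the jail but not on the host, so a nullfs mount onto it
# fails with "mount: /basejail: No such file or directory".

# link_target_as_host JAILROOT RELPATH: the path mount(8) on the host sees
link_target_as_host() {
    jailroot=${1%/}; rel=${2#/}
    target=$(readlink "$jailroot/$rel") || return 1
    case "$target" in
        /*) printf '%s\n' "$target" ;;                               # absolute: host root
        *)  printf '%s\n' "$(dirname "$jailroot/$rel")/$target" ;;   # relative to the link
    esac
}

# link_target_as_jail JAILROOT RELPATH: the same link seen from inside the jail
link_target_as_jail() {
    jailroot=${1%/}; rel=${2#/}
    target=$(readlink "$jailroot/$rel") || return 1
    case "$target" in
        /*) printf '%s\n' "$jailroot$target" ;;                      # absolute: jail root
        *)  printf '%s\n' "$(dirname "$jailroot/$rel")/$target" ;;
    esac
}

# replace_link_with_dir JAILROOT RELPATH: swap a dangling (host-side) symlink
# for a real directory so a nullfs mount can land there. Refuses to touch
# anything that is not a symlink, or a symlink that does resolve on the host.
replace_link_with_dir() {
    jailroot=${1%/}; rel=${2#/}; p="$jailroot/$rel"
    [ -L "$p" ] || { echo "$p: not a symlink, leaving alone" >&2; return 1; }
    host_target=$(link_target_as_host "$jailroot" "$rel")
    if [ -e "$host_target" ]; then
        echo "$p -> $host_target resolves on the host; a mount would work as-is" >&2
        return 1
    fi
    rm "$p" && mkdir -p "$p"
}

# demo_ezjail_layout: constructed stand-in for an ezjail jail directory.
# Creates <tmp>/basejail/usr/src and <tmp>/usr/src -> /basejail/usr/src,
# prints the temporary jail root. Caller removes it afterwards.
demo_ezjail_layout() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/basejail/usr/src" "$d/usr"
    ln -s /basejail/usr/src "$d/usr/src"
    printf '%s\n' "$d"
}

# Usage:
#   j=$(demo_ezjail_layout)
#   link_target_as_host "$j" usr/src   # /basejail/usr/src  (missing on the host)
#   link_target_as_jail "$j" usr/src   # $j/basejail/usr/src (exists)
#   replace_link_with_dir "$j" usr/src && mount -t nullfs /usr/src "$j/usr/src"
```

Doing the replacement only for a link that is dangling on the host is deliberate: a symlink that does resolve on the host is already mountable, and deleting it would silently change what the jail sees.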
 