Solved Mount fs in poudriere jail

Here's what I would like to do:
Test a java-based port in an i386 environment from an amd64 machine, meaning run its test target, run the executable it produces, etc.

Since I am already using poudriere testport, with all packages built, installed, and doing all of the work to set up an i386 jail, I thought the easiest way to accomplish the above would be to run poudriere testport -I ..., jexec into the jail when it's done, and play around with the port. The problem is that for java to work, fdescfs and procfs must be mounted. Reading the docs for poudriere, there doesn't seem to be a way to pass jail configuration parameters through, such as mount.fdescfs, mount.procfs, enforce_statfs=1, allow.mount, allow.mount.procfs, allow.mount.fdescfs. And poudriere doesn't seem to consult /etc/jail.conf. So from within the jail I get:
Code:
root@jailx-portsy:~ # mount -t procfs proc /proc
mount: proc: Operation not permitted
root@jailx-portsy:~ # mount -t fdescfs fdesc /dev/fd
mount: fdesc: Operation not permitted

From the Thread how-can-i-mount-a-nullfs-inside-a-jail-iocage.67891
I tried creating a /etc/fstab.jailx-portsy and /etc/fstab.jailx-portsy-n:
Code:
# Device        Mountpoint      FStype  Options Dump    Pass#
fdesc   /dev/fd         fdescfs         rw      0       0
proc    /proc           procfs          rw      0       0

(Poudriere seems to be starting two jails, one with "-n" appended to the name, so I'm not sure which one to target:
Code:
root@aaa:~ # jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
    15  jailx-portsy                /usr/local/poudriere/data/.m/jailx-portsy/ref
        jailx-portsy                ACTIVE
        2
        127.0.0.1
        ::1
    16  jailx-portsy                /usr/local/poudriere/data/.m/jailx-portsy/ref
        jailx-portsy-n              ACTIVE
        3
)

But there's still no fstab in the jail:
Code:
root@jailx-portsy:~ # ls /etc/fstab
ls: /etc/fstab: No such file or directory

And in the java application there are errors like:
Code:
java.io.IOException: Mount point not found in fstab
        at sun.nio.fs.BsdFileStore.findMountEntry(BsdFileStore.java:78)

How can I configure the poudriere jail to mount these filesystems or enable a privileged user within the jail to do so?
 
Manually configuring a new jail to run poudriere itself in wouldn't help with mounting filesystems in the jails poudriere creates. I think at most (and at worst) it could only further limit the capabilities of the sub-jails. From jail(8):
Jailed processes are not allowed to confer greater permissions than they
themselves are given, e.g., if a jail is created with allow.nomount, it
is not able to create a jail with allow.mount set. Similarly, such re-
strictions as ip4.addr and securelevel may not be bypassed in child
jails.

But I don't think these settings from poudriere's jail would get inherited by the children. Correct me if I'm wrong...
 
Ok, I got it. Though poudriere doesn't read the jail.conf file and doesn't accept much jail configuration, the system settings still take effect:
Code:
me@aaa:~ # sudo sysctl security.jail.enforce_statfs=1
security.jail.enforce_statfs: 2 -> 1
In the jail:
Code:
root@j_i386_4-pi386:~ # sysctl -n security.jail.enforce_statfs
1
And the fstab errors go away.

(Poudriere was already mounting these two filesystems in src/share/poudriere/common.sh:
Code:
do_jail_mounts() {
    ...
    [ "${USE_FDESCFS}" = "yes" ] && \
        [ ${JAILED} -eq 0 -o "${PATCHED_FS_KERNEL}" = "yes" ] && \
        mount -t fdescfs fdesc "${mnt}/dev/fd"
    [ "${USE_PROCFS}" = "yes" ] && \
        mount -t procfs proc "${mnt}/proc"
    ...
}
...
: ${USE_PROCFS:=yes}
: ${USE_FDESCFS:=yes}
)
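The reason the sysctl change fixes the Java error is that poudriere had already mounted fdescfs and procfs under the jail root, but with security.jail.enforce_statfs=2 the jail is only shown the filesystem its root lives on, so Java's BsdFileStore cannot find a mount entry for /dev/fd or /proc; with enforce_statfs=1 every mount below the jail root is visible, rewritten relative to that root. The following script, added here as an illustration (it is not from the thread or from poudriere), models that visibility rule over a constructed host mount table in `mount -p` (fstab) format, using the jail path from the thread. The sample mount lines and the function names are made up for the example; the jail(8) semantics of enforce_statfs 0/1/2 are what it reproduces.

```shell
#!/bin/sh
# Model of what a jail sees in its mount table under each
# security.jail.enforce_statfs level (from jail(8)):
#   0 - every mount on the host is visible
#   1 - only the jail root's filesystem and mounts below the jail root,
#       with paths rewritten relative to the jail root
#   2 - only the filesystem that contains the jail root
# The mount table below is CONSTRUCTED for this example; it mimics a host
# running poudriere with the jail path used in the thread.

JAIL_ROOT=/usr/local/poudriere/data/.m/jailx-portsy/ref

# Constructed `mount -p` style lines: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='zroot/ROOT/default / zfs rw,noatime 0 0
devfs /dev devfs rw 0 0
zroot/usr/home /usr/home zfs rw 0 0
zroot/poudriere/jailx /usr/local/poudriere/data/.m/jailx-portsy/ref zfs ro 0 0
devfs /usr/local/poudriere/data/.m/jailx-portsy/ref/dev devfs rw 0 0
fdescfs /usr/local/poudriere/data/.m/jailx-portsy/ref/dev/fd fdescfs rw 0 0
procfs /usr/local/poudriere/data/.m/jailx-portsy/ref/proc procfs rw 0 0
/usr/ports /usr/local/poudriere/data/.m/jailx-portsy/ref/usr/ports nullfs ro 0 0'

# visible_mounts LEVEL JAILROOT
# Prints "device mountpoint fstype" for each mount the jail would see.
visible_mounts() {
    level=$1
    root=$2
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v level="$level" -v root="$root" '
    { dev[NR] = $1; mp[NR] = $2; fs[NR] = $3 }
    END {
        if (level == 0) {
            # unrestricted: the host view, paths unchanged
            for (i = 1; i <= NR; i++) print dev[i], mp[i], fs[i]
            exit
        }
        # The filesystem containing the jail root is the longest mountpoint
        # that is a path prefix of the jail root; the jail sees it as "/".
        best = 0; bestlen = -1
        for (i = 1; i <= NR; i++) {
            m = mp[i]
            if (m == "/" || m == root || index(root, m "/") == 1) {
                if (length(m) > bestlen) { best = i; bestlen = length(m) }
            }
        }
        if (best) print dev[best], "/", fs[best]
        if (level == 2) exit
        # level 1: additionally every mount strictly below the jail root,
        # with the jail root prefix stripped off the mountpoint
        for (i = 1; i <= NR; i++) {
            if (index(mp[i], root "/") == 1)
                print dev[i], substr(mp[i], length(root) + 1), fs[i]
        }
    }'
}

# visible_count LEVEL JAILROOT: number of mount entries the jail sees
visible_count() {
    visible_mounts "$1" "$2" | awk 'END { print NR }'
}

# has_fs LEVEL JAILROOT FSTYPE: succeeds if a mount of that type is visible,
# i.e. if something like Java's BsdFileStore could find its mount entry
has_fs() {
    visible_mounts "$1" "$2" | awk -v t="$3" '$3 == t { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone usage: show what the jail sees at each level
for lvl in 2 1; do
    echo "enforce_statfs=$lvl:"
    visible_mounts "$lvl" "$JAIL_ROOT" | sed 's/^/  /'
    if has_fs "$lvl" "$JAIL_ROOT" fdescfs && has_fs "$lvl" "$JAIL_ROOT" procfs; then
        echo "  fdescfs and procfs visible: yes"
    else
        echo "  fdescfs and procfs visible: no"
    fi
done
```

Run it to see that at level 2 only the jail root's filesystem appears, so neither fdescfs nor procfs is found, while at level 1 /dev/fd and /proc show up as relative paths. Note that the sysctl is system-wide, so lowering it from 2 to 1 also lets every other jail on the host see the mounts below its own root; that is still a narrower view than level 0, which exposes the whole host table.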
 