Sharing Ports Directory with Jails

I have a bunch of service jails installed on a FreeBSD 8.1 box, installed as per the handbook. I use portupgrade to manage both the base server and all the jails. I thought it would be a good idea to save space and unnecessary re-indexing by sharing the Ports collection of the base server with the jails. I did this by creating more nullfs mounts inside the jails with entries in /etc/fstab like this, one for each jail:

Code:
/usr/ports              /home/j/ns/usr/ports    nullfs  rw      0       0
/usr/ports              /home/j/data/usr/ports  nullfs  rw      0       0

I then renamed the existing ports directory in /home/j/mroot/usr to ports-old, and created a new directory ports for the mount. Everything seems to work just fine: the ports directory for the main box is mounted read-write inside all the jails.

I just have a few questions:

1. Is there a better way to structure this? Symlinks start getting cyclical in this case, so I know I need nullfs mounts, however, if I just mount /usr/ports into /home/j/mroot/usr/ports, it doesn't show up in the jail. I sort of vaguely understand why this is, but I'm not 100%

2. Before I did this, I ran portupgrade in the jails, and it hasn't upgraded anything in quite some time, which I thought was very odd. I thought this might be because I haven't upgraded the jails (which requires a full installworld and a bunch of mergemastering and time) in a while. I'm not 100% on what version information is actually contained in the ports directory, so I figured sharing the ports directory of the base machine (which is updated via freebsd-update nightly) would make sure they all have the latest and greatest information, but this was not the case: portupgrade still has nothing to report. The question is, have there really been very few upgrades available, or is something possibly broken with portupgrade, or is there something that's missing that doing the full installworld routine would fix?

Thanks for any help!
 
Sephiroth said:
I have a bunch of service jails installed on a FreeBSD 8.1 box, installed as per the handbook. I use portupgrade to manage both the base server and all the jails. I thought it would be a good idea to save space and unnecessary re-indexing by sharing the Ports collection of the base server with the jails. I did this by creating more nullfs mounts inside the jails with entries in /etc/fstab like this, one for each jail:

Code:
/usr/ports              /home/j/ns/usr/ports    nullfs  rw      0       0
/usr/ports              /home/j/data/usr/ports  nullfs  rw      0       0

I then renamed the existing ports directory in /home/j/mroot/usr to ports-old, and created a new directory ports for the mount. Everything seems to work just fine: the ports directory for the main box is mounted read-write inside all the jails.

You should not mount the ports directory read-write into the jail. A bad guy inside the jail could affect the ports for all the systems. Instead, mount the ports directory read-only and change the location of the build directory, distfiles and packages in each jail.

example:
mount:
Code:
/usr/ports on /jails/192.168.1.1/usr/ports (nullfs, local, read-only)

in the jail, change /etc/make.conf and create these directories
Code:
WRKDIRPREFIX=   /usr/pkg
DISTDIR=        /usr/pkg/distfiles
PACKAGES=       /usr/pkg/packages
Adapt /usr/local/etc/pkgtools.conf if you use portupgrade:
Code:
  ENV['PORTSDIR'] ||= '/usr/ports'           # the shared, read-only tree
  ENV['PACKAGES'] ||= '/usr/pkg/packages'    # per-jail, writable
  ENV['PKG_PATH'] ||= ENV['PACKAGES'] + '/All'
 
You're absolutely right! I did that thinking I'd need it writable, but changing the work dirs is much better.

Edit: Looked into this. During the initial jail setup, I set up a place to build the ports in the read-write section of the jail, by adding a prefix to /etc/make.conf, as per the handbook. So, mounting read-write was totally unnecessary to begin with.
 
I usually just mount_nullfs /usr/ports /usr/jail/myjail/usr/ports, install what I need, then unmount. Occasionally I need to make clean if I have to install the same thing in two jails. Anyone know of any other unpleasant side-effects waiting to bite me in the rear?

Thanks.

ps: w00t first post!
 
If using ezjail you can mount in the basejail to share the same updates with all the jails. So using Korla_Plankton's method:

Code:
hostos# mkdir /usr/jails/basejail/usr/ports
hostos# mount_nullfs /usr/ports /usr/jails/basejail/usr/ports

This works because ezjail puts a link in each jail to the basejail.

Code:
hostos# ls -lah /usr/jails/myjail/usr
lrwxr-xr-x   1 root  wheel   DD Mmm DD HH:MM ports -> /basejail/usr/ports
 
For example, my jail "test" directory:

Code:
mkdir -p /vol/jails/test/vol/tmp/{ports,portsnap}

then unpack base.txz into it,

and then the config for the shared ports directory (an example):

/etc/jail.conf
Code:
# other jail config here

test {
        ip4.addr = "IFACE|ADDR_IP/MASK";
        path = "/vol/jails/$name";
        host.hostname = "$name.bsd";
        mount.fstab = "/etc/jail.$name.fstab";
        mount.devfs;
        devfs_ruleset = 4;
        interface= IFACE;
        allow.dying;
}

/etc/jail.test.fstab
Code:
# fstab

/usr/ports                              /vol/jails/test/usr/ports                 nullfs          ro              0       0
/vol/jails/test/vol/tmp/ports           /vol/jails/test/usr/ports                 unionfs         rw              0       0

/var/db/portsnap                        /vol/jails/test/var/db/portsnap           nullfs          ro              0       0
/vol/jails/test/vol/tmp/portsnap        /vol/jails/test/var/db/portsnap           unionfs         rw              0       0

In this case my jail takes something like 300-400MB of space (with additional compiled software); the directories from the main system are read-only, so jailed users can't touch them.
unionfs allows compiling ports inside the jail: it makes the specified directories "locally writable" (inside the jail), and the added files/directories are stored in /vol/jails/test/vol/tmp/.

The second thing is that I'm using ZFS, which has many interesting options.
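Both the read-only recommendation above (nullfs ro plus per-jail WRKDIRPREFIX/DISTDIR/PACKAGES) and the unionfs layout in the last post rely on the host's tree never being nullfs-mounted read-write into a jail. The script below is an added example, not code from the thread or from any of its posters: it audits `mount` output for exactly that mistake. It assumes the `mount` output format shown in the thread (`SRC on MOUNTPOINT (fstype, opts)`); the sample mount table embedded in it is constructed for the demo and not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): find host directories that are
# nullfs-mounted read-write into a jail.  Assumes the `mount` output
# format seen in the thread, e.g.
#   /usr/ports on /jails/192.168.1.1/usr/ports (nullfs, local, read-only)
# The mount table below and the jail paths in it are constructed for the demo.

SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
/usr/ports on /home/j/ns/usr/ports (nullfs, local)
/usr/ports on /home/j/data/usr/ports (nullfs, local, read-only)
/var/db/portsnap on /vol/jails/test/var/db/portsnap (nullfs, local, read-only)
/vol/jails/test/vol/tmp/ports on /vol/jails/test/usr/ports (unionfs, local)'

# find_rw_nullfs SRC
# Reads `mount` output on stdin and prints, one per line, every mount point
# where SRC is nullfs-mounted WITHOUT the read-only flag.  Prints nothing
# when every nullfs mount of SRC is read-only.
find_rw_nullfs() {
    src="$1"
    while IFS= read -r line; do
        # Only lines of the form "SRC on MOUNTPOINT (opts)"; a prefix such
        # as /usr/ports-old must not match /usr/ports.
        case "$line" in
            "$src on "*) ;;
            *) continue ;;
        esac
        # Isolate the option list and drop spaces so ",opt," matching is exact.
        opts="${line##*\(}"
        opts="${opts%\)}"
        opts=",$(printf '%s' "$opts" | tr -d ' '),"
        case "$opts" in
            *,nullfs,*) ;;               # other filesystem types are out of scope
            *) continue ;;
        esac
        case "$opts" in
            *,read-only,*) continue ;;   # the safe configuration
        esac
        # Mount point is everything between "SRC on " and the trailing " (opts)".
        mnt="${line#"$src on "}"
        mnt="${mnt% \(*}"
        printf '%s\n' "$mnt"
    done
}

# count_rw_nullfs SRC: number of read-write nullfs mounts of SRC on stdin.
count_rw_nullfs() {
    find_rw_nullfs "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed table.  On a real host replace
# the printf with:  mount | find_rw_nullfs /usr/ports
for tree in /usr/ports /var/db/portsnap; do
    printf '%s\n' "$SAMPLE_MOUNTS" | find_rw_nullfs "$tree" | while IFS= read -r m; do
        printf 'WARNING: %s is nullfs-mounted read-write at %s\n' "$tree" "$m"
    done
done
```

Run it after `jail` startup (or from cron) as `mount | find_rw_nullfs /usr/ports`; any output means a jail can write to the host's ports tree and the fstab entry for that jail should be changed to `ro`. The same call with `/var/db/portsnap` covers the portsnap overlay from the last post, where the unionfs upper layer is the only directory that should be writable.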
 