Objectives:
- Manage multiple jails' packages from the host environment
- Doing so should not require the jail to be active
- Doing so should not require the jail to have Internet connectivity
- Strongly desired that the jail's filesystem doesn't control the settings, or contain cached packages that are used
- Preferable if only a single copy of each package file is downloaded
- There is one, and only one way to manage the jails' packages to help reduce the chances of corruption or inconsistencies
After a few years of trying to make consistent sense of the various options from the host as well as running pkg from a shell within the jail, I thought I had it understood, -r <root directory> was supposed to install at the specified root directory.
Unfortunately...
sudo pkg -r /var/jail/cloud install nginx failed to work as expected, both populating the host's root file system
Code:
$ ls -ld /usr/local/www
drwxr-xr-x 3 root wheel 4 Dec 24 12:05 /usr/local/www
$ ls -lR /usr/local/www
total 1
lrwxr-xr-x 1 root wheel 25 Dec 24 12:05 nginx -> /usr/local/www/nginx-dist
dr-xr-xr-x 2 root wheel 2 Dec 24 12:05 nginx-dist
/usr/local/www/nginx-dist:
total 0
as well as failing to execute the install scripts with the errors
Code:
cp: /usr/local/etc/nginx/fastcgi_params-dist: No such file or directory
cp: /usr/local/etc/nginx/scgi_params-dist: No such file or directory
cp: /usr/local/etc/nginx/uwsgi_params-dist: No such file or directory
cp: /usr/local/etc/nginx/mime.types-dist: No such file or directory
cp: /usr/local/etc/nginx/nginx.conf-dist: No such file or directory
though these files were "properly" installed to the root as specified
Code:
$ ls -l /var/jail/cloud/usr/local/etc/nginx/
total 36
-rw-r--r-- 1 root wheel 1007 Dec 20 13:00 fastcgi_params-dist
-rw-r--r-- 1 root wheel 2837 Dec 20 13:00 koi-utf
-rw-r--r-- 1 root wheel 2223 Dec 20 13:00 koi-win
-rw-r--r-- 1 root wheel 5170 Dec 20 13:00 mime.types-dist
-rw-r--r-- 1 root wheel 2989 Dec 20 13:00 nginx.conf-dist
-rw-r--r-- 1 root wheel 636 Dec 20 13:00 scgi_params-dist
-rw-r--r-- 1 root wheel 664 Dec 20 13:00 uwsgi_params-dist
-rw-r--r-- 1 root wheel 3610 Dec 20 13:00 win-utf
So -r doesn't really restrict itself like pkg(8) indicates, "pkg will install all packages within the specified <root directory>."
Is this just a bug with the www/nginx package, or is it that packages, in general, are not robust to use of the -r option?
Edit: Looks like "POST-INSTALL" scripts fail rather often -- php72 as required by nextcloud72 fails repeatedly and it looks like the font cache was run on the host system's font cache, not that of the file system below the specified root.
Unfortunately, it seems as though the -c option will use the config files and cached packages in the target file system not the host's. Edit: It has additional problems, as it apparently uses the files in the chroot which apparently cause failures as the host system has different networking than the jail -- the jail's resolver is not reachable from the host (VIMAGE/vnet configuration).
Code:
$ sudo pkg -dc /var/jail/cloud/ install nginx
DBG(1)[11404]> pkg initialized
Updating FreeBSD repository catalogue...
DBG(1)[11404]> PkgRepo: verifying update for FreeBSD
DBG(1)[11404]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[11404]> Fetch: fetching from: http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/meta.txz with opts "i"
DBG(1)[11404]> Fetch: fetching from: http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/meta.txz with opts "i"
DBG(1)[11404]> Fetch: fetching from: http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/meta.txz with opts "i"
pkg: http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/meta.txz: No address record
[...]
Edit: Even with an in-chroot /etc/resolv.conf, the next problem is that the POST-INSTALL scripts use /dev/null, which isn't there on a non-running jail and can't be written on a locked-down root file system.
Code:
/bin/sh: cannot create /dev/null: Read-only file system
pkg: POST-INSTALL script failed
The -j option is a non-starter as it, as well as use of jexec, have both the problem of using the jail's config files and cached packages, as well as requiring Internet connectivity if using the FreeBSD binary-package repos. (I also seem to recall that -j requires the jail to be running, which is a challenge for "back-up" jails that shouldn't be running when the "primary" jail is running.)
I'd like to be able to manage the jails' contents from the comparatively "safe" environment of the host, without needing to dump in new config and clean package caches (need depending on how tinfoil-hat one feels at the time).
Any suggestions of how to accomplish this?
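A check for the leak described in this post, as an added example that is not part of the original post and not pkg's own tooling: it wraps the pkg -r install and lists any host path outside the jail root that changed during the run. The function names and the default scan directory /usr/local are assumptions; it is meant to run as root on the host.

```shell
#!/bin/sh
# Added example (not from the original post): detect writes that escaped the
# root passed to `pkg -r` by listing host paths changed since a marker file.

# host_changes_since MARKER JAILROOT DIR...
# Prints every path under DIR... whose mtime is newer than MARKER, without
# descending into JAILROOT (changes there are the expected ones).
host_changes_since() {
    _m=$1
    _jr=${2%/}          # tolerate a trailing slash, as in /var/jail/cloud/
    shift 2
    find "$@" -path "$_jr" -prune -o -newer "$_m" -print 2>/dev/null | sort
}

# audited_install JAILROOT PKG [DIR...]
# Runs the same kind of install as in the post, then reports host-side changes.
# Returns 0 if only JAILROOT was touched, 1 if host paths changed,
# 2 if the marker file could not be created.
audited_install() {
    root=$1
    pkgname=$2
    shift 2
    # Assumption: /usr/local is where the post saw stray files; pass more
    # directories (for example /etc) to widen the check.
    [ $# -gt 0 ] || set -- /usr/local
    marker=$(mktemp) || return 2
    pkg -r "$root" install -y "$pkgname"
    leaked=$(host_changes_since "$marker" "$root" "$@")
    rm -f "$marker"
    [ -z "$leaked" ] && return 0
    printf 'host paths modified outside %s:\n%s\n' "$root" "$leaked" >&2
    return 1
}
```

Called as audited_install /var/jail/cloud nginx, a non-zero return means an install script wrote to the host rather than below the requested root. Host files that other processes change during the install are listed as well, so run it on a quiet prefix.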