What's the most secure way to install/share ports with jails?

I'm curious what's considered the best practice - installing a ports dir in the base jail for other jails to use - or installing ports in jails by sharing/mounting them from the ezjail host?

If the host - can anyone explain how to do this or point me to a howto?

I've also read that some admins package the port they want to install with its dependencies and after moving it to the jail, install it there with pkg_add.

I tend to prefer ports over packages, but I'm all for using the best practice, so will switch to the package method for jails if someone can explain/link.

Thanks
 
Build packages from your ports; use make package. But it's easier to use the -g switch to portmaster(8) (ports-mgmt/portmaster). If you make sure /usr/ports/packages/ exists, all your built packages will end up there.

And use nullfs(5) to mount the ports directory on a jail (it can be mounted read-only if you prefer).

# mount -t nullfs /usr/ports/ /jails/myjail/usr/ports/
 
Bah!

I've just got around to trying your advice SirDice... and found a roadblock.

I installed ezjail without ports, and then created a new jail.

Code:
ls -l newjail/usr

gives:

Code:
ports -> /basejail/usr/ports

Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:

Code:
mount -t nullfs /usr/ports /usr/jails/newjail/usr/ports

Or have I stuffed this up by not editing the ezjail config to stop the ports symlink being built before I created newjail?

I know this sounds picky, but I'd rather get these basics right now than have to fix up a mess later.

Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?

I'd rather not create a user in the wheel group in the jail and I don't have any system users needing ssh access so sudo isn't needed.
 
nx said:
Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:

Code:
mount -t nullfs /usr/ports /usr/jails/newjail/usr/ports
I don't think so but I've never used ezjail.

Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?
Sure, I do that all the time. I even made a small shell script:
Code:
#!/bin/sh

# Usage: jsu <jail> [su arguments...]
jail="$1"
shift
jexec "$jail" /usr/bin/su "$@"
Saved it as ~/bin/jsu.

And I use it to "su" directly to my jails.
# jsu build -
 
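An added example, not from any post in this thread: a host-side sketch of the read-only nullfs share suggested above, including the leftover `ports` symlink case nx ran into. The function names are hypothetical, and where the fstab line gets persisted depends on how your jails are started.

```shell
#!/bin/sh
# Added example: share the host ports tree into one jail read-only via nullfs.
# Function names are hypothetical; run the mount step as root on the host.

# Succeed only if $1 is a real directory and not a symlink. An absolute
# symlink inside a jail (ports -> /basejail/usr/ports) is resolved against
# the HOST root when followed from the host, so mounting through it would
# target a path outside the jail.
safe_mountpoint() {
    [ ! -L "$1" ] && [ -d "$1" ]
}

# Print the fstab(5) line for a read-only nullfs mount of $1 on $2.
# Append it to whichever fstab file your jail setup reads at jail start.
ports_fstab_line() {
    printf '%s %s nullfs ro 0 0\n' "$1" "$2"
}

# Replace a leftover symlink with an empty directory, refuse anything that
# is still not a plain directory, then mount the ports tree read-only so
# processes in the jail cannot modify the tree shared with other jails.
share_ports_ro() {
    src=$1
    jailroot=$2
    target="$jailroot/usr/ports"
    if [ -L "$target" ]; then
        rm "$target" || return 1
    fi
    [ -e "$target" ] || mkdir "$target" || return 1
    if ! safe_mountpoint "$target"; then
        echo "unsafe mount point: $target" >&2
        return 1
    fi
    mount -t nullfs -o ro "$src" "$target"
}

# Usage, with the paths from the thread:
#   share_ports_ro /usr/ports /usr/jails/newjail
#   ports_fstab_line /usr/ports /usr/jails/newjail/usr/ports
```

With the tree mounted read-only, builds started inside the jail cannot write to /usr/ports, which fits the approach of building packages on the host and installing them in the jail.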