I'm trying to set up a jail to enable building a NanoBSD image. It's actually a jail on top of a NanoBSD install.
The problem I have is that I'm unable to mount the md device in order to do the 'build image' part. Is it simply not possible to mount an md device inside a jail, or is there some other knob I need to twiddle?
On the host, /etc/rc.conf.local:

    jail_enable="YES"
    jail_mount_enable="YES"
    jail_list="build"
    jail_set_hostname_allow="NO"
    jail_build_hostname="build.vm"
    jail_build_ip="192.168.0.100"
    jail_build_rootdir="/mnt/zpool0/jails/build/home"
    jail_build_devfs_enable="YES"
    jail_build_devfs_ruleset="devfsrules_jail_build"

/etc/devfs.rules:

    [devfsrules_jail_build=5]
    # nothing
Inside the jail:

    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# sysctl security.jail
    security.jail.param.cpuset.id: 0
    security.jail.param.host.hostid: 0
    security.jail.param.host.hostuuid: 64
    security.jail.param.host.domainname: 256
    security.jail.param.host.hostname: 256
    security.jail.param.children.max: 0
    security.jail.param.children.cur: 0
    security.jail.param.enforce_statfs: 0
    security.jail.param.securelevel: 0
    security.jail.param.path: 1024
    security.jail.param.name: 256
    security.jail.param.parent: 0
    security.jail.param.jid: 0
    security.jail.enforce_statfs: 1
    security.jail.mount_allowed: 1
    security.jail.chflags_allowed: 1
    security.jail.allow_raw_sockets: 0
    security.jail.sysvipc_allowed: 0
    security.jail.socket_unixiproute_only: 1
    security.jail.set_hostname_allowed: 0
    security.jail.jail_max_af_ips: 255
    security.jail.jailed: 1

    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# mdconfig -l
    md2 md0 md1

md0 and md1 are the ramdisks of the host.
bsdlabel looks sensible:

    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# bsdlabel /dev/md2s1
    # /dev/md2s1:
    8 partitions:
    # size offset fstype [fsize bsize bps/cpg]
    a: 1012016 16 4.2BSD 0 0 0
    c: 1012032 0 unused 0 0 # "raw" part, don't edit

newfs runs OK:

    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# newfs -U /dev/md2s1a
    /dev/md2s1a: 494.1MB (1012016 sectors) block size 16384, fragment size 2048
    using 4 cylinder groups of 123.55MB, 7907 blks, 15872 inodes.
    with soft updates
    super-block backups (for fsck -b #) at:
    160, 253184, 506208, 759232

mount fails:

    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# mount /dev/md2s1a _.mnt/
    mount: /dev/md2s1a : Operation not permitted
UPDATE:

One of my colleagues pointed out:

    There are some file systems types that can't be securely mounted within
    a jail no matter what, like UFS, MSDOSFS, EXTFS, XFS, REISERFS, NTFS,
    etc. because the user mounting it has access to raw storage and can
    corrupt it in a way that it will panic entire system.

From http://www.mail-archive.com/freebsd-hackers@freebsd.org/msg160389.html

So it seems that the standard nanobsd.sh won't run inside a jail while it uses the md device to build the image. One potential solution I'll try is to chroot from the host into the build jail, rather than jexec a shell.
Best Answer
As you said, chroot is the way to go.
You don't want to achieve security, just build and change the root so that your installation scripts behave correctly. That's what chroot is for.
On some systems there isn't a chroot binary, but it's kind of easy to code a simple script that will achieve everything you want (and hey, you can reuse it later!).
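A host-side wrapper along the lines the answer suggests, added here as an example and not code from the question, the answer or nanobsd.sh: it parses the `sysctl security.jail` output shown above and refuses to run when `security.jail.jailed` reports a jail (where the UFS mount of the md device fails with "Operation not permitted" even though mount_allowed is 1), and otherwise mounts devfs into the jail's root directory and runs the given command under chroot(8). The jail root path, the devfs mount and the build command are assumptions supplied by the caller.

```shell
#!/bin/sh
# Hypothetical host-side helper: run the NanoBSD build chrooted into the
# jail's root instead of jexec'ing into the jail. Assumes a FreeBSD host
# and root privileges when actually invoked with arguments.
set -eu

# Print the value of security.jail.jailed from `sysctl security.jail`
# output passed in as text (so the check can be exercised offline).
# A missing key is treated as "not jailed" (value 0).
jail_flag() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "security.jail.jailed" { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# UFS on an md(4) device cannot be mounted from inside a jail, regardless
# of security.jail.mount_allowed, so the build only works when not jailed.
can_mount_md_ufs() {
    [ "$(jail_flag "$1")" = 0 ]
}

# Mount devfs into the jail root (nanobsd.sh needs /dev/mdN visible),
# run the build command chrooted, and always unmount devfs afterwards.
run_chrooted_build() {
    root=$1
    shift
    mount -t devfs devfs "$root/dev"
    trap 'umount "$root/dev"' EXIT
    chroot "$root" /bin/sh -c "$*"
}

# Usage: ./build-in-chroot.sh /mnt/zpool0/jails/build/home 'cd /usr/src/tools/tools/nanobsd && sh nanobsd.sh'
if [ $# -gt 1 ]; then
    if ! can_mount_md_ufs "$(sysctl security.jail 2>/dev/null || true)"; then
        echo "refusing to run: this is a jail, run the wrapper on the host" >&2
        exit 1
    fi
    run_chrooted_build "$@"
fi
```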