Date: Tue, 09 Jul 2013 21:42:28 +0900 (JST)
Message-Id: <20130709.214228.1702026470722804811.hrs@allbsd.org>
To: julian@FreeBSD.org
Cc: current@FreeBSD.org, jamie@FreeBSD.org
Subject: Re: chroots/jails in jails
From: Hiroki Sato
In-Reply-To: <51DC0054.2040703@freebsd.org>
References: <51DC0054.2040703@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

Julian Elischer wrote
  in <51DC0054.2040703@freebsd.org>:

ju> I'm making a build system for a project which creates a chroot in
ju> which to do some of the building to avoid base-system contamination
ju> (yeah I know lots of people do that).
ju> the trick is that my test system is itself, a jail.
ju> So I can not mount /dev in the chroot.
ju>
ju> I can not predict where a build will occur so I can not pre-mount the
ju> devfs from outside the jail. (users may fire off builds in different
ju> locations)
ju>
ju> Does anyone have any solution to this problem?
ju>
ju> We have hierarchical jails, but no way of allowing the parent jail to
ju> give the child jail a devfs.
ju>
ju> Has anyone looked at what it would take to make devfs "jail friendly"?
ju>
ju> I'm guessing that the jail would have to get some devfs-rule parameter
ju> and that mount_devfs or its in-kernel parts would have to know what
ju> to do..
ju>
ju> seems like there should be someone out there who has hit this.. (and
ju> solved it?)

 Allowing to mount devfs inside hierarchical jails should work like
 the following:

 # jail -c allow.mount.devfs=1 allow.mount=1 enforce_statfs=1 children.max=10 path=/ name=j1 persist
 # jexec j1 /bin/tcsh
 # mkdir /tmp/dev1
 # mount -t devfs devfs /tmp/dev1
 # jail -c allow.mount.devfs=1 allow.mount=1 enforce_statfs=1 path=/ name=j2 persist
 # jexec j2 /bin/tcsh
 # mkdir /tmp/dev2
 # mount -t devfs devfs /tmp/dev2

-- Hiroki
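
Added example, not part of the original message: a preflight check that a build script could run before attempting the devfs mount shown in the reply. It applies the jail(8) rule that allow.mount.devfs takes effect only together with allow.mount and with enforce_statfs below 2. The function names and the --live switch are hypothetical, and the security.jail.* sysctls read by the live variant are assumed to exist on the running FreeBSD release.

```sh
#!/bin/sh
# Added example (not from the original message): decide whether
# "mount -t devfs" can succeed in the current jail before trying it.
# Function names and the --live switch are hypothetical.

# devfs_mount_check JAILED ALLOW_MOUNT ALLOW_DEVFS ENFORCE_STATFS
# Prints one line with the verdict; returns 0 if permitted, 1 if not.
devfs_mount_check() {
    dmc_jailed=$1
    dmc_mount=$2
    dmc_devfs=$3
    dmc_statfs=$4
    if [ "$dmc_jailed" -eq 0 ]; then
        echo "ok: not jailed"
        return 0
    fi
    if [ "$dmc_mount" -ne 1 ]; then
        echo "denied: allow.mount is not set"
        return 1
    fi
    if [ "$dmc_devfs" -ne 1 ]; then
        echo "denied: allow.mount.devfs is not set"
        return 1
    fi
    # jail(8): allow.mount.* only takes effect when enforce_statfs < 2.
    if [ "$dmc_statfs" -ge 2 ]; then
        echo "denied: enforce_statfs=$dmc_statfs, must be 0 or 1"
        return 1
    fi
    echo "ok: devfs mount permitted"
    return 0
}

# Feed the check from the values the kernel reports for this jail.
# Assumes these security.jail.* sysctls exist on the running release.
devfs_mount_check_live() {
    devfs_mount_check \
        "$(sysctl -n security.jail.jailed)" \
        "$(sysctl -n security.jail.mount_allowed)" \
        "$(sysctl -n security.jail.mount_devfs_allowed)" \
        "$(sysctl -n security.jail.enforce_statfs)"
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    devfs_mount_check_live
fi
```

jail(8) also recommends restricting what such a mount exposes by setting the jail's devfs_ruleset parameter rather than leaving the default ruleset.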