From owner-freebsd-current@FreeBSD.ORG Tue Jul 9 13:41:12 2013
From: Julian Elischer
Date: Tue, 09 Jul 2013 21:41:01 +0800
To: Hiroki Sato
Cc: current@freebsd.org, jamie@freebsd.org
Subject: Re: chroots/jails in jails
Message-ID: <51DC12ED.1050105@freebsd.org>
References: <51DC0054.2040703@freebsd.org> <20130709.214228.1702026470722804811.hrs@allbsd.org>
In-Reply-To: <20130709.214228.1702026470722804811.hrs@allbsd.org>
List-Id: Discussions about the use of FreeBSD-current

On 7/9/13 8:42 PM, Hiroki Sato wrote:
> Julian Elischer wrote
> in <51DC0054.2040703@freebsd.org>:

it occurs to me that the machine on which the jail is on is running 8.0 and maybe this was fixed since.. I guess I should have checked that first.
>
> ju> I'm making a build system for a project which creates a chroot in
> ju> which to do some of the building to avoid base-system contamination
> ju> (yeah I know lots of people do that).
> ju> the trick is that my test system is itself a jail.
> ju> So I can not mount /dev in the chroot.
> ju>
> ju> I can not predict where a build will occur so I can not pre-mount the
> ju> devfs from outside the jail. (users may fire off builds in different
> ju> locations)
> ju>
> ju> Does anyone have any solution to this problem?
> ju>
> ju> We have hierarchical jails, but no way of allowing the parent jail to
> ju> give the child jail a devfs.
> ju>
> ju> Has anyone looked at what it would take to make devfs "jail friendly"?
> ju>
> ju> I'm guessing that the jail would have to get some devfs-rule parameter
> ju> and that mount_devfs or its in-kernel parts would have to know what
> ju> to do..
> ju>
> ju> seems like there should be someone out there who has hit this.. (and
> ju> solved it?)
>
> Allowing devfs mounts inside hierarchical jails should work like
> the following:
>
> # jail -c allow.mount.devfs=1 allow.mount=1 enforce_statfs=1 children.max=10 path=/ name=j1 persist
> # jexec j1 /bin/tcsh
> # mkdir /tmp/dev1
> # mount -t devfs devfs /tmp/dev1
> # jail -c allow.mount.devfs=1 allow.mount=1 enforce_statfs=1 path=/ name=j2 persist
> # jexec j2 /bin/tcsh
> # mkdir /tmp/dev2
> # mount -t devfs devfs /tmp/dev2
>
> -- Hiroki
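An added example for the build-system case Julian describes, written for this archive page and not code from either poster: a POSIX sh helper that, run as root inside the jail, first reads the jail's own parameters from the security.jail.* sysctls (allow.mount and allow.mount.devfs must be 1 and enforce_statfs below 2, which is what Hiroki's jail -c line sets), then mounts devfs into the chroot and immediately applies the devfsrules_jail ruleset (number 4 in the stock /etc/defaults/devfs.rules) so the chroot does not see the full device tree. The chroot layout ($dir/dev) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes FreeBSD with
# hierarchical jails and the stock /etc/defaults/devfs.rules.

# Return 0 when a jail's parameters permit mounting devfs inside it.
# $1 = allow.mount, $2 = allow.mount.devfs, $3 = enforce_statfs.
# jail(8): allow.mount only takes effect when enforce_statfs is below 2.
devfs_mount_allowed() {
    [ "$1" = "1" ] && [ "$2" = "1" ] && [ "$3" -lt 2 ] 2>/dev/null
}

# Check the parameters of the jail we are currently running in by
# reading the per-jail security.jail.* sysctls. Outside a jail those
# sysctls describe defaults for new jails, so skip the check there.
current_jail_allows_devfs() {
    [ "$(sysctl -n security.jail.jailed)" = "1" ] || return 0
    devfs_mount_allowed "$(sysctl -n security.jail.mount_allowed)" \
                        "$(sysctl -n security.jail.mount_devfs_allowed)" \
                        "$(sysctl -n security.jail.enforce_statfs)"
}

# Mount a devfs at $1/dev for a build chroot and restrict it to the
# devfsrules_jail ruleset (ruleset 4 in /etc/defaults/devfs.rules),
# so the chroot only sees the limited set of nodes a jail gets.
mount_build_devfs() {
    chroot_dir="$1"
    current_jail_allows_devfs || {
        echo "this jail does not permit devfs mounts; the parent must set" \
             "allow.mount=1 allow.mount.devfs=1 enforce_statfs=1" >&2
        return 1
    }
    mkdir -p "$chroot_dir/dev" || return 1
    mount -t devfs devfs "$chroot_dir/dev" || return 1
    if ! devfs -m "$chroot_dir/dev" rule -s 4 applyset; then
        umount "$chroot_dir/dev"   # never leave an unrestricted devfs behind
        return 1
    fi
}

# Tear the devfs down again once the build is finished.
umount_build_devfs() {
    umount "$1/dev"
}
```

A build driver would call mount_build_devfs on each chroot it creates and umount_build_devfs afterwards; the surrounding jail has to have been created with the parameters from Hiroki's example for the check to pass.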