Date:      Sat, 20 Aug 2011 10:46:14 -0700
From:      "Jason Helfman" <jhelfman@e-e.com>
To:        "Glen Barber" <gjb@FreeBSD.org>
Cc:        Kostik Belousov <kostikbel@gmail.com>, ports@freebsd.org
Subject:   Re: [Request for Comments] Adding a JAILED meta-variable to bsd.port.mk
Message-ID:  <91b826baee57a450a519fee1c7032a5c.squirrel@mail.experts-exchange.com>
In-Reply-To: <4E4FBA13.4050009@FreeBSD.org>
References:  <4E4F95FD.907@FreeBSD.org> <20110820115203.GH17489@deviant.kiev.zoral.com.ua> <4E4FA589.7070303@FreeBSD.org> <20110820124443.GJ17489@deviant.kiev.zoral.com.ua> <4E4FBA13.4050009@FreeBSD.org>

> On 8/20/11 8:44 AM, Kostik Belousov wrote:
>>> One thing I can think of off-hand to fix this in that case is setting a
>>> local environment variable to disable a check for security.jail.jailed.
>>>  Would this be an ok solution for those cases?  If not, I happily agree
>>> that this change should not be made then.
>>>
>>> I have an updated patch to bsd.port.mk that looks for a local
>>> environment variable, PKGJAIL - if it is set, then JAILED is unset.
>>> Would this be acceptable?
>> The change would require user to do a configuration for a thing that
>> previously just worked. What is the point ?
>>
>
> I suppose the specific problem I am trying to solve is a case where a
> user builds a port within a jail with the expectation that the port will
> in fact run within the jail with little or no changes.  Perhaps
> security/sshguard-pf and databases/postgresql*-server are not the most
> ideal examples of where this would be relevant.
>
> I agree that a configuration change for something that worked before is
> not the best solution.  So, I retract this change proposal.
>
> Again, thank you for the feedback and pointing out that this would have
> had negative impact on those using jails for package building.
>
> Regards,
>
> Glen
>
I, myself, have not installed or built enough packages in jails to find
this issue, however I am using tinderbox for maintaining my ports,
submitting ports, or patches, as well as maintaining a local ports tree.

In doing this, and maintaining our operational environment, I am finding
many conditions where you may want to do one thing or another, and the
possibilities I have found can be endless, so it could be argued to not
introduce global functionality for the X number of ports/packages that
need it, however to code the port to be aware of these conditions in the
packaging scripts.

For example, you could test for values of sysctl, or another condition.
Based on the result, perform X action. Although, I haven't done this
specifically for a jail, I don't see why the same practice couldn't be
exercised.

These, I believe, can all be taken advantage of in subsequent pkg-*
files.

Just a thought.

Thanks,
Jason
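
The approach suggested in the message above (test a sysctl in the packaging script and act on the result), shown as an added example that is not part of the original e-mail or of any real port: a pkg-install sketch that reads security.jail.jailed. The action names, the SYSCTL override and the printed messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pkg-install sketch, not taken from any real port.
# pkg-install is invoked as: pkg-install <pkgname> <PRE-INSTALL|POST-INSTALL>

# SYSCTL can be overridden so the logic can be exercised off FreeBSD
# (an assumption of this example, not a ports-framework variable).
: "${SYSCTL:=/sbin/sysctl}"

# Print "jailed", "host" or "unknown" based on security.jail.jailed.
jail_state() {
    val=$("$SYSCTL" -n security.jail.jailed 2>/dev/null) || { echo unknown; return 0; }
    case "$val" in
        1) echo jailed ;;
        0) echo host ;;
        *) echo unknown ;;
    esac
}

# Choose the post-install behaviour (hypothetical action names).
post_install_action() {
    case "$(jail_state)" in
        jailed) echo "skip-host-setup" ;;
        # host or unknown: keep the behaviour that worked before
        *)      echo "full-setup" ;;
    esac
}

pkg_install_main() {
    pkgname=$1 stage=$2
    # Only the POST-INSTALL stage does anything in this sketch.
    [ "$stage" = "POST-INSTALL" ] || return 0
    case "$(post_install_action)" in
        skip-host-setup)
            echo "${pkgname}: running in a jail; skipping steps that need host privileges." ;;
        full-setup)
            echo "${pkgname}: performing full post-install setup." ;;
    esac
}

# Dispatch only when called with arguments, as the ports framework does.
[ $# -eq 0 ] || pkg_install_main "$@"
```

Because the decision lives in the port's own script, building packages inside a jail for use elsewhere needs no extra configuration; an unreadable sysctl falls back to the full setup path.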