jails Error while creating base template skeleton for thin jails according to the Handbook

I'm following the excellent handbook's chapter on creating jails (“Chapter 17. Jails and Containers”), and in particular §17.5.2 “Creating a Thin Jail Using NullFS”. I'm following the instructions almost verbatim, except that I'm creating a 14.1-RELEASE template rather than a 13.2-RELEASE template. But moving files from the downloaded userland to the skeleton results in an error:

Code:
    # mv /usr/local/jails/templates/14.1-RELEASE-base/var /usr/local/jails/templates/14.1-RELEASE-skeleton/var

    mv: /usr/local/jails/templates/14.1-RELEASE-base/var/empty: Operation not permitted
    mv: /usr/local/jails/templates/14.1-RELEASE-base/var: Directory not empty
    mv: /bin/rm /usr/local/jails/templates/14.1-RELEASE-base/var: terminated with 1 (non-zero) status

Perhaps, the handbook needs to be updated? And what's the best way to fix the error?
 
This is a well-known security feature called "file flags".
FreeBSD's base system has a few files and directories protected by the schg flag.
You need to remove the "schg" flag from any system directory that you are going to move or delete.
chflags -Rvx noschg /usr/local/jails/templates/14.1-RELEASE-base/var
See the manual page: chflags(1)

p.s.
If you are new to jails, then try to use a "Classic Jail (Thick Jail)" first.
In general, you may not need "thin jails" until you need to support 10+ similar jails on a single host.
 
Ok, the question is: should that flag (and uarch) be restored in the jail's skeleton? Currently, what I'm doing is this:

chflags 0 /usr/local/jails/templates/${TEMPLATE}-base/var/empty
mv /usr/local/jails/templates/${TEMPLATE}-base/var /usr/local/jails/templates/${TEMPLATE}-skeleton/var
chflags schg,uarch /usr/local/jails/templates/${TEMPLATE}-skeleton/var/empty


I think that the handbook should explain how to deal with chflags when creating the jail's skeleton. Maybe, just removing all schg flags as you suggest has no implications, but as a newbie handbook reader I may not know.

As an aside, I have another couple of minor remarks, in case some handbook's editor is reading: the handbook suggests to update the base template “to the latest patch level” with:

freebsd-update -b /usr/local/jails/templates/13.2-RELEASE-base/ fetch install

But that would upgrade to the host release if that's more recent. I'm not sure whether that is intended: personally, what I want when I install a template for a given release is to stay with that release. That is, the update command should be:

freebsd-update -b /usr/local/jails/templates/13.2-RELEASE-base/ --currently-running 13.2-RELEASE fetch install

The other nitpick is that §17.2.2 mentions this advantage of thin jails:

Since thin jails share the majority of their base system with the host system, updates and maintenance of common base system components (such as libraries and binaries) only need to be done once on the host.
That is true for NullFS jails, but not for thin jails created with ZFS snapshots as explained in §17.5.1. But §17.2.2 does not make such distinction.

Other than that, excellent documentation!
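The flag-preserving move described above and the release-pinned freebsd-update command, as an added example script that is not from the thread or the Handbook. It records every file flag below the directory being moved, clears only schg so mv can remove the source, moves the directory, and then re-applies the recorded flags to the moved copies (so var/empty gets schg and uarch back without having to list them by hand). It assumes FreeBSD's stat(1) prints the symbolic flag list for `%Sf` (or "-" when no flag is set) and a tab for `%t`; the helper names (`record_flags`, `rewrite_flag_records`, `apply_flag_records`, `move_preserving_flags`, `update_template_cmd`) are this example's own. Note that schg can only be cleared while kern.securelevel is 0 or lower, so it has to run on a host that has not raised its securelevel.

```shell
#!/bin/sh
# Added example (not the thread's or the Handbook's code): move a base-template
# directory into the thin-jail skeleton while keeping its file flags.
# Assumption: FreeBSD stat(1) '%Sf' = symbolic flags ("-" if none), '%t' = tab.
# schg can only be cleared at kern.securelevel <= 0.
set -eu

TAB=$(printf '\t')

# record_flags DIR: print "flags<TAB>path" for every entry below DIR.
record_flags() {
    find "$1" -exec stat -f '%Sf%t%N' {} +
}

# rewrite_flag_records BASE SKEL: filter records on stdin, dropping entries with
# no flags ("-") and rewriting the BASE prefix of each path to SKEL so the
# records describe the moved copies. Pure text processing; runs anywhere.
rewrite_flag_records() {
    awk -F '\t' -v base="$1" -v skel="$2" '
        NF >= 2 && $1 != "-" {
            path = $2
            if (index(path, base) == 1) path = skel substr(path, length(base) + 1)
            printf "%s\t%s\n", $1, path
        }'
}

# apply_flag_records: read rewritten records from stdin and set each flag list.
# Tab-delimited, so paths containing spaces survive.
apply_flag_records() {
    while IFS="$TAB" read -r flags path; do
        chflags "$flags" "$path"
    done
}

# move_preserving_flags BASE SKEL SUBDIR: move BASE/SUBDIR to SKEL/SUBDIR.
# Works whether mv renames in place or falls back to copy+remove: schg is the
# only flag cleared beforehand, and everything recorded is restored afterwards.
move_preserving_flags() {
    base=$1 skel=$2 sub=$3
    records=$(mktemp)
    record_flags "$base/$sub" > "$records"
    chflags -R noschg "$base/$sub"        # otherwise mv cannot remove var/empty
    mv "$base/$sub" "$skel/$sub"
    rewrite_flag_records "$base" "$skel" < "$records" | apply_flag_records
    rm -f "$records"
}

# update_template_cmd TEMPLATE: the freebsd-update invocation pinned to the
# template's own release instead of the host's.
update_template_cmd() {
    printf 'freebsd-update -b /usr/local/jails/templates/%s-base/ --currently-running %s fetch install\n' "$1" "$1"
}

# Usage: sh thinjail-move.sh run 14.1-RELEASE var [more subdirs...]
if [ "${1:-}" = "run" ]; then
    TEMPLATE=${2:-14.1-RELEASE}
    BASE=/usr/local/jails/templates/$TEMPLATE-base
    SKEL=/usr/local/jails/templates/$TEMPLATE-skeleton
    shift 2
    for d in "${@:-var}"; do
        mkdir -p "$SKEL/$(dirname "$d")"
        move_preserving_flags "$BASE" "$SKEL" "$d"
    done
    update_template_cmd "$TEMPLATE"       # printed, not executed: review it first
fi
```

The record-then-restore approach removes the need to know in advance which entries carry schg or uarch, and the rewritten record list can be kept alongside the skeleton as documentation of what the template's flags were.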
 
It may be a good idea to restore the flags on the affected files/directories.
But I had a few systems where I skipped restoring the flags after copying/moving the OS to other hardware, and it did not affect any runtime use case.

The Handbook is not a "step-by-step" manual; it may not fully cover some OS features and may assume some user experience, especially for not-so-simple things like "thin jails".
 