Install package inside jail vs install package from outside

Hi,

I'm experimenting with jails and I can see two ways of installing packages (using the pkg command).
For example, to install vim:

either log into the jail and run

# pkg install vim

or, from the host

# pkg -j myjail install vim

I can see the benefit of the first way (from inside the jail): I can write one deployment script, and don't worry about whether someone runs it on a physical host or inside a jail. The command is the same.

So what's the use of the second way?
 
That's it? I was worried that packages installed from the host could not be upgraded from inside the jail, or similar problems.
 
The packages are the same. The difference is that administrators do not have to log in to each jail to do it. That feature got applause when it was first described at BSDCan.
 

wblock@

Is there a way to install packages inside a jail using packages from the main host's repository?
I'm using poudriere, and for every new jail (UFS filesystem) I need to change /usr/local/etc/pkg/repos/ to point to my repository URL location.
It's not a difficult job obviously, but if I could install the packages directly from the main host's repository to the jail, without entering the jail, it would be interesting.
 
Being able to work on jails as an admin on the host system.
Exactly.

What I do is update my jail as a chroot. The jail itself doesn't have write privileges to the underlying directory tree. Some mountpoints are mounted read-only while others are layered underneath unionfs. The jail itself is just a read-only consumer of the layer beneath it. The layer underneath -- call it the source of truth for the jail -- is then updated as a chroot.

The rationale for this is should the jail become compromised the damage is limited to the unionfs layers on top of the "source of truth" and any data directories directly in the jail.

As to how I update it, I have an installworld script that installs world on the host itself, then the jails. WRT packages, they are built using poudriere. The update itself is done using the pkgng ansible module. A snippet of my pkg upgrade ansible is below:

Code:
### /jails/template

    - name: Check for existence of jail template /sbin/init
      stat:
        path: /jails/template/root/sbin/init
      register: stat_result

    - name: Upgrade all packages in jail template
      pkgng:
        chroot: /jails/template/root
        name: "*"
        ignore_osver: true
        autoremove: false
        state: latest
      when: stat_result.stat.exists

The ansible playbook updates all my machines at once; each machine has an amd64 partition and an i386 partition, except for the exterior gateway, which has two amd64 partitions and a jail template.

Now the reason for calling the stat module is that this same playbook is run on all my machines but only one has /jails/template/root. The jail will mount /jails/template/root as /jails/external/root via read-only nullfs and with its own /etc plus bits and pieces of /var and its own data mounted using r/w nullfs on top of that. This allows the jail template update to happen on that machine and not others (because there is no jail template on the others).

The template itself could conceivably be used as a basis for multiple jails. For example, different nginx jail instances. Minimizing the number of copies of the same software on the same machine. When the jail template is updated, all the jails are updated simultaneously.
 
Using pkg from the host is not the same as using it inside the jail. The former uses the host's packaging tools, and the latter uses the jail's packaging tools. In theory this could be problematic if you are running an older version of FreeBSD on the jail, but in most cases probably not. By this I mean that if you are running an older version of FreeBSD on a jail, do not use the pkg of the host (pkg -j jail); use the pkg of the jail instead.

Another difference you may want to be aware of is that using pkg inside the jail involves bootstrapping it for each new jail. This can be problematic if you don't want to do that.

I think under normal circumstances, you have no problems, but don't combine those approaches, stick with one of them.
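The rule in the last two replies (manage a jail's packages from the host only when host and jail run the same FreeBSD ABI, otherwise use the jail's own pkg, and never mix the two) can be scripted. This is an added example, not code from the thread; it assumes `pkg config ABI` prints a string such as `FreeBSD:14:amd64` and that `pkg -j <jail> config ABI` reports the ABI of the jail's root rather than the host's.

```shell
#!/bin/sh
# Added example: choose, per running jail, whether to upgrade packages
# from the host (`pkg -j`) or from inside the jail (`jexec <jail> pkg`).
# Assumption: `pkg config ABI` on the host and `pkg -j <jail> config ABI`
# each print the ABI of the root they operate on, e.g. "FreeBSD:14:amd64".

# same_abi HOST_ABI JAIL_ABI -> exit status 0 when the two ABIs match
same_abi() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# pkg_target JAIL HOST_ABI JAIL_ABI -> prints the pkg invocation to use.
# Matching ABI: the host's pkg may operate on the jail with -j.
# Different ABI (e.g. an older release in the jail): stay inside the
# jail and use its own bootstrapped pkg, as the replies above advise.
pkg_target() {
    if same_abi "$2" "$3"; then
        printf 'pkg -j %s' "$1"
    else
        printf 'jexec %s pkg' "$1"
    fi
}

# upgrade_jails: walk every running jail (from `jls name`), pick the
# tool with pkg_target, and run a non-interactive upgrade with it.
upgrade_jails() {
    host_abi=$(pkg config ABI) || return 1
    for j in $(jls name); do
        jail_abi=$(pkg -j "$j" config ABI 2>/dev/null) || {
            echo "$j: cannot read ABI, skipping" >&2
            continue
        }
        cmd=$(pkg_target "$j" "$host_abi" "$jail_abi")
        echo "$j: host=$host_abi jail=$jail_abi -> $cmd upgrade -y"
        $cmd upgrade -y
    done
}
```

Call `upgrade_jails` from a host cron job or a deploy script; jails must be running, since both `pkg -j` and `jexec` attach to a live jail.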