Tinderbox, inside a jail issue
Joe Marcus Clarke
marcus at marcuscom.com
Sat Apr 17 04:12:47 EDT 2010
On Mon, 2010-04-12 at 19:26 -0300, Chris Bowlby wrote:
> Some additional information, it appears that NFS's functionality inside
> a jail is iffy at best, and that nullfs is the way to go. I already use
> nullfs extensively on my system, but each time I try to load a build
> with nullfs enabled I get the following error:
>
> tinderbox# ./tc tinderbuild -b 8.0-FreeBSD -nullfs
> databases/postgresql84-server
> tinderbuild: creating makefile...
> tinderbuild: Creating build directory for 8.0-FreeBSD
> 8.0-FreeBSD: cleaning out /usr/local/tinderbox/builds/8.0-FreeBSD
> makeBuild: extracting jail tarball
> tinderbuild: Finalizing chroot environment
> mount_nullfs: Operation not permitted
> tinderbuild: cannot mount ports source
> tinderbuild: Cleaning up after tinderbuild. Please be patient.
>
> my sysctl configs are:
>
> security.jail.enforce_statfs=2 (I have tried 0, 1 and 2)
> security.jail.mount_allowed=1
> security.jail.chflags_allowed=1
>
> keeping in mind, tinderbox in its entirety is completely isolated in a
> jail of its own.
You may want to search the archives, as I think this has come up before,
and it was determined that nullfs wasn't blessed inside a jail. I'm not
sure if anyone is currently hosting TB inside a jail, but this isn't
something I've done myself. Why is NFS iffy?
Joe
>
> On 4/12/2010 5:44 PM, Chris Bowlby wrote:
> > Hi Everyone,
> >
> > I've managed to get the tinder jails built, and that process seems
> > fairly straightforward, the last bit is actually executing a build.
> > There are two ways from what I can see, nullfs or NFS. Both of which
> > seem to fail, one is due to a patch for the kernel requirement, not
> > sure I want to do that to be totally honest, the other is because NFS
> > itself is failing to start properly and I keep getting:
> >
> > [tcp] localhost://usr/local/tinderbox/portstrees/FreeBSD/ports:
> > RPCPROG_NFS: RPC: Program not registered
> > [tcp6] localhost://usr/local/tinderbox/portstrees/FreeBSD/ports:
> > RPCPROG_NFS: RPC: Remote system error - Protocol not supported
> >
> > I do have all the NFS elements enabled as per the README:
> >
> > nfs_client_enable="YES"
> > nfs_server_flags="-u -t -n 20"
> > rpcbind_enable="YES"
> > nfs_server_enable="YES"
> > nfs_reserved_port_only="YES"
> >
> > other than an IPV6 related error when restarting RPCBind, and an NFS
> > error via nfsclient:
> >
> > NFS access cache time=60
> > sysctl: vfs.nfs.access_cache_timeout: Operation not permitted
> > /etc/rc.d/nfsclient: WARNING: failed to set access cache timeout
> >
> > I see no errors. I cannot find anything online to address that latter
> > issue, however... anyone have any pointers?
> >
> >
> > On 4/11/2010 6:14 PM, Chris Bowlby wrote:
> >> Hi Joe,
> >>
> >> Thanks, that seems to have done the trick to getting the jail built,
> >> now I can look into the next few steps.
> >>
> >> On 04/11/2010 01:52 PM, Joe Marcus Clarke wrote:
> >>> On Sun, 2010-04-11 at 12:34 -0300, Chris Bowlby wrote:
> >>>
> >>>> Hi Guys,
> >>>>
> >>>> Based on what I've been reading on the web, it is possible to get
> >>>> tinderbox working within a jail, and as such wanted to play around
> >>>> with such a configuration to see if I could get it to work. I've
> >>>> configured a FreeBSD 8.0-RELEASE host system with an 8.0-RELEASE jail,
> >>>> both off the most recent CSUP'd source. I have all of the dependencies
> >>>> configured - apache22, PHP5, PostgreSQL 8.4, DBD-Pg, etc. as well as
> >>>> tinderbox itself right from /usr/ports/ports-mgmt/tinderbox.
> >>>>
> >>>> I did notice, however, that even before I've selected the "options" of
> >>>> what database I wanted in place, etc via the selections menu, the port
> >>>> package installed MySQL based elements, regardless of the fact that I
> >>>> was not going to be using them. But that's not my issue here.
> >>>>
> >>>> The issue is with the OS source itself from what I can tell, based on
> >>>> previous research I created an src.conf file in /etc (inside the
> >>>> jail), and added:
> >>>>
> >>>> NO_FSCHG=yes
> >>>>
> >>>> to the contents, as well as added:
> >>>>
> >>>> security.jail.enforce_statfs=0
> >>>> security.jail.mount_allowed=1
> >>>>
> >>>> to /etc/sysctl.conf on the host machine, and applied the changes. I
> >>>> then restarted the jail and executed the following command:
> >>>>
> >>>> tinderbox# ./tc createJail -j 8.0-FreeBSD -d "FreeBSD 8.0-RELEASE" -t
> >>>> RELENG_8_0_0_RELEASE -u CSUP
> >>>> 8.0-FreeBSD: initializing tree
> >>>> 8.0-FreeBSD: creating top-level directory
> >>>> 8.0-FreeBSD: adding to datastore... done.
> >>>> 8.0-FreeBSD: initializing new jail...
> >>>> 8.0-FreeBSD: updating jail with CSUP
> >>>> 8.0-FreeBSD: cleaning out /usr/local/tinderbox/jails/8.0-FreeBSD/obj
> >>>> 8.0-FreeBSD: cleaning out /usr/local/tinderbox/jails/8.0-FreeBSD/tmp
> >>>> 8.0-FreeBSD: making world
> >>>> ERROR: world failed - see
> >>>> /usr/local/tinderbox/jails/8.0-FreeBSD/world.tmp
> >>>> Cleaning up after Jail creation. Please be patient.
> >>>>
> >>>> Despite the NO_FSCHG set, I get this in world.tmp:
> >>>>
> >>>> ===> lib/libc (install)
> >>>> install -C -o root -g wheel -m 444 libc.a
> >>>> /usr/local/tinderbox/jails/8.0-FreeBSD/tmp/usr/lib
> >>>> install -C -o root -g wheel -m 444 libc_p.a
> >>>> /usr/local/tinderbox/jails/8.0-FreeBSD/tmp/usr/lib
> >>>> install -s -o root -g wheel -m 444 -fschg -S libc.so.7
> >>>> /usr/local/tinderbox/jails/8.0-FreeBSD/tmp/lib
> >>>> install: /usr/local/tinderbox/jails/8.0-FreeBSD/tmp/lib/libc.so.7:
> >>>> chflags: Operation not permitted
> >>>>
> >>>> Have I got something misconfigured, or is there something that I
> >>>> missed? If there's any additional details needed, just let me know and
> >>>> I'll do my best to answer accordingly.
> >>>>
> >>> Add this to the host:
> >>>
> >>> security.jail.chflags_allowed=1
> >>>
> >>> Joe
> >>>
> >>>
> >> _______________________________________________
> >> tinderbox-list at marcuscom.com mailing list
> >> http://marcuscom.com/mailman/listinfo/tinderbox-list
> >> To unsubscribe, send any mail to
> >> "tinderbox-list-unsubscribe at marcuscom.com"
--
PGP Key : http://www.marcuscom.com/pgp.asc
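
The security.jail.* sysctls set in this thread are applied on the host and each one widens what root inside a jail may do. As an added example (not part of the original messages and not Tinderbox code), the sh function below reports which of them differ from the FreeBSD defaults; the function names are hypothetical, the baseline (enforce_statfs=2, mount_allowed=0, chflags_allowed=0) is this example's assumption, and the sample input is constructed from the values quoted in the second message.

```sh
#!/bin/sh
# Added example: flag security.jail.* settings that differ from the FreeBSD
# defaults. Reads "name=value" (sysctl.conf) or "name: value" (sysctl output).

audit_jail_sysctls() {
    awk '
    BEGIN {
        # Baseline = FreeBSD defaults (assumption of this example).
        order[1] = "security.jail.enforce_statfs";  def[order[1]] = 2
        order[2] = "security.jail.mount_allowed";   def[order[2]] = 0
        order[3] = "security.jail.chflags_allowed"; def[order[3]] = 0
    }
    {
        sub(/#.*/, "")                    # drop trailing comments
        gsub(/^[ \t]+|[ \t]+$/, "")       # trim surrounding whitespace
        n = split($0, kv, /[ \t]*[:=][ \t]*/)
        if (n != 2 || !(kv[1] in def)) next
        if (kv[2] !~ /^[0-9]+$/) next     # ignore malformed values
        seen[kv[1]] = kv[2]               # a later line overrides an earlier one
    }
    END {
        # Report in a fixed order; settings that were never set are skipped.
        for (i = 1; i <= 3; i++) {
            k = order[i]
            if ((k in seen) && (seen[k] + 0) != def[k])
                printf "RELAXED %s=%s (default %d)\n", k, seen[k], def[k]
        }
    }'
}

# Constructed sample: the values quoted in the thread's second message.
sample_config() {
    cat <<'EOF'
security.jail.enforce_statfs=2
security.jail.mount_allowed=1
security.jail.chflags_allowed=1
EOF
}

sample_config | audit_jail_sysctls
```

On a FreeBSD host, `sysctl security.jail | audit_jail_sysctls` runs the same check against the live values.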