stripped jail Installworld /lib/libc.so.7 error

[justauser]

I just upgraded my n4f from 9.1.0.1.847 to 9.2.0.1.972 and I wanted to create a new stripped down jail (utilizing 9.2 base.txz and lib32.txz, my previous stripped down jail was utilizing 9.1). I followed the directions in the howto:jails. Everything went fine (I was able to create, start, and enter a proto jail, I was able to download src, edit src.conf, and successfully "make buildworld") until I reached the command of "proto# make installworld". The installworld command errors with:
“install: rename: /lib/IFX@PYX42 to /lib/libc.so.7: Operation not permitted“

I had successfully built and installed a stripped down jail in 9.1.0.1.847 (the sysctl.conf setting of security.jail.chflags_allowed is still set to 1 after the upgrade to 9.2.0.1.972).

I run a AMD_x64 with 4GB of memory and plenty of hard drive space.

Any ideas on a fix would be gladly appreciated.

[raulfg3]

actually there are 2 ways of manage jails in a easy way, you can use "TheBrig": viewtopic.php?f=79&t=3894
or Finch: viewtopic.php?f=79&t=6260 this last have better support for the user dreamcat4.

My suggest is that delete your actual attemp and start again using finch.

if you do not want to do, you still can avoid error: “install: rename: /lib/IFX@PYX42 to /lib/libc.so.7: Operation not permitted“ doing the operation by hand.

You need to rename a file so use mv command: http://www.cyberciti.biz/faq/unix-command-rename-file/

[justauser]

Thank you for your response. Trying out finch seems like the next step. Does Finch support "stripped jails"? (I don't see any reference to them in Finches documentation.)

I had thought about using mv or cp to do the process manually, but it seems "IFX@PYX42" was a temporary file created by installworld and was not located in /lib.

[raulfg3]

try to PM dreamcat4, is really active, and can solve your questions.

[justauser]

Thanks will do.

[dreamcat4]

Finch looks great but I was wondering would I be able to create a stripped jail using Finch?

Well - the program that Finch provides for you is actually "qjail". And you are free to use any other jails software that is available on FreeBSD systems. You may see a little more info about those other jail systems alternatives in the Finch FAQ.

But to answer your question (in respect to qjail):

Qjail does not provide an option to create stripped jails. Qjail it *does* provide a very simple (but effective) jail templating system, whereby you are free to create "flavors" which are simple overlays applied onto a very small base "template" jail.

Now then. A full Freebsd base image is located in "/usr/jails/sharedfs". This shared filesystem is automatically mounted read-only into all jails. So all of qjail's jails share the same 1 single "sharedfs" folder for the:

* FreeBSD base image
* Ports tree

Your jail's unique files are in a folder "/usr/jails/$jailname". Which is going to be where the shared filesystem ("sharedfs") is mounted to.

This gives many benefits over "stripped jails" and is a more flexible approach. TBH stripped jails are often just a lot of effort for not much reward. So unless you have a specific reason to use stripped jails, then it is by far less headache to just go with the flow here and use the provided mechanism.

In terms of disk space, take for example finch's ssh jail template. It is only 104 kilobytes:

Code: Select all

freenas // root^> cd /usr/jails/flavors/finch-ssh
freenas finch-ssh/ root^> du -sh
104k	.

Of course the template jail folder (83MB) will be duplicated for each jail. But sharedfs folder (1.0GB) will not be, so is effectively, an additional "0 Kb" for every jail you create above 1.

Also the mounting of filesystems looks a little confusing to me.

Sorry about that. Its due to technical restrictions imposed by using chroot, and nullfs on FreeBSD. For reasons of security, performance, and so on. It can't easily be gotten around. Hopefully the info on the website is clear enough. I'm happy to hear any suggestions that can help improve the documentation.

So once I have Finch installed, I would want to change the mount points of my UFS drives to be mounted within finch, which I would be able to change via the N4F webgui.

Yes, correct.

Then I would go into Finch and do a mount_nullfs back out to where the drives were mounted before. And this mount_nullfs would survive restarts?

Yes. The simplest way to do that is add a line (or lines) into finch's fstab file, located at "/path/to/finch/etc/fstab". For example:

Code: Select all

/path/to/finch/mnt/my_ufs_disk1 /mnt/my_ufs_disk1 nullfs rw 0 0

* Where "/path/to/finch" is the path to your finch installation's root directory.
* And "/mnt/my_ufs_disk1" is the path you would otherwise normally have used in nas4free's disk management tab / WebGUI.

[justauser]

Thanks for your thorough response. I had a feeling that is how qjails worked, and it certainly sounds better then a "stripped jail" (at least for my use case).

I will give Finch a try later on tonight, along with implementing the mounting.

Thanks again .

[bennyboy84]

Had the same issue found a fix on a random page, was not related directly to my issue but it worked.

I found when in nas4free

Code: Select all

sysctl security.jail

would show chflags:1
but inside the jail the same command chflags:0 and as such not allowed.

to fix (jid is the jid of your jail listed when

Code: Select all

jls

Code: Select all

jail -m jid=2 allow.chflags=0

then

Code: Select all

jail -m jid=2 allow.chflags=1

and bam my issue was fixed and make installworld finally worked.

I had tried setting in System|Advanced|sysctl.conf
security.jail.chflags_allowed
0
rebooting, confirmed with

Code: Select all

sysctl security.jail

that chflags: 0
then changing back in System|Advanced|sysctl.conf but that did not work.

the link
https://bugs.freebsd.org/bugzilla/show_ ... ?id=174104
dose not fix the issue for the user but did for me. Also the link has a extra step of logging into the jail but i had just ran both commands after each other then logged into the jail

[dong_lin2000]

thanks, it really worked for my issue.

Had the same issue found a fix on a random page, was not related directly to my issue but it worked.

I found when in nas4free

Code: Select all

sysctl security.jail

would show chflags:1
but inside the jail the same command chflags:0 and as such not allowed.

to fix (jid is the jid of your jail listed when

Code: Select all

jls

Code: Select all

jail -m jid=2 allow.chflags=0

then

Code: Select all

jail -m jid=2 allow.chflags=1

and bam my issue was fixed and make installworld finally worked.

I had tried setting in System|Advanced|sysctl.conf
security.jail.chflags_allowed
0
rebooting, confirmed with

Code: Select all

sysctl security.jail

that chflags: 0
then changing back in System|Advanced|sysctl.conf but that did not work.

the link
https://bugs.freebsd.org/bugzilla/show_ ... ?id=174104
dose not fix the issue for the user but did for me. Also the link has a extra step of logging into the jail but i had just ran both commands after each other then logged into the jail