Integrate FreeBSD jail builds into package path
This commit is contained in:
@@ -1754,3 +1754,40 @@ Current assessment:
|
||||
|
||||
- Phase 6.1 is now satisfied on the current FreeBSD prototype track
|
||||
- the next step is to move the already validated jail/build-user model into this live package-build path rather than keeping it prototype-only
|
||||
|
||||
## 2026-04-01 — Phase 6.2 completed: jail/build-user isolation integrated into the real package path
|
||||
|
||||
Completed work:
|
||||
|
||||
- added a reusable UID/GID drop helper source:
|
||||
- `tests/daemon/freebsd-drop-exec.c`
|
||||
- added a runnable jail-integrated package harness:
|
||||
- `tests/guix/run-phase6-jail-package-build.sh`
|
||||
- wrote the Phase 6.2 report:
|
||||
- `docs/reports/phase6-jail-build-integration-freebsd.md`
|
||||
- ran the jail-integrated harness successfully and captured metadata under:
|
||||
- `/tmp/phase6-jail-package-metadata.txt`
|
||||
|
||||
Important findings:
|
||||
|
||||
- a real package build derived from Guix's `hello` definition now runs through the live daemon path inside a FreeBSD jail rather than only through the earlier prototype scripts
|
||||
- the actual build work inside the jail runs as dropped credentials:
|
||||
- UID `35001`
|
||||
- GID `35001`
|
||||
- the integrated build path required one additional FreeBSD-specific adjustment beyond the earlier prototype:
|
||||
- the daemon-side host `TMPDIR` path was not automatically valid inside the jail, so the jailed build environment must reset `TMPDIR=/tmp`
|
||||
- observed metadata confirmed:
|
||||
- `drv_path=/frx/store/...-hello-2.12.3.drv`
|
||||
- `out_path=/frx/store/...-hello-2.12.3`
|
||||
- `runtime_output=Hello, world!`
|
||||
- `build_uid=35001`
|
||||
- `build_gid=35001`
|
||||
- `jail_hostname=fruix-phase6-hello-...`
|
||||
- `build_mode=freebsd-jail`
|
||||
- `source_store_path=/frx/store/...-hello-2.12.3.tar.gz`
|
||||
- the GNU Hello test suite also passed inside the jail-integrated build path
|
||||
|
||||
Current assessment:
|
||||
|
||||
- Phase 6.2 is now satisfied on the current FreeBSD prototype track
|
||||
- the next step is to validate a minimal user-facing profile installation flow on top of these real store outputs
|
||||
|
||||
72
docs/reports/phase6-jail-build-integration-freebsd.md
Normal file
72
docs/reports/phase6-jail-build-integration-freebsd.md
Normal file
@@ -0,0 +1,72 @@
|
||||
# Phase 6.2: FreeBSD jail and build-user isolation integrated into the live build path
|
||||
|
||||
Date: 2026-04-01
|
||||
|
||||
## Summary
|
||||
|
||||
This step takes the earlier FreeBSD jail and privilege-drop prototypes and moves them into a real package build submitted through the live Fruix/Guix daemon path.
|
||||
|
||||
Added files:
|
||||
|
||||
- `tests/daemon/freebsd-drop-exec.c`
|
||||
- `tests/guix/run-phase6-jail-package-build.sh`
|
||||
|
||||
## Validation command
|
||||
|
||||
Run command:
|
||||
|
||||
```sh
|
||||
METADATA_OUT=/tmp/phase6-jail-package-metadata.txt \
|
||||
./tests/guix/run-phase6-jail-package-build.sh
|
||||
```
|
||||
|
||||
## What the harness does
|
||||
|
||||
The harness:
|
||||
|
||||
1. reuses the patched Phase 5 checkout/runtime setup
|
||||
2. fetches GNU Hello `2.12.3` and verifies the expected SHA256
|
||||
3. starts the patched daemon on a temporary Unix socket
|
||||
4. generates a package file that inherits from Guix's real `hello` package definition
|
||||
5. lowers that package through a FreeBSD-specific build system whose builder:
|
||||
- compiles `freebsd-drop-exec`
|
||||
- creates a thin jail root
|
||||
- mounts a minimal host tool view with explicit `nullfs` mounts
|
||||
- mounts the source tarball read-only
|
||||
- mounts per-build writable work/output areas
|
||||
- enters the jail
|
||||
- drops to UID/GID `35001:35001`
|
||||
- runs the GNU Hello configure/build/check/install sequence inside the jail
|
||||
6. copies the staged result back to the real `/frx/store` output path
|
||||
7. validates runtime output, jail metadata, and preserved source references
|
||||
|
||||
## Observed results
|
||||
|
||||
Observed metadata included:
|
||||
|
||||
- `drv_path=/frx/store/...-hello-2.12.3.drv`
|
||||
- `out_path=/frx/store/...-hello-2.12.3`
|
||||
- `runtime_output=Hello, world!`
|
||||
- `build_uid=35001`
|
||||
- `build_gid=35001`
|
||||
- `jail_hostname=fruix-phase6-hello-...`
|
||||
- `build_mode=freebsd-jail`
|
||||
- `source_store_path=/frx/store/...-hello-2.12.3.tar.gz`
|
||||
|
||||
The GNU Hello test suite also passed inside the jail build path.
|
||||
|
||||
## Important findings
|
||||
|
||||
- this is no longer a separate subsystem prototype; a real package build submitted through the daemon now executes under FreeBSD jail isolation with dropped build credentials
|
||||
- the daemon's host `TMPDIR` path was not automatically meaningful inside the jail, so the integrated build path had to reset `TMPDIR=/tmp` inside the jailed builder environment
|
||||
- a small helper binary was still needed to perform the post-`jexec` UID/GID drop reliably using numeric build identities on FreeBSD
|
||||
- the output preserved a direct reference to the source tarball store item, so the integrated jail path still maintains the store-reference expectations established in Phase 6.1
|
||||
|
||||
## Conclusion
|
||||
|
||||
Phase 6.2 is satisfied on the current FreeBSD prototype track:
|
||||
|
||||
- a real Fruix/Guix package build now runs inside a FreeBSD jail
|
||||
- the actual build work executes as a dropped numeric build user (`35001:35001`)
|
||||
- the build succeeds into `/frx/store`
|
||||
- the previously separate jail/build-user validation work is now connected to the live package-build path
|
||||
Reference in New Issue
Block a user