fruix/docs/reports/phase6-jail-build-integration-freebsd.md

Phase 6.2: FreeBSD jail and build-user isolation integrated into the live build path

Date: 2026-04-01

Summary

This step takes the earlier FreeBSD jail and privilege-drop prototypes and moves them into a real package build submitted through the live Fruix/Guix daemon path.

Added files:

  • tests/daemon/freebsd-drop-exec.c
  • tests/guix/run-phase6-jail-package-build.sh

Validation command

Run command:

METADATA_OUT=/tmp/phase6-jail-package-metadata.txt \
./tests/guix/run-phase6-jail-package-build.sh

What the harness does

The harness:

  1. reuses the patched Phase 5 checkout/runtime setup
  2. fetches GNU Hello 2.12.3 and verifies the expected SHA256
  3. starts the patched daemon on a temporary Unix socket
  4. generates a package file that inherits from Guix's real hello package definition
  5. lowers that package through a FreeBSD-specific build system whose builder:
    • compiles freebsd-drop-exec
    • creates a thin jail root
    • mounts a minimal host tool view with explicit nullfs mounts
    • mounts the source tarball read-only
    • mounts per-build writable work/output areas
    • enters the jail
    • drops to UID/GID 35001:35001
    • runs the GNU Hello configure/build/check/install sequence inside the jail
  6. copies the staged result back to the real /frx/store output path
  7. validates runtime output, jail metadata, and preserved source references

Observed results

Observed metadata included:

  • drv_path=/frx/store/...-hello-2.12.3.drv
  • out_path=/frx/store/...-hello-2.12.3
  • runtime_output=Hello, world!
  • build_uid=35001
  • build_gid=35001
  • jail_hostname=fruix-phase6-hello-...
  • build_mode=freebsd-jail
  • source_store_path=/frx/store/...-hello-2.12.3.tar.gz

The GNU Hello test suite also passed inside the jail build path.

Important findings

  • this is no longer a separate subsystem prototype; a real package build submitted through the daemon now executes under FreeBSD jail isolation with dropped build credentials
  • the daemon's host TMPDIR path was not automatically meaningful inside the jail, so the integrated build path had to reset TMPDIR=/tmp inside the jailed builder environment
  • a small helper binary was still needed to perform the post-jexec UID/GID drop reliably using numeric build identities on FreeBSD
  • the output preserved a direct reference to the source tarball store item, so the integrated jail path still maintains the store-reference expectations established in Phase 6.1
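
A minimal post-jexec privilege-drop wrapper in the spirit of the freebsd-drop-exec step in the harness and the helper-binary finding above, added here as an example; it is not the project's helper, whose interface the report does not show. It assumes a `UID:GID prog [args...]` command line, and the TMPDIR reset mirrors the report's finding rather than any stated behaviour of the real helper.

```c
/* Added example, not the project's freebsd-drop-exec (whose interface the report
 * does not show): a post-jexec privilege-drop wrapper. Usage: drop-exec UID:GID prog [args] */
#define _GNU_SOURCE   /* setgroups() declaration on glibc; harmless on FreeBSD */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct build_ids { uid_t uid; gid_t gid; int ok; };

/* One strictly numeric id field ended by `stop`; rejects 0 (root) and values that
 * would not survive the cast to uid_t/gid_t. Returns 1 on success. */
static int parse_part(const char *s, char stop, unsigned long *out, const char **next) {
    char *end;
    if (*s < '0' || *s > '9') return 0;           /* no sign, space or empty field */
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno || *end != stop || *out == 0 || *out > 0xFFFFFFFEUL) return 0;
    *next = end + 1;
    return 1;
}

/* Parse "UID:GID"; ok == 0 means the spec was rejected. */
struct build_ids parse_ids(const char *spec) {
    struct build_ids ids = { 0, 0, 0 };
    unsigned long u, g; const char *rest;
    if (!parse_part(spec, ':', &u, &rest) || !parse_part(rest, '\0', &g, &rest)) return ids;
    ids.uid = (uid_t)u; ids.gid = (gid_t)g; ids.ok = 1;
    return ids;
}

/* Order matters: groups, then GID, then UID (an unprivileged UID can no longer
 * change groups). Then confirm the drop took and that root is not recoverable. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0) return -1;   /* saved-set-uid still root: refuse to continue */
    return 0;
}

int main(int argc, char **argv) {
    struct build_ids ids = argc >= 3 ? parse_ids(argv[1]) : (struct build_ids){ 0, 0, 0 };
    if (!ids.ok) { fprintf(stderr, "usage: %s UID:GID prog [args...]\n", argv[0]); return 2; }
    if (drop_privileges(ids.uid, ids.gid) != 0) { perror("drop_privileges"); return 1; }
    setenv("TMPDIR", "/tmp", 1);   /* host TMPDIR is not meaningful inside the jail (report finding) */
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 127;
}
```

Run it as the jailed root right after jexec, e.g. `drop-exec 35001:35001 sh ./build.sh`; the parser refuses uid/gid 0, signed or trailing input, and values that would truncate, and the wrapper aborts rather than exec if root can still be regained.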

Conclusion

Phase 6.2 is satisfied on the current FreeBSD prototype track:

  • a real Fruix/Guix package build now runs inside a FreeBSD jail
  • the actual build work executes as a dropped numeric build user (35001:35001)
  • the build succeeds into /frx/store
  • the previously separate jail/build-user validation work is now connected to the live package-build path