# What's the most secure way to install/share ports with jails?



## nx (Jul 17, 2012)

I'm curious what's considered the best practice - installing a ports dir in the base jail for other jails to use - or installing ports in jails by sharing/mounting them from the ezjail host?

If the host - can anyone explain how to do this or point me to a howto?

I've also read that some admins package the port they want to install with its dependencies and after moving it to the jail, install it there with pkg_add.

I tend to prefer ports over packages, but I'm all for using the best practice, so will switch to the package method for jails if someone can explain/link.

Thanks


----------



## SirDice (Jul 17, 2012)

Build packages from your ports, use *make package*. But it's easier to use the -g switch to portmaster(8) (ports-mgmt/portmaster). If you make sure /usr/ports/packages/ exists all your built packages will end up there.

And use nullfs(5) to mount the ports directory on a jail (it can be mounted read-only if you prefer).

`# mount -t nullfs /usr/ports/ /jails/myjail/usr/ports/`


----------



## nx (Jul 18, 2012)

Thanks very much!


----------



## nx (Jul 18, 2012)

Bah!

I've just got around to trying your advice SirDice... and found a roadblock.

I installed ezjail without ports, and then created a new jail.


```
ls -l newjail/usr
```

gives:


```
ports -> /basejail/usr/ports
```

Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:


```
mount -t nullfs /usr/ports /usr/jails/newjail/usr/ports
```

Or have I stuffed this up by not editing the ezjail config to stop the ports symlink being built before I created newjail?

I know this sounds picky, but I'd rather get these basics right now than have to fix up a mess later.

Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?

I'd rather not create a user in the wheel group in the jail and I don't have any system users needing ssh access so sudo isn't needed.


----------



## SirDice (Jul 18, 2012)

nx said:

> Will I create any problems down the line if I delete the ports symlink, create a ports dir, and then:
> 
> ```
> ...
> ```


I don't think so but I've never used ezjail.



> Oh... and is it okay to edit a jail via the host or the ezjail-admin console jailname command rather than via a new user in the jail?


Sure, I do that all the time. I even made a small shell script:

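```
#!/bin/sh
# Usage: jsu <jail> [su arguments...]
# Runs su(1) inside the named jail via jexec(8).
jail="${1:?usage: jsu jail [su arguments...]}"
shift
# Quote everything so arguments reach su unchanged
exec jexec "$jail" /usr/bin/su "$@"
```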
Saved it as ~/bin/jsu.

And I use it to "*su*" directly to my jails.
`# jsu build -`


----------
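Added example, not part of any post in this thread: a host-side sh script for the steps discussed above, replacing the ezjail `ports` symlink with a real directory and then mounting `/usr/ports` read-only with nullfs. The function names and the `PORTS_SRC` and `MOUNT` variables are hypothetical; the paths are the ones used in the posts.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the paths are the ones used in the posts above.
PORTS_SRC=${PORTS_SRC:-/usr/ports}
MOUNT=${MOUNT:-mount}        # set MOUNT=echo to preview instead of mounting

# Turn <jailroot>/usr/ports into a real, empty directory. The symlink left by
# ezjail is removed; anything else unexpected is refused, never deleted.
prepare_mountpoint() {
    mp="$1/usr/ports"
    if [ -L "$mp" ]; then
        rm -- "$mp" || return 1      # removes the link, not its target
    elif [ -d "$mp" ]; then
        # a non-empty directory would be hidden by the mount
        [ -z "$(ls -A -- "$mp")" ] && return 0
        echo "$mp: directory not empty" >&2; return 1
    elif [ -e "$mp" ]; then
        echo "$mp: exists and is not a directory" >&2; return 1
    fi
    mkdir -- "$mp"
}

# Mount the host's ports tree read-only. Run from the host, a symlink at the
# mount point would be resolved against the host's filesystem, so insist on
# a real directory first.
mount_ports() {
    mp="$1/usr/ports"
    if [ ! -d "$mp" ] || [ -L "$mp" ]; then
        echo "$mp: not a real directory, refusing to mount" >&2; return 1
    fi
    "$MOUNT" -t nullfs -o ro "$PORTS_SRC" "$mp"
}

# fstab(5) line that makes the same read-only mount persistent.
fstab_line() {
    printf '%s %s nullfs ro 0 0\n' "$PORTS_SRC" "$1/usr/ports"
}

# Usage (as root on the host): sh thisfile /usr/jails/newjail
if [ $# -ge 1 ]; then
    prepare_mountpoint "$1" && mount_ports "$1" && fstab_line "$1"
fi
```

With the tree mounted read-only, anything built inside the jail needs its writable paths (for example `WRKDIRPREFIX` and `DISTDIR` in make.conf) pointed outside `/usr/ports`.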

