Unionfs etc Re: Packaging

Sean Hogan shogun70 at bigpond.net.au
Fri Mar 12 04:24:28 PST 2004


Matthew Dillon wrote:
:# mkdir /tmp/a
:# mount_union /tmp/a /usr/local
:
:works fine and if I create a file in /usr/local it gets "really"
:created in /tmp and is only visible there after umounting /usr/local
:-- just what I wanted.  However,
:
:# mount_union /tmp/a /
:says 
:mount_union: /tmp/a (/usr/tmp/a) and / (/) are not distinct paths
:
:Is there a way around this?  I ask because I'd rather not assume
:anything about PREFIX, and I'd like this to be usable for
:badly-behaved installers that put stuff into other places like /etc,

    Well, /tmp/a on top of / creates a recursion within unionfs, which is
    why it is not allowed.  Actually, the more interesting mount is:
    mount_union -b / /tmp/a

    Which would create an image of the entire filesystem in /tmp/a, suitable
    for chroot'ing into /tmp/a.   But this is not currently allowed either.
    If you (or someone) would like to fix this, I think it's a fairly simple
    matter to have unionfs detect the recursion (e.g. /tmp/a/tmp/a) and
    disallow access to it.
    This would make unionfs a *very* powerful tool.
(lurk mode off)
Well, I have no right to say anything at this point, but this discussion 
lies close to my heart so I might add some of the things I've been 
thinking about.

I was hoping to write up an organized and critiqued summary of my 
thoughts.... but it hasn't happened in the last two weeks so I see no 
reason it will happen in the next two.  So... this is messy and 
full-of-holes.

Ever since I've been using FreeBSD I've been intrigued by the potential 
of jails and union mounts.   And I've been perplexed by the 
schizophrenic directory layout:  eg 
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
and it is worse for configuration files.

I would like to set up virtual machines via union mounts and jails, such 
that inside each machine you have precisely the programs, libraries, 
config files that you need.  And nothing else.

I want to have no doubts about where in the directory tree something 
can/should be found.
That is... libraries are in /lib, config files in /etc, and so on.

I think that as much of the base install as possible should be relocated 
to the ports/packages system.

I imagine that building a package would involve:

	Creating a jailed process on top of a multi-layered union mount
		- top level is empty (to begin) .
		    path in the base system might be:
			/pkg/<name>-<version>-<port_rev>-<ENV?>
		- next level has source and makefiles, etc for the port.
		    path in the base system might be:
			/src/<name>-....
		- lower levels get dependencies mounted as appropriate.
		    path in the base system might be:
			/pkg/<dep-name>-....
			
	If the port has dependencies, need to request the base-system to
	mount the dependencies on lower layers, possibly building them
	first.
	
	Build the package.  Hmmm, maybe the top level shouldn't be
	mounted until after this stage.
	Install the package.  PREFIX=/
	Now every thing gets installed in /bin /sbin /lib /etc.   Yay.
	In the base-system they appear under /pkg/<name>-..../bin
		and so on.
	Now all packages are ready to be union mounted into
	our virtual machine.  Yay.
The above process is still too simplistic (as well as being 
full-of-holes) becos we would sometimes want only the libraries from a 
package in our virtual machine.

A virtual machine is now a jail on top of a multi-layered union mount.
	Top level is empty (to begin)
	    path in base-system might be:
		/jails/<hostname>
	Lower layers are from the /pkg/<name>-.... tree as desired
	Configuration changes happen in /etc of the top layer,
	and affect this VM only (can't even be accessed by other VMs).
	Command line options to set a special location for config file
	lose their relavence.  World peace ensues.
I suspect that the root of the base-system should be static binaries 
(maybe in a boot-time loaded mfs) and that everything else can (should?) 
be dynamically linked.

Okay.  A bit of a dog's breakfast, I know.
I'm a big believer in "the proof of the pudding..." so if it is too hard 
to understand without some sort of prototype implementation (or if it is 
all just a piece of crap) then it is probably not worth responding...

It probably requires a lot of attention to union mount and other VFS 
voodoo.  It might be slow or resource intensive... my gut-feeling is 
otherwise but I have no basis for this.

Anyway... it's said.
cheers,
SDH




More information about the Kernel mailing list