Open feld opened 7 months ago
I encountered this too. You can work around this for now by copying the fingerprints directory into the jail like this:

```sh
mkdir -vp "${jail_path}/usr/share/keys/pkg/trusted" && cp -av /usr/share/keys/pkg/trusted/ "$jail_path/usr/share/keys/pkg/trusted"
```

before running `pkg -r "$jail_path" install ...`.

Also keep in mind that `pkg -r` does not provide secure isolation against a malicious jail. You either have to wrap pkg(8) inside a trusted immutable jail (except for a few temp files) using its `pkg -r` on the jail (probably via nullfs) or mark the jail userland as tainted after the initial installation, but before you ever run it. I prefer to create my temporary jail datasets under `"$zpool/jails/.$name"` (destroying stale failed bootstrapping attempts) and renaming the datasets to their permanent name after the jail filesystem has been populated.
Theoretically it should be possible to bootstrap a jail with a command like this:
However, this fails if you are validating signatures/fingerprints of packages:
It's looking for the trusted fingerprints inside the provided root path which are missing, so it gives up. If you copy the `/usr/share/keys/pkg` into the jail it will work. I can manage this as a personal workaround but it will definitely confuse others trying to achieve the same ends.

The end goal is to use pkg to generate a jail which will be more lightweight than my current method of extracting `base.txz` into the jail. Anything pkg can do to support generating a valid jail structure including copying in repo configs and public keys/fingerprints would be greatly appreciated.
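
The fingerprint copy that both posts above describe, written as a checked helper (an added example, not part of the issue thread and not pkg's own code). The function names are hypothetical; the only path taken from the thread is `/usr/share/keys/pkg`. It refuses to copy through a symlinked path component in the jail tree and fails if the jail copy ends up different from the host's, including when the jail already held extra fingerprint files.

```sh
#!/bin/sh
# Added example, not from the issue thread; function names are hypothetical.
# The key path is the one quoted in the thread.
KEYS_SUBDIR="usr/share/keys/pkg"

# Fail if any existing component of relative path $2 under root $1 is a
# symlink, so a prepared jail tree cannot redirect the copy elsewhere.
no_symlinks_below() {
    root=$1; rel=$2; cur=$root
    old_ifs=$IFS; IFS=/
    set -- $rel            # split the relative path on "/"
    IFS=$old_ifs
    for part in "$@"; do
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            echo "refusing: $cur is a symlink" >&2
            return 1
        fi
    done
    return 0
}

# seed_pkg_fingerprints HOST_ROOT JAIL_ROOT
# Copy HOST_ROOT/usr/share/keys/pkg into JAIL_ROOT, then require the jail
# copy to be identical to the host's (extra files in the jail also fail).
seed_pkg_fingerprints() {
    host_root=$1; jail_root=$2
    src="$host_root/$KEYS_SUBDIR"
    dst="$jail_root/$KEYS_SUBDIR"
    [ -d "$src/trusted" ] || { echo "no trusted dir in $src" >&2; return 1; }
    no_symlinks_below "$jail_root" "$KEYS_SUBDIR/trusted" || return 1
    mkdir -p "$dst" || return 1
    cp -Rp "$src/." "$dst/" || return 1   # "src/." copies the contents
    diff -r "$src" "$dst" >/dev/null || {
        echo "fingerprints in $dst differ from $src" >&2
        return 1
    }
}

# Intended use on the host, before the command from the thread:
#   seed_pkg_fingerprints "" "$jail_path" && pkg -r "$jail_path" install ...
```

This covers only the fingerprint copy; it does not address the isolation concern raised about `pkg -r` itself.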