The badly named MUTABLE_BASE=schg makes the base system immutable via schg flags and is only supported for tmpfs/ufs. It allows writing only to these directories:

/boot/modules
/etc
/var
/root
/usr/local
/tmp

We need to identify other paths that are written to and ports that are in general overwriting base still. We can either mark the ports as requiring a jail that has a mutable jail or make a policy against such.
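The writable-directory rule described above can be turned into a pre-check over a port's list of installed paths. This is an added example, not code from the report or from the build tooling; the function names and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Directories that stay writable under MUTABLE_BASE=schg,
# as listed in the report above.
WRITABLE="/boot/modules /etc /var /root /usr/local /tmp"

# hits_immutable_base PATH -> exit 0 if PATH falls outside every writable
# directory (the install would touch the schg-protected base), 1 otherwise.
hits_immutable_base() {
    case "$1" in
        /*) ;;                      # absolute paths only
        *) return 0 ;;              # relative path: cannot be vetted, flag it
    esac
    case "$1/" in
        */../*|*/./*) return 0 ;;   # unresolved dot components: flag conservatively
    esac
    for dir in $WRITABLE; do
        case "$1" in
            "$dir"|"$dir"/*) return 1 ;;   # match on a component boundary only
        esac
    done
    return 0
}

# audit_paths: read one path per line on stdin and print those that would
# be written into the immutable base.
audit_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if hits_immutable_base "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample: file names are illustrative, directories follow the
# failures reported in this thread.
sample_paths() {
    cat <<'EOF'
/usr/local/bin/example
/usr/bin/tftp
/usr/share/licenses/zoneinfo/LICENSE
/usr/localfoo/bin/x
/usr/local/../bin/x
/etc/rc.conf.d/example
/lib/geom/geom_raid5.so
EOF
}

sample_paths | audit_paths
```

The `/usr/localfoo` and `/usr/local/../bin` entries show why a plain string-prefix test against `/usr/local` is not enough.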
Will run on pb2
net/freebsd-tftp tries to write to /usr/bin: http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/freebsd-tftp-1.0.log
misc/zoneinfo tries to write to /usr/share/licenses:
http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/zoneinfo-2018.c.log

This is especially problematic since /usr/share is mounted read-only from a nullfs. A tmpfs may be needed for /usr/share/licenses.
sysutils/py-zfs tries to write to /usr/lib/zfs: http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/py27-zfs-1.1_1.log
(In reply to Bryan Drewery from comment #2)
> net/freebsd-tftp tries to write to /usr/bin:
> http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/freebsd-tftp-1.0.log

206650 edwin NO_PACKAGE= Installs software in /usr/libexec and /usr/bin
206499 edwin PREFIX= /usr
(In reply to Bryan Drewery from comment #3)
> misc/zoneinfo tries to write to /usr/share/licenses
> http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/zoneinfo-2018.c.log
> This is especially problematic since /usr/share is mounted read-only from a
> nullfs. A tmpfs may be needed for /usr/share/licenses.

PREFIX= /usr

(Lack of NO_PACKAGE here like tftp)
py-zfs has not been needed since ZFS 28 in base (2011) so I am going to just delete it.

------------------------------------------------------------------------
r219089 | pjd | 2011-02-27 11:41:40 -0800 (Sun, 27 Feb 2011) | 15 lines

Finally... Import the latest open-source ZFS version - (SPA) 28.

Few new things available from now on:
- Data deduplication.
- Triple parity RAIDZ (RAIDZ3).
- zfs diff.
- zpool split.
- Snapshot holds.
- zpool import -F. Allows to rewind corrupted pool to earlier transaction group.
- Possibility to import pool in read-only mode.

MFC after: 1 month
------------------------------------------------------------------------

- { "allow", zfs_do_python, HELP_ALLOW }, + { "allow", zfs_do_allow, HELP_ALLOW }, - { "unallow", zfs_do_python, HELP_UNALLOW }, + { "unallow", zfs_do_unallow, HELP_UNALLOW }, -/* ARGSUSED */ -static int -zfs_do_python(int argc, char **argv) -{ - (void) execv(pypath, argv-1); - (void) fprintf(stderr, "internal error: %s not found\n", pypath); - (void) fprintf(stderr, " install sysutils/py-zfs port to correct this\n"); - return (-1); -} -
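Review bot: pypath is used only by the removed zfs_do_python() in the lines shown here, so its definition should be dropped in the same change if nothing else references it; otherwise it is left behind as dead data. The "allow" and "unallow" table entries now name zfs_do_allow and zfs_do_unallow, whose definitions are not part of this excerpt, so both handlers need to be confirmed present before the python fallback goes away.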
A commit references this bug:

Author: bdrewery
Date: Fri Mar 16 20:36:29 UTC 2018
New revision: 464728
URL: https://svnweb.freebsd.org/changeset/ports/464728

Log:
  Remove sysutils/py-zfs.

  It has not been needed since the ZFS 28 import in base r219089.

  PR: 226610 [immutable base exp-run]

Changes:
  head/MOVED
  head/sysutils/Makefile
  head/sysutils/py-zfs/
Some other potentially problematic ones:

mail/postfix-current/Makefile:PREFIX= /usr
mail/postfix/Makefile:PREFIX= /usr
mail/postfix211/Makefile:PREFIX= /usr
(In reply to Bryan Drewery from comment #5)
> (In reply to Bryan Drewery from comment #2)
> > net/freebsd-tftp tries to write to /usr/bin:
> > http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-15_01h36m50s/logs/errors/freebsd-tftp-1.0.log
>
> 206650 edwin NO_PACKAGE= Installs software in /usr/libexec and /usr/bin
> 206499 edwin PREFIX= /usr

This was merged into base in r207608:

------------------------------------------------------------------------
r207608 | imp | 2010-05-03 23:19:19 -0700 (Mon, 03 May 2010) | 59 lines

Go ahead and merge the work edwin@ on tftpd into the tree. It is a lot better than what's in the tree now. Edwin tested it at a prior employer, but can't test it today. I've found that it works a lot better with the various uboot versions that I've used in my embedded work.

Here's the pkg-descr from the port that describes the changes:
...

I am going to expedite a removal of it.
A commit references this bug:

Author: bdrewery
Date: Fri Mar 16 20:50:06 UTC 2018
New revision: 464730
URL: https://svnweb.freebsd.org/changeset/ports/464730

Log:
  Remove net/freebsd-tftp.

  It was imported into base in FreeBSD 9.0 in r207608.

  PR: 226610 [immutable base exp-run]

Changes:
  head/MOVED
  head/net/Makefile
  head/net/freebsd-tftp/
www/gitlab will complain about trying to remove /usr/home with bulk -t but I consider the port to be bugged and won't mitigate it further. See Bug 225309.
sysutils/graid5 tries to install to /lib/geom and /sbin/:
http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-17_16h34m44s/logs/errors/graid5-1.3.20140711.62.log
mail/popa3d-before-sendmail and possibly mail/popa3d try to write to /usr/share/sendmail

.if exists(${LOCALBASE}/share/sendmail/cf/mailer/uucp.m4)
CFDIR= ${LOCALBASE}/share/sendmail/cf
.else
CFDIR= /usr/share/sendmail/cf
.endif

http://pb2.nyi.freebsd.org/data/111amd64-default-PR226610/2018-03-17_16h34m44s/logs/errors/popa3d-before-sendmail-1.0.3.log
It just occurred to me that we can enable this feature for package building without impacting the packages. The restriction of writing to /usr, etc, is only relevant for INSTALL which is only tested by bulk -t, not by the package build systems. So they will fail QA but generate a package just fine.