I admit to being very much a newbie with FreeBSD, but I'm wondering whether these are the right defaults. On my FreeBSD host (outside a jail) I only have devfs mounted at /dev. /dev/fd appears to be provided by devfs, and the same is true in the jails that I've set up with runj. I don't have /dev/shm or /dev/mqueue at all on my host either.

$ mount
zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
zroot/tmp on /tmp (zfs, local, noatime, nosuid, nfsv4acls)
zroot/usr/home on /usr/home (zfs, local, noatime, nfsv4acls)
zroot/var/log on /var/log (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot on /zroot (zfs, local, noatime, nfsv4acls)
zroot/usr/ports on /usr/ports (zfs, local, noatime, nosuid, nfsv4acls)
zroot/var/audit on /var/audit (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/usr/src on /usr/src (zfs, local, noatime, nfsv4acls)
zroot/var/crash on /var/crash (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/mail on /var/mail (zfs, local, nfsv4acls)
zroot/var/tmp on /var/tmp (zfs, local, noatime, nosuid, nfsv4acls)
zroot/containerd on /var/lib/containerd/io.containerd.snapshotter.v1.zfs (zfs, local, noatime, nfsv4acls)
zroot/containerd/44 on /run/containerd/io.containerd.runtime.v2.task/default/test2/rootfs (zfs, local, noatime, nfsv4acls)
devfs on /run/containerd/io.containerd.runtime.v2.task/default/test2/rootfs/dev (devfs, local, multilabel)

The man page for fdescfs answers at least the question of /dev/fd being provided by devfs, but I'd still like to understand more about whether these are the appropriate defaults.

Looking at my jails (setup via cbsd), I have fdescfs mounted for all of them, the other mounts are indeed not present.

/dev/shm is a Linuxism, and I should remove that, my first intention was to make sure mount doesn't explode when it tries to mount filesystems that are not native to FreeBSD. /dev/mqueue is also save to remove I'd say, it doesn't seem to be mounted anywhere either.

I'll fixup tonight.

Looking at my jails (setup via cbsd), I have fdescfs mounted for all of them, the other mounts are indeed not present.

Should fdescfs be present by default though? It doesn't seem to be mounted by default in the FreeBSD host I've been using that I installed without much customization.

According to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216985 and FreeBSD's ports, bash and OpenJDK need fdescfs.

So questions are;

• Do we want to provide a minimal set or good enough default to run common programs?
• Are bash and/or OpenJDK considered "common" to mount fdescfs by default?

bash and OpenJDK needing fdescfs sounds like a good reason to mount it by default to me.

I've been using ruleset=4 in runj so far. A somewhat more-restrictive default might be useful here and the jail(8) manual page suggests using 4.

It has been my intention to pass devfs rule options in a (yet to be defined) OCI specification for FreeBSD.
ruleset=4 sounds like a safe default for the meantime though :)

It's not completely relevant for this PR, but I'm curious to know why you are thinking of embedding devfs rule options in a FreeBSD section rather than mount options. Were you planning to allow for full ruleset definitions rather than referencing existing rulesets?

(Note: dismissing previous LGTM to track the addition of the default ruleset option prior to merging.)

Yes allowing to build a complete devfs ruleset has been the intention.
FreeBSD allows the ruleset to be specified at mount time, but also allows later modifications of a devfs mountpoint via the CLI devfs tool, even changing the ruleset (rulesets in essence basically just being a series of show and hide commands).
So I'd think having a node in a FreeBSD OCI spec that allows specification of a ruleset & a list of actions to take on the dev mountpoint would be usefull.

(Note: dismissing previous LGTM to track the addition of the default ruleset option prior to merging.)