Re: mounting NFS share from the jail

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Sat, 20 Jan 2024 22:06:04 UTC

On Sat, Jan 20, 2024 at 10:55 AM Charles Sprickman <spork@bway.net> wrote:
>
> > On Jan 20, 2024, at 10:09 AM, Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > On Sat, Jan 20, 2024 at 6:48 AM Marek Zarychta
> > <zarychtam@plan-b.pwste.edu.pl> wrote:
> >>
> >> Dear List,
> >>
> >> there were some efforts to allow running nfsd(8) inside the jail, but is
> >> mounting an NFS share from the jail allowed?  Inside the jail
> >> "security.jail.mount_allowed" is set to 1, I also added "add path net
> >> unhide" to the ruleset in devfs.rules but when trying to mount the NFS
> >> share I get only the error:
> >>
> >> mount_nfs: nmount: /usr/src: Operation not permitted
> >>
> >> It's not a big deal, the shares can be mounted from the jail host, but I
> >> am surprised that one can run NFSD inside the jail while mounting NFS
> >> shares is still denied.
> >>
> >> Am I missing anything or is mounting NFS from inside the jail still
> >> unsupported?  The tests were done on the recent stable/14 from the vnet
> >> jail.  Any clues will be appreciated.
> > You are correct. Mounting from inside a jail is not supported.
> > After doing the vnet conversion for nfsd, I tried doing it for the NFS client.
> > There were a moderate # of global variables that needed to be vnet'd,
> > which I did.  The hard/messy part was having the threads (anything that
> > calls an NFS VFS/VOP call) set to the proper vnet.
> > It would have required a massive # of CURVNET_SET()/CURVNET_RESTORE()
> > macros and I decided that it was just too messy.
>
> (slight hijack)
>
> I'm curious, I currently have a need for either an nfs server or client in a jail and have had no luck even with the userspace nfsd (https://unfs3.github.io/ / https://www.freshports.org/net/unfs3/). Is there any in-jail solution that works on FreeBSD? It's mainly for very light log-parsing and I want it all inside a jail for portability between hosts. Not even married to nfs if there's another in-jail option...

As above, NFS client mount no, nfsd yes.
See:
https://people.freebsd.org/~rmacklem/nfsd-vnet-prison-setup.txt

rick

>
> Charles
>
>
> > If it becomes a necessary feature, it is ugly but doable.
> >
> > rick
> >
> >>
> >> Cheers
> >>
> >> --
> >> Marek Zarychta
>
>