ZFS and Jail :: nullfs mount :: nothing visible from host

Miroslav Lachman 000.fbsd at quip.cz
Thu Dec 8 17:11:39 UTC 2016


SK wrote on 2016/12/08 17:41:
> On 08/12/2016 16:14, Miroslav Lachman wrote:
>> SK wrote on 2016/12/08 15:22:
>>
>>> So far I have tried to follow as many google results as possible using
>>> jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few
>>> sites coming up again and again but they were talking about ezjail (not
>>> that I have anything against it, but I would prefer to be able to use
>>> the base system as it is -- might help me learn a few things that ezjail
>>> will hide from me :D)
>>
>> If you want to manage a ZFS dataset from within a jail, then you need
>> to use zfs set jailed=on property (see man zfs). But this data set
>> cannot be mounted as nullfs, it should be dedicated to the jail.
>>
>> You don't need ezjail because ezjail cannot do anything more than you
>> can do. It is just a shell script wrapper.
>>
>> Miroslav Lachman
>>
> Hi Miroslav
>
> Thank you for your response. I tried setting it up like that (use zfs
> set jailed=on), and that did not work. I could not even run zfs from
> within the jail. Maybe I did something wrong -- so I am setting up a
> test box where I can try them all out.
>
> I also came across these links
> https://clinta.github.io/freebsd-jails-the-hard-way/
> http://aaron.baugher.biz/unix/freebsd-jails-zfs-1
>
> I will give these a try. However, neither confirms (or maybe I missed
> it) if I can manage/manipulate the zfs datasets from within the jail --
> and that seems to be the logical approach based on various emails on the
> mailing lists. So, what I am really after is some kind of a
> pointer/direction, maybe even a rough sketch of a how-to, that would
> help in getting started at least. I am not new to jails -- it is just
> that so far most of my jails were on UFS systems and I never encountered
> this issue of data mismatch between what the Jail can see and what the
> host can see.

Did you read the man page carefully? Do you have /dev/zfs visible inside 
the jail's /dev/? If not, you need to create your own rule in 
/etc/devfs.rules


    Jails
      A ZFS dataset can be attached to a jail by using the "zfs jail"
      subcommand. You cannot attach a dataset to one jail and the children
      of the same dataset to another jail. To allow management of the dataset
      from within a jail, the jailed property has to be set and the jail
      needs access to the /dev/zfs device. The quota property cannot be
      changed from within a jail. See jail(8) for information on how to
      allow mounting ZFS datasets from within a jail.

      A ZFS dataset can be detached from a jail using the "zfs unjail"
      subcommand.

      After a dataset is attached to a jail and the jailed property is set,
      a jailed file system cannot be mounted outside the jail, since the
      jail administrator might have set the mount point to an unacceptable
      value.

What are the jail's properties? Do you have something like this?

enforce_statfs=1 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 
allow.mount.devfs=1

Then you need to run
zfs jail $JID tank/jail/testJail    (put the real UID of the running jail 
and the path to the dedicated dataset)

Miroslav Lachman
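The two things the reply above says to verify, the jail parameters and a devfs ruleset that unhides /dev/zfs, can be checked with a small script. The following is an added example and is not code from the mailing-list post: the ruleset number 5, the ruleset name devfsrules_jail_zfs, the jail name testJail, the dataset tank/jail/testJail and all sample inputs are constructed for illustration. The checker accepts a boolean either as name=1 or as the bare name, since jail(8) accepts both spellings.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: verify that a jail's
# parameters and the devfs ruleset it uses satisfy what the post lists
# for managing ZFS datasets from inside a jail. All sample inputs below
# are constructed; the ruleset number 5 and the names are assumptions.
#
# On the host the corresponding configuration looks like this:
#
#   /etc/devfs.rules
#     [devfsrules_jail_zfs=5]
#     add include $devfsrules_hide_all
#     add include $devfsrules_unhide_basic
#     add include $devfsrules_unhide_login
#     add path zfs unhide
#
#   /etc/jail.conf
#     testJail {
#         path = "/jail/testJail";
#         mount.devfs;
#         devfs_ruleset = 5;
#         enforce_statfs = 1;
#         allow.mount;
#         allow.mount.devfs;
#         allow.mount.zfs;
#     }
#
#   zfs set jailed=on tank/jail/testJail
#   service devfs restart
#   jail -c testJail
#   zfs jail "$(jls -j testJail jid)" tank/jail/testJail

# Jail parameters the post lists that matter for ZFS, in jail(8)
# name=value form (allow.mount.procfs from the post is not needed for ZFS).
REQUIRED_PARAMS="enforce_statfs=1 allow.mount=1 allow.mount.zfs=1 allow.mount.devfs=1"

# check_jail_params "PARAMS"
# PARAMS is a whitespace-separated list of jail(8) parameters.  A boolean
# may be given as name=1 or as the bare name (jail(8) accepts both).
# Returns 0 when every required parameter is present, 1 otherwise, naming
# each missing one on stderr.
check_jail_params() {
    params="$1"
    rc=0
    for want in $REQUIRED_PARAMS; do
        found=0
        for have in $params; do
            case "$have" in
            "$want" | "${want%=1}") found=1 ;;
            esac
        done
        if [ "$found" -eq 0 ]; then
            echo "missing jail parameter: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_devfs_rules RULESET_NAME "RULES_TEXT"
# RULES_TEXT is the content of a devfs.rules(5) file.  Returns 0 when the
# section [RULESET_NAME=N] contains "add path zfs unhide", i.e. /dev/zfs
# will be visible in a jail that uses that ruleset; 1 otherwise.
check_devfs_rules() {
    ruleset="$1"
    printf '%s\n' "$2" | awk -v rs="$ruleset" '
        /^\[/ { in_rs = (index($0, "[" rs "=") == 1) }
        in_rs && $1 == "add" && $2 == "path" && $3 == "zfs" && $4 == "unhide" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed samples: one complete parameter set, one missing allow.mount.zfs.
GOOD_PARAMS="jid=3 name=testJail path=/jail/testJail devfs_ruleset=5 enforce_statfs=1 allow.mount allow.mount.zfs=1 allow.mount.devfs=1"
BAD_PARAMS="jid=3 name=testJail path=/jail/testJail enforce_statfs=1 allow.mount=1 allow.mount.devfs=1"

# Constructed devfs.rules content: a stock-style jail ruleset that hides
# /dev/zfs, and the custom ruleset that unhides it.
GOOD_RULES='[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

[devfsrules_jail_zfs=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide'

# Demo run over the constructed samples.
check_jail_params "$GOOD_PARAMS" && echo "testJail: parameters OK"
check_jail_params "$BAD_PARAMS" || echo "testJail (bad sample): parameters incomplete"
check_devfs_rules devfsrules_jail "$GOOD_RULES" || echo "ruleset devfsrules_jail: /dev/zfs hidden"
check_devfs_rules devfsrules_jail_zfs "$GOOD_RULES" && echo "ruleset devfsrules_jail_zfs: /dev/zfs visible"
```

On a real host, feed check_devfs_rules the contents of /etc/devfs.rules and check_jail_params the parameter list from the jail's jail.conf stanza or jail(8) command line; a jail that passes both checks but still cannot run zfs usually has not had `zfs jail` run against it after it was (re)started, since that attachment does not persist across jail restarts.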
