ZFS and Jail :: nullfs mount :: nothing visible from host

SK fbstable at cps-intl.org
Thu Dec 8 19:13:40 UTC 2016


On 08/12/2016 17:11, Miroslav Lachman wrote:

>
> What are jails properties? Do you have something like this?
>
> enforce_statfs=1 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 
> allow.mount.devfs=1
>
> Then you need to run
> zfs jail $JID tank/jail/testJail    (put the real UID of running jail 
> and path to dedicated dataset)
>
> Miroslav Lachman
>
Dear Miroslav, Alexander

@Alexander: I checked out your link. It is interesting, but you are 
using ezjail, which I am trying to avoid. I have nothing against it, but 
I think making it work without too many additional layers of 
obfuscation will help me learn it better. So, thanks again, and sorry I 
cannot use that solution right now.

@Miroslav: as I mentioned earlier, I did have those parameters, but that 
didn't seem to do any good on the main system since I was using nullfs 
for mounting jails. However, on the new system I used purely ZFS and 
things have improved slightly.

Current status

The main system (host) has gT as the pool/dataset, where the root is 
mounted. I have created two more datasets:
# zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
gT                 10.3G   199G  9.51G  legacy
gT/JailS            832M   199G    20K  /JailS
gT/JailS/testJail   546K   199G   827M  /JailS/testJail


Initially they were not visible from within the jail, but once I ran
zfs jail testJail gT/JailS/testJail
they were visible from inside.

HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
root@testJail:/ # zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
gT                 10.3G   199G  9.51G  legacy
gT/JailS            832M   199G    20K  /JailS
gT/JailS/testJail   546K   199G   827M  /JailS/testJail
root@testJail:/ # zfs snapshot gT/JailS/testJail@test
*cannot create snapshots : permission denied*
root@testJail:/ # zfs create gT/JailS/testJail/test
*cannot create 'gT/JailS/testJail/test': permission denied*
root@testJail:/ # exit

Even after the jail was able to see the dataset, the following sysctl 
was still zero:
security.jail.mount_zfs_allowed: 0

I changed it to one, but that didn't seem to have the desired effect 
(should I have restarted?).

Below are some of the relevant settings. If you require any other 
information, I'll try to send it as soon as I can.

# cat /etc/jail.conf
==============
### common items

         host.hostname = "${name}";
         path = "/JailS/${name}";
         exec.start += "ifconfig ${ePairIF}b vnet ${name}" ;
         exec.clean;
         exec.system_user = "root";
         exec.jail_user = "root";
         exec.consolelog = "/var/log/jail_${name}_console.log";
         command = "/sbin/ifconfig ${ePairIF}b inet ${jailIP} netmask 255.255.255.240" ;
         command += "route add -inet default ${gWay}" ;
         mount.fstab = "/etc/fstab.${name}";
         devfs_ruleset = "4";
         mount.devfs;
         mount.fdescfs;
         mount.procfs;
         allow.mount;
         allow.set_hostname = 0;
         allow.sysvipc = 1;
         allow.raw_sockets = 1;
         vnet;
         vnet="new";
         $bridegIF = "bridge1" ;
         $gWay = "10.7.3.1" ;




testJail {
         enforce_statfs = 1 ;
         allow.mount = 1;
         allow.mount.zfs = 1;
         allow.mount.procfs = 1 ;
         allow.mount.devfs = 1 ;
         $ePairIF = "epair0" ;
         $jailIP = "10.7.3.4" ;
         vnet.interface = ${ePairIF}b ;
         exec.start = "/bin/sh /etc/rc" ;
         exec.stop = "/bin/sh /etc/rc.shutdown" ;
         persist ;
}


##################

# cat /etc/devfs.rules
=============
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide



# zfs status at the moment
root@testJail:/ # zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
gT                 10.3G   199G  9.51G  legacy
gT/JailS            832M   199G    20K  /JailS
gT/JailS/testJail   546K   199G   827M  /JailS/testJail
root@testJail:/ # zfs snapshot gT/JailS/testJail@test
cannot create snapshots : permission denied
root@testJail:/ # zfs create gT/JailS/testJail/test
cannot create 'gT/JailS/testJail/test': permission denied
root@testJail:/ # exit
exit

Thanks and regards
SK
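Added example, not part of the thread: a host-side sh script that checks the prerequisites zfs-jail(8) lists for managing a dataset from inside a jail (the dataset's `jailed` property on, the jail's `allow.mount` and `allow.mount.zfs` set, `enforce_statfs` below 2) before attaching it with `zfs jail`, using the jail name and dataset from the message above. The `ZFS` and `JLS` variables are an assumption added so the commands can be stubbed.

```shell
#!/bin/sh
# Added example (not from the thread): verify on the HOST that a jail will be
# able to snapshot/create below a dataset, then attach the dataset to it.
# zfs-jail(8) requires: dataset jailed=on, jail allow.mount and
# allow.mount.zfs set, enforce_statfs lower than 2.
# ZFS and JLS are assumed overridable so the checks can be tested offline.
ZFS=${ZFS:-zfs}
JLS=${JLS:-jls}

# is_on VALUE: zfs/jls may print booleans as 1/0, on/off or true/false
is_on() {
    case "$1" in 1|on|true) return 0 ;; *) return 1 ;; esac
}

# check_delegation JAIL DATASET
# Prints one line per missing prerequisite (with the fix) and returns 0
# when everything is in place, 1 when something is missing, 2 on a
# zfs/jls failure (dataset or jail not found).
check_delegation() {
    jail=$1 ds=$2 rc=0
    jailed=$("$ZFS" get -H -o value jailed "$ds") || return 2
    is_on "$jailed" || {
        echo "$ds: jailed=$jailed -> zfs set jailed=on $ds"; rc=1; }
    # jls prints the requested parameters on one line, space separated
    params=$("$JLS" -j "$jail" allow.mount allow.mount.zfs enforce_statfs) \
        || return 2
    set -- $params
    is_on "$1" || { echo "$jail: allow.mount=$1 -> set allow.mount=1"; rc=1; }
    is_on "$2" || {
        echo "$jail: allow.mount.zfs=$2 -> set allow.mount.zfs=1"; rc=1; }
    [ "$3" -lt 2 ] 2>/dev/null || {
        echo "$jail: enforce_statfs=$3 -> set enforce_statfs=1"; rc=1; }
    return $rc
}

# delegate JAIL DATASET: attach the dataset only if the checks pass, so a
# failed `zfs jail` is not mistaken for a working delegation.
delegate() {
    check_delegation "$1" "$2" && "$ZFS" jail "$1" "$2"
}

# Usage with the jail and dataset from the thread:
# delegate testJail gT/JailS/testJail
```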

