ZFS and Jail :: nullfs mount :: nothing visible from host

SK fbstable at cps-intl.org
Fri Dec 9 12:21:35 UTC 2016


On 09/12/2016 12:03, Miroslav Lachman wrote:
>
> I am not sure, maybe it is not possible to hide them when you need to 
> manage zfs inside jail.
> If you can live with not managing zfs inside but from the host, then 
> you can use enforce_statfs=2. Then you will see just a root dataset 
> inside jail.
>
> enforce_statfs=0 ~ you will see all datasets and partitions from the host
>
> enforce_statfs=1 ~ you will see all related to this jail (parents, 
> devfs etc)
>
> enforce_statfs=2 ~ only root mount is visible
>
I will try enforce_statfs=2, maybe that will give me what I need. But 
still, not sure what is happening with jailed=on

>>>
>>> zfs set jailed=on gT/JailS/testJail   << Did you set this property?
>> Now this is an interesting bit. I tried this, and as soon as I ran the
>> command, the dataset vanished :P
>>
>> Not only that, I could not run jail any more. Given that gT/JailS is
>> mounted on /JailS and the path parameter in jail.conf is
>> /JailS/testJail, I am not surprised that the jail did not run (it
>> initially complained about not being able to mount /dev, as it cannot
>> find /JailS/testJail/dev)
>>
>> As a workaround, I removed mount.devfs, mount.procfs (that complained
>> too), mount.fdesc (complained too), and then the jail ran
>>
>> But now that I do not have devfs, I could not do anything with zfs -- I
>> could not even see them. So, manipulation from within the jail or
>> outside the jail was no longer possible.
>
> Interesting. All documentation says jailed=on must be set.
>
Yes, I know. I checked everywhere and that seems to be the norm. But the 
moment I do it, my jail no longer functions :P

>
> "Everybody" says "use ezjail" because it was the first tool to 
> manipulate jails available for the masses. I tried it after I learned 
> all things about jails the hard way and then I realised ezjail is 
> doing strange things in some cases. I know it evolved, but if you need 
> to use some tool there are some better tools (in my opinion) which 
> were developed with ZFS features from the start.
> You can try iocage or cbsd. They also can manage bhyve guests.
>
I did try iocage for bhyve some time back, honestly, I did not like it 
(maybe because it tried to do things on my behalf without letting me 
know what it was doing). I settled for vm-bhyve instead and am quite 
happy about it. cbsd I have not tried, maybe I'll give that a shot.

Still, my desire for keeping it simple and raw is preventing me from 
taking any of these routes. I would very much like NOT to run any 
additional package on the host/base itself. I already have screen, mc 
and wget -- that is an overkill in my own personal opinion.

Let us see how it goes. If I discover something, I will post it back.

Thanks again for your support and suggestions, they have been very very 
helpful.

Best regards
SK
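
The two setups discussed in this thread, written out as a jail.conf sketch (an added example, not part of the original message or either poster's configuration). Jail names, hostnames, the child dataset name `data` and the devfs ruleset number are assumptions; the jail path and the pool layout are taken from the thread.

```conf
# Constructed jail.conf sketch. Use ONE of the two blocks; both point at
# the same path. gT/JailS is mounted on /JailS, as described in the thread.

# Option A: ZFS is managed from the host only.
# enforce_statfs = 2 limits what the jail can learn about host mounts:
# only the jail's own root mount shows up in df/mount output.
hostmanaged {
    path = "/JailS/testJail";
    host.hostname = "hostmanaged.example.org";   # assumed name
    mount.devfs;
    enforce_statfs = 2;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}

# Option B: a child dataset is delegated to the jail.
# Host side, once (the child name "data" is an assumption):
#   zfs create -o jailed=on gT/JailS/testJail/data
# jailed=on goes on the child only. Per zfs(8), the jail's root file
# system cannot be attached to the jail, and a jailed dataset can no
# longer be mounted from the host, so gT/JailS/testJail keeps jailed=off
# and stays mounted on /JailS/testJail for devfs and friends.
delegated {
    path = "/JailS/testJail";
    host.hostname = "delegated.example.org";     # assumed name
    mount.devfs;
    devfs_ruleset = 4;     # assumed: ruleset must expose /dev/zfs
    allow.mount;
    allow.mount.zfs;       # only effective with allow.mount
    enforce_statfs = 1;    # allow.mount.zfs needs a value lower than 2
    exec.start = "/bin/sh /etc/rc";
    # Attach the delegated dataset once the jail exists.
    exec.poststart = "zfs jail delegated gT/JailS/testJail/data";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

With Option B the mountpoint of the delegated dataset is set and mounted from inside the jail, where paths are relative to the jail root.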

