ZFS and Jail :: nullfs mount :: nothing visible from host

Alexander Leidinger Alexander at leidinger.net
Fri Dec 9 16:50:11 UTC 2016


Quoting SK <fbstable at cps-intl.org> (from Thu, 8 Dec 2016 19:13:15 +0000):

> @Alexander : I checked out your link. It is interesting, but you are  
> using ezjail which I am trying to avoid. I have nothing against it,  
> but I think making it work without too many additional layers of  
> obfuscation will help me learn it better. So, thanks again, and  
> sorry I cannot use that solution right now.

My comment was targeted at the devfs rule to unhide /dev/zfs (and as I  
see, this is what you did); this is independent of the context (plain  
jail, ezjail, iocage, ...).


> Current status
>
> the main system (host) has gT as the pool/dataset, where the root is  
> mounted. I have created two more datasets
> # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
>
>
> Initially they were not visible from within the jail, but as I ran
> zfs jail testJail gT/JailS/testJail
> they were visible from inside.

This means it works, else you would not be able to see anything.

> HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
> root at testJail:/ # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
> root at testJail:/ # zfs snapshot gT/JailS/testJail at test
> *cannot create snapshots : permission denied*
> root at testJail:/ # zfs create gT/JailS/testJail/test
> *cannot create 'gT/JailS/testJail/test': permission denied*
> root at testJail:/ # exit

Hmmm.... no immediate idea for that one...

I am definitely able to snapshot inside my jails.
Apart from the <jail>:rc.conf:zfs_enable="YES" which you were already  
told about... wait, have you increased the security level ("sysctl  
kern.securelevel") of the host?

> Even after the jail was able to see the dataset, the following  
> sysctl was still zero
> security.jail.mount_zfs_allowed: 0

I think this is needed if you want to import a pool (zpool import)  
from a device (which is made visible in the devfs) or file.

> I changed it to one, but that didn't seem to have the desired effect  
> (should I have restarted?)

A restart of the jail may be needed to have this setting take effect,  
but not the host.

Bye,
Alexander.


-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
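The prerequisites this thread circles around (the devfs rule that unhides /dev/zfs, the per-jail allow.mount, allow.mount.zfs and enforce_statfs parameters for which the security.jail.mount_zfs_allowed sysctl from the thread only supplies the default, and the dataset's jailed property) can be verified in one place before running `zfs jail`. The following sh script is an added example written for this archive, not code from the list post or from FreeBSD; the jail name testJail and the dataset gT/JailS/testJail are taken from the thread, and the check_* functions take the raw values as arguments so they can be exercised without ZFS or jails, while `--live` mode gathers the real values with sysctl(8), jls(8), zfs(8) and jexec(8). It also checks one thing the reply does not mention: zfs(8) states that the jail's own root file system cannot be delegated, because it would be attached unmounted until the jail's zfs rc script mounts it, and in the thread the delegated dataset is mounted at the jail root /JailS/testJail.

```shell
#!/bin/sh
# Pre-flight check for delegating a ZFS dataset to a FreeBSD jail.
# Added example for this thread, not code from the list post.
# Usage (live mode): sh zfs_jail_check.sh --live testJail gT/JailS/testJail
# Without --live nothing is executed; the check_* functions only
# parse the values passed to them.

# Jail parameters as printed by `jls -j <jail> -n allow.mount allow.mount.zfs enforce_statfs`.
# Booleans print as "name"/"noname"; "name=1"/"name=0" is accepted too.
# zfs(8) requires allow.mount and allow.mount.zfs on and enforce_statfs below 2.
# Prints one line per problem; the return value is the problem count.
check_jail_params() {
    _bad=0
    for _kv in $1; do
        case "$_kv" in
        allow.mount|allow.mount=1|allow.mount=true) ;;
        noallow.mount|allow.mount=*)
            echo "jail: allow.mount is off (set allow.mount in jail.conf)"
            _bad=$((_bad + 1)) ;;
        allow.mount.zfs|allow.mount.zfs=1|allow.mount.zfs=true) ;;
        noallow.mount.zfs|allow.mount.zfs=*)
            echo "jail: allow.mount.zfs is off (set allow.mount.zfs in jail.conf)"
            _bad=$((_bad + 1)) ;;
        enforce_statfs=0|enforce_statfs=1) ;;
        enforce_statfs=*)
            echo "jail: enforce_statfs=${_kv#*=} (needs a value below 2)"
            _bad=$((_bad + 1)) ;;
        esac
    done
    return $_bad
}

# Dataset property from `zfs get -H -o value jailed <dataset>` (on/off).
# The jail can only manage the dataset after the host set jailed=on.
check_jailed() {
    if [ "$1" = "on" ]; then
        return 0
    fi
    echo "dataset: jailed=$1 (on the host run: zfs set jailed=on <dataset>)"
    return 1
}

# $1: dataset mountpoint (zfs get -H -o value mountpoint), $2: jail path (jls -j <jail> path).
# zfs(8): the jail's root file system itself cannot be delegated.
check_not_jail_root() {
    if [ "$1" != "$2" ]; then
        return 0
    fi
    echo "dataset: mountpoint $1 is the jail root; delegate a child dataset instead"
    return 1
}

# $1 is "yes" when /dev/zfs exists inside the jail, "no" otherwise.
# The stock jail devfs ruleset hides it; the jail's ruleset needs "add path zfs unhide".
check_dev_zfs() {
    if [ "$1" = "yes" ]; then
        return 0
    fi
    echo "devfs: /dev/zfs is hidden in the jail (add 'add path zfs unhide' to its ruleset)"
    return 1
}

# Host securelevel from `sysctl -n kern.securelevel`; reported only, since a
# jail never has a lower securelevel than its parent system.
report_securelevel() {
    echo "host: kern.securelevel=$1"
}

# Gather the real values and run every check. Only called with --live.
live_check() {
    _jail=$1; _ds=$2; _rc=0
    report_securelevel "$(sysctl -n kern.securelevel)"
    check_jail_params "$(jls -j "$_jail" -n allow.mount allow.mount.zfs enforce_statfs)" || _rc=1
    check_jailed "$(zfs get -H -o value jailed "$_ds")" || _rc=1
    check_not_jail_root "$(zfs get -H -o value mountpoint "$_ds")" "$(jls -j "$_jail" path)" || _rc=1
    if jexec "$_jail" test -c /dev/zfs; then _dev=yes; else _dev=no; fi
    check_dev_zfs "$_dev" || _rc=1
    if [ "$_rc" -eq 0 ]; then
        echo "all prerequisites met; run on the host: zfs jail $_jail $_ds"
    fi
    return $_rc
}

if [ "${1:-}" = "--live" ] && [ $# -eq 3 ]; then
    live_check "$2" "$3"
fi
```

When a check fails, the fix lives in the jail's /etc/jail.conf entry (allow.mount, allow.mount.zfs, enforce_statfs = 1, a devfs_ruleset whose ruleset includes `add path zfs unhide`, and an exec.poststart that runs `zfs jail $name <dataset>`) plus `zfs set jailed=on <dataset>` on the host; a jail restart is needed for parameter changes, as the reply notes, and the delegated dataset should be a child of the jail's root dataset rather than the root dataset itself.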