ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Alexander Leidinger Alexander at leidinger.net
Fri Dec 16 13:16:03 UTC 2016 

Quoting SK <fbstable at cps-intl.org> (from Mon, 12 Dec 2016 17:13:27 +0000):

> b) Alexander, I am still not able to do snapshot or any other action  
> from within my jail. My understanding is that you are using ezjail,  
> which might be doing something that my regular jail creation is  
> ommitting. If you do not mind sharing your configuration steps, I  
> can try to reproduce it at this end. If it is exactly as it is on  
> the site you pointed to earlier, please let me know, I will follow  
> that verbatim (even though I do not remember seeing anything there  
> that I have not tried already, but I might be mistaken).

Do you use quotas on the datasets you want to add to the jail? If yes,  
try without. The man-page of zfs tells that this value can not be  
changed (but from the wording I would expect hat an already set value  
should work).

ezjail is just a shell script which simplifies some things with jails.  
For a particular jail where I can manage the datasets which are handed  
over to the jail I have those settings in ezjail which correspond to  
the settings you can specify in jail.conf:
---snip---
export jail_xyz_leidinger_net_devfs_ruleset="17"
export jail_xyz_leidinger_net_zfs_datasets="space/something"
export jail_xyz_leidinger_net_parameters="allow.mount allow.mount.zfs  
enforce_statfs=1"
---snip---
Check if you have allow.mount and allow.mount.zfs for the jails in question.

Note, "space/something" is not the root of the jail, it's a seperate  
dataset. Do not add the root of the jail as a dataset. Example bellow.

devfs.rules part:
---snip---
[devfsrules_unhide_zfs=12]
add path zfs unhide

[devfsrules_jail_withzfs=17]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs
---snip---

The rc.conf inside this jail:
---snip---
zfs_enable="YES"
---snip---

For one of the filesystems I have set "zfs allow" permissions, but  
just that a specific user in the jail can do something on those FS  
without the need to switch to root. So as long as you try to do a zfs  
create/snapshot with an user with UID 0 inside the jail, the "zfs  
allow" part doesn't come into play.

So assume space/jails/xyz.leidinger.net/ to be the dataset which  
contains the root of the jail but is not attached/attributed to the  
jail itself. space/jails/xyz.leidinger.net/data with mountpoint=none  
to be attributed ("zfs jail xyz space/jails/xyz.leidinger.net/data")  
to the jail (similar to the "space/something" in the ezjail config  
above, I have some iocage-managed jails were this works). In this case  
you should be able to do from inside the jail "zfs create -o  
mpuntpoint=/mnt space/jails/xyz.leidinger.net/data/test".

> And now to everyone, I am still confused about zfs set jailed=on. As  
> I mentioned on my previous emails, as soon as I do that, the dataset  
> vanishes from the host system (as I understand, that is expected  
> behaviour). Then the jail fails as it is unable to mount /dev, /proc

 From the zfs man page:
---snip---
      After a dataset is attached to a jail and the jailed property is set, a
      jailed file system cannot be mounted outside the jail, since the jail
      administrator might have set the mount point to an unacceptable value.
---snip---

So yes, it is expected that it "vanishes", but it should be visible  
from the parent host at the place inside the jail FS subtree were it  
is mounted there (after setting the mountpoint of the dataset).

> and so on. I have to change jail.conf and comment out mount.devfs  
> and mount.procfs -- but than in turn makes /dev/zfs unavaulable and  
> I cannot do anything from inside the jail.

Could it be that you try to attribute the root of the jail as a  
dataset into the jail?

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20161216/8b1a9905/attachment.sig>

More information about the freebsd-jail mailing list