ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

SK fbstable at cps-intl.org
Fri Dec 16 14:41:02 UTC 2016 

On 16/12/2016 13:15, Alexander Leidinger wrote:
> Quoting SK <fbstable at cps-intl.org> (from Mon, 12 Dec 2016 17:13:27 
> +0000):
>
>> b) Alexander, I am still not able to do snapshot or any other action 
>> from within my jail. My understanding is that you are using ezjail, 
>> which might be doing something that my regular jail creation is 
>> ommitting. If you do not mind sharing your configuration steps, I can 
>> try to reproduce it at this end. If it is exactly as it is on the 
>> site you pointed to earlier, please let me know, I will follow that 
>> verbatim (even though I do not remember seeing anything there that I 
>> have not tried already, but I might be mistaken).
>
> Do you use quotas on the datasets you want to add to the jail? If yes, 
> try without. The man-page of zfs tells that this value can not be 
> changed (but from the wording I would expect hat an already set value 
> should work).
>
Hi Alexander, short answer, NO, I have not used quota yet

> ezjail is just a shell script which simplifies some things with jails. 
> For a particular jail where I can manage the datasets which are handed 
> over to the jail I have those settings in ezjail which correspond to 
> the settings you can specify in jail.conf:
> ---snip---
> export jail_xyz_leidinger_net_devfs_ruleset="17"
> export jail_xyz_leidinger_net_zfs_datasets="space/something"
> export jail_xyz_leidinger_net_parameters="allow.mount allow.mount.zfs 
> enforce_statfs=1"
> ---snip---
> Check if you have allow.mount and allow.mount.zfs for the jails in 
> question.
>
Yes, those are in place.

> Note, "space/something" is not the root of the jail, it's a seperate 
> dataset. Do not add the root of the jail as a dataset. Example bellow.
>
I think that might have been the cause for it to not work for me. I had 
space/something/jailRoot, and defined that as the dataset for the jail

> devfs.rules part:
> ---snip---
> [devfsrules_unhide_zfs=12]
> add path zfs unhide
>
> [devfsrules_jail_withzfs=17]
> add include $devfsrules_hide_all
> add include $devfsrules_unhide_basic
> add include $devfsrules_unhide_login
> add include $devfsrules_unhide_zfs
> ---snip---
>
> The rc.conf inside this jail:
> ---snip---
> zfs_enable="YES"
> ---snip---
>
These are all in place as expected.

> For one of the filesystems I have set "zfs allow" permissions, but 
> just that a specific user in the jail can do something on those FS 
> without the need to switch to root. So as long as you try to do a zfs 
> create/snapshot with an user with UID 0 inside the jail, the "zfs 
> allow" part doesn't come into play.
>
> So assume space/jails/xyz.leidinger.net/ to be the dataset which 
> contains the root of the jail but is not attached/attributed to the 
> jail itself. space/jails/xyz.leidinger.net/data with mountpoint=none 
> to be attributed ("zfs jail xyz space/jails/xyz.leidinger.net/data") 
> to the jail (similar to the "space/something" in the ezjail config 
> above, I have some iocage-managed jails were this works). In this case 
> you should be able to do from inside the jail "zfs create -o 
> mpuntpoint=/mnt space/jails/xyz.leidinger.net/data/test".
>
hmmm, I'm slightly confused at this point. Let me see if I can clarify 
that in my brain

If I understand you correctly, what you are suggesting is, the dataset 
used by the jail itself for its root/base cannot be "worked on" from 
within the jail, but if I define a different dataset (under the same 
branch below the jail dataset), and attribute it to the jail, then I can 
manipulate that "other" dataset. Could you please confirm if I 
understood it correctly?

>> And now to everyone, I am still confused about zfs set jailed=on. As 
>> I mentioned on my previous emails, as soon as I do that, the dataset 
>> vanishes from the host system (as I understand, that is expected 
>> behaviour). Then the jail fails as it is unable to mount /dev, /proc
>
> From the zfs man page:
> ---snip---
>      After a dataset is attached to a jail and the jailed property is 
> set, a
>      jailed file system cannot be mounted outside the jail, since the 
> jail
>      administrator might have set the mount point to an unacceptable 
> value.
> ---snip---
>
> So yes, it is expected that it "vanishes", but it should be visible 
> from the parent host at the place inside the jail FS subtree were it 
> is mounted there (after setting the mountpoint of the dataset).
>
I think what you are trying to tell here is, unless and until that 
"vanished" dataset is put to use (mounted) from inside the jail, it will 
remain vanished/unusable from the host itself; however, once that 
dataset is put to use, the host system should be able to "see" and maybe 
even work on that dataset. Could you please confirm if I understood you 
correctly?

>> and so on. I have to change jail.conf and comment out mount.devfs and 
>> mount.procfs -- but than in turn makes /dev/zfs unavaulable and I 
>> cannot do anything from inside the jail.
>
> Could it be that you try to attribute the root of the jail as a 
> dataset into the jail?
>
Yes, I did. But now that I have a few more slightly different 
explanation from you, once you confirm if my understanding is correct, I 
am willing to give this a try.

Thanks again for your suggestions and guidlines.

Have a lovely weekend.
SK

More information about the freebsd-jail mailing list