ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Alexander Leidinger Alexander at leidinger.net
Sat Dec 17 19:00:20 UTC 2016


Quoting SK <fbstable at cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +0000):

> On 16/12/2016 13:15, Alexander Leidinger wrote:

>> For one of the filesystems I have set "zfs allow" permissions, but  
>> just so that a specific user in the jail can do something on those FS  
>> without the need to switch to root. So as long as you try to do a  
>> zfs create/snapshot with a user with UID 0 inside the jail, the  
>> "zfs allow" part doesn't come into play.
>>
>> So assume space/jails/xyz.leidinger.net/ to be the dataset which  
>> contains the root of the jail but is not attached/attributed to the  
>> jail itself. space/jails/xyz.leidinger.net/data with  
>> mountpoint=none to be attributed ("zfs jail xyz  
>> space/jails/xyz.leidinger.net/data") to the jail (similar to the  
>> "space/something" in the ezjail config above, I have some  
>> iocage-managed jails where this works). In this case you should be  
>> able to do from inside the jail "zfs create -o mountpoint=/mnt  
>> space/jails/xyz.leidinger.net/data/test".
>>
> hmmm, I'm slightly confused at this point. Let me see if I can  
> clarify that in my brain
>
> If I understand you correctly, what you are suggesting is, the  
> dataset used by the jail itself for its root/base cannot be "worked  
> on" from within the jail, but if I define a different dataset (under  
> the same branch below the jail dataset), and attribute it to the  
> jail, then I can manipulate that "other" dataset. Could you please  
> confirm if I understood it correctly?

Correct.

You need the data in the root of the jail to boot; if you then  
attribute this dataset to the jail, it will vanish until "zfs mount  
-a" is run (rc script inside the jail). As it will vanish during the  
boot of the jail (if added automatically), the rc script to mount all  
datasets cannot be found.

>>> And now to everyone, I am still confused about zfs set jailed=on.  
>>> As I mentioned on my previous emails, as soon as I do that, the  
>>> dataset vanishes from the host system (as I understand, that is  
>>> expected behaviour). Then the jail fails as it is unable to mount  
>>> /dev, /proc
>>
>> From the zfs man page:
>> ---snip---
>>     After a dataset is attached to a jail and the jailed property is set, a
>>     jailed file system cannot be mounted outside the jail, since the jail
>>     administrator might have set the mount point to an unacceptable value.
>> ---snip---
>>
>> So yes, it is expected that it "vanishes", but it should be visible  
>> from the parent host at the place inside the jail FS subtree where  
>> it is mounted there (after setting the mountpoint of the dataset).
>>
> I think what you are trying to tell here is, unless and until that  
> "vanished" dataset is put to use (mounted) from inside the jail, it  
> will remain vanished/unusable from the host itself; however, once  
> that dataset is put to use, the host system should be able to "see"  
> and maybe even work on that dataset. Could you please confirm if I  
> understood you correctly?

Correct.

A sub-dataset which is not needed to boot, or a dataset not within the  
subtree of the jail (and not needed to boot) can be used.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
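The procedure the thread converges on (keep the jail's root dataset on the host, delegate only a sub-dataset with mountpoint=none, set jailed=on, attach it with "zfs jail", then create children from inside the jail) as an added shell example. This is not code from the thread or from FreeBSD; the dataset and jail names follow the thread, while the helper names (plan_jail_dataset, plan_jail_child, run_cmd) and the JAIL_ZFS_RUN switch are this script's own assumptions. By default it only prints the commands, so it can be read anywhere; on a FreeBSD host with the jail already running, JAIL_ZFS_RUN=1 executes them. The guard refuses exactly the mistake discussed above: jailing the dataset that holds the jail's root, which would vanish from the host before the jail's rc script could run "zfs mount -a".

```shell
#!/bin/sh
# Added example, not code from the thread. Host-side steps to delegate a ZFS
# sub-dataset to a jail, refusing to delegate the dataset that holds the
# jail's root. Helper names and JAIL_ZFS_RUN are this script's own; dataset and
# jail names follow the thread (space/jails/xyz.leidinger.net, jail "xyz").

# Print the command, or run it when JAIL_ZFS_RUN=1 (FreeBSD host, jail running).
run_cmd() {
    if [ "${JAIL_ZFS_RUN:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# usage: plan_jail_dataset <jailname> <jail-root-dataset> <dataset-to-delegate>
# Emits the host-side commands. Returns 1 and emits nothing if the request
# would delegate the dataset holding the jail's root, or an ancestor of it:
# a jailed dataset cannot be mounted from the host, so the jail's root would
# disappear before the rc script that runs "zfs mount -a" could be found.
plan_jail_dataset() {
    jail=$1; root=$2; ds=$3
    case "$root" in
        "$ds"|"$ds"/*)
            echo "refusing: $ds holds the jail root $root, which is needed to boot it" >&2
            return 1 ;;
    esac
    # mountpoint=none on the host: the jail administrator picks the mountpoint.
    run_cmd zfs create -o mountpoint=none "$ds"
    # jailed=on marks the dataset as jail-managed (it vanishes from the host);
    # "zfs jail" attaches it to the running jail. Per zfs(8) the jail also needs
    # allow.mount, allow.mount.zfs and enforce_statfs below 2 (not shown here).
    run_cmd zfs set jailed=on "$ds"
    run_cmd zfs jail "$jail" "$ds"
}

# usage: plan_jail_child <jailname> <delegated-dataset> <child> <mountpoint-in-jail>
# The step the thread shows being run from inside the jail; jexec runs it there.
plan_jail_child() {
    run_cmd jexec "$1" zfs create -o mountpoint="$4" "$2/$3"
}

# Stand-alone use:
#   ./jail-zfs.sh xyz space/jails/xyz.leidinger.net space/jails/xyz.leidinger.net/data
if [ $# -eq 3 ]; then
    plan_jail_dataset "$1" "$2" "$3" && plan_jail_child "$1" "$3" test /mnt
fi
```

A dataset outside the jail's subtree (the "space/something" style from the ezjail setup mentioned earlier in the thread) passes the guard as well; only the root dataset and its ancestors are rejected.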