ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Alexander Leidinger Alexander at leidinger.net
Mon Dec 19 19:54:35 UTC 2016


Quoting Miroslav Lachman <000.fbsd at quip.cz> (from Mon, 19 Dec 2016  
18:57:39 +0100):

> Alexander Leidinger wrote on 2016/12/19 17:56:
>>
>> Quoting Miroslav Lachman <000.fbsd at quip.cz> (from Sun, 18 Dec 2016
>> 13:20:31 +0100):
>>> Alexander Leidinger wrote on 2016/12/17 19:59:
>>>> Quoting SK <fbstable at cps-intl.org> (from Fri, 16 Dec 2016 14:02:20
>
>>>> Correct.
>>>>
>>>> You need the data in the root of the jail to boot, if you then attribute
>>>> this dataset to the jail, it will vanish until "zfs mount -a" is run (rc
>>>> script inside the jail). As it will vanish during the boot of the jail
>>>> (if added automatically), the rc script to mount all datasets can not be
>>>> found.
>>>
>>> [...]
>>>
>>>>> I think what you are trying to tell here is, unless and until that
>>>>> "vanished" dataset is put to use (mounted) from inside the jail, it
>>>>> will remain vanished/unusable from the host itself; however, once that
>>>>> dataset is put to use, the host system should be able to "see" and
>>>>> maybe even work on that dataset. Could you please confirm if I
>>>>> understood you correctly?
>>>>
>>>> Correct.
>>>>
>>>> A sub-dataset which is not needed to boot, or a dataset not within the
>>>> subtree of the jail (and not needed to boot) can be used.
>>>
>>> Thank you for this information! If it is somewhere in the docs it is
>>> well hidden to me :)
>>
>> I don't expect it to be in the docs. I try to come up with something for
>> the man page for zfs (for the "attach to jail" part), but anyone shall
>> feel free to beat me with this.
>>
>> Anyone with an idea where in the jail man page we should add something
>> too (I only had a look at the zfs man page when this issue came up)?
>
> It would be nice to have this mentioned in zfs(8) man page (that  
> user in jail cannot manage jail's root dataset but can manage some  
> sub-dataset not required to boot the jail)

What about this? Better wording welcome.
---snip---
Index: zfs.8
===================================================================
--- zfs.8       (Revision 298108)
+++ zfs.8       (Arbeitskopie)
@@ -450,8 +450,11 @@
  dataset can be attached to a jail by using the
  .Qq Nm Cm jail
  subcommand. You cannot attach a dataset to one jail and the children of the
-same dataset to another jails. To allow management of the dataset from within
-a jail, the
+same dataset to another jails. You can also not attach the root file system
+of the jail or any dataset which needs to be mounted before the zfs rc script
+is run inside the jail, as it would be attached unmounted until it is
+mounted from the rc script inside the jail. To allow management of the
+dataset from within a jail, the
  .Sy jailed
  property has to be set and the jail needs access to the
  .Pa /dev/zfs
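Review bot: the added sentence says such a dataset "would be attached unmounted until it is mounted from the rc script inside the jail", but it does not state the consequence for the reader. As described earlier in this thread, the dataset vanishes while the jail boots, so the rc script that would mount it cannot be found. Suggest saying that outright, and adding that a sub-dataset not needed to boot the jail can still be attached. Wording: "You can also not attach" reads better as "You also cannot attach", and since the line "same dataset to another jails." is being touched anyway, "another jails" could be corrected to "another jail" in the same change.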
---snip---

> And there can be some useful example in jail(8) man page in  
> EXAMPLES. There is section "Jails and File Systems" and there can be  
> new section "Manage ZFS from within jail" with basic notes about  
> required jail params, zfs set jailed property and example  
> "hierarchy". (and warning about gotchas with jailed=0 on jail's root  
> directory)

Are you willing to come up with some text-only version/draft/outline  
for this one?

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
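
Added example, not part of the original message or of FreeBSD: a host-side pre-flight check for the rule discussed above (do not attach the jail's root file system or anything the jail needs before its zfs rc script runs). The BOOT_DIRS list, the pool name, the jail name and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run on the host before "zfs jail".
# Assumption: directories a jail needs before its own zfs rc script runs.
# This list is illustrative; extend it for your jails.
BOOT_DIRS="/bin /sbin /lib /libexec /etc"

# Strip trailing slashes, keeping "/" itself.
norm() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# check_attach JAIL_ROOT DATASET_MOUNTPOINT
# Prints a verdict; returns 0 (ok), 1 (refuse) or 2 (review by hand).
check_attach() {
    root=$(norm "$1")
    mp=$(norm "$2")
    if [ "$mp" = "$root" ]; then
        echo "refuse: jail root file system"
        return 1
    fi
    case "$mp" in
        "$root"/*) rel=${mp#"$root"} ;;
        *) echo "ok: outside the jail subtree"; return 0 ;;
    esac
    for d in $BOOT_DIRS; do
        case "$rel" in
            "$d")   echo "refuse: $d is needed to boot the jail"; return 1 ;;
            "$d"/*) echo "review: below $d, may be needed before zfs mount -a"; return 2 ;;
        esac
    done
    echo "ok: sub-dataset not needed to boot"
    return 0
}

# Usage on the host (hypothetical pool, jail name and paths):
# if check_attach /jails/www /jails/www/data; then
#     zfs set jailed=on tank/jails/www/data
#     zfs jail www tank/jails/www/data
# fi
```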