Arthur Chance freebsd at
Wed Mar 15 08:19:44 UTC 2017

On 14/03/2017 20:59, James B. Byrne via freebsd-questions wrote:
> On Tue, March 14, 2017 16:01, Dean E. Weimer wrote:
>> Look at man jail, search for mount.fstab, that's probably what you
>> need.
>> I use it for mounting nullfs file systems to my jails, haven't tried
>> with these special file systems though.
> I read the man page which is why I first looked in the ezjail
> configuration file for this particular jail to see if the ability to
> mount these special file-systems was enabled. It appeared to be.  I
> then updated the /etc/fstab.jailname file to have the desired
> entries:
> # cat /etc/fstab.hllidempiere
> /usr/jails/basejail /usr/jails/hllidempiere/basejail nullfs ro 0 0
> fdesc   /dev/fd         fdescfs         rw      0       0
> proc    /proc           procfs          rw      0       0
> However, when I start the jail, log on to it, and perform a mount
> command this is all I see:
> # mount
> zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
> Thus my question.

If your jail.conf has "enforce_statfs = 2" in it the jail can't report
any mounts other than its root. You should be able to see all mounts
from the host. The best test when in the jail is whether you can see
/proc or not. If so, the jail system is doing its job of mounting the
extra filesystems *before* the jail starts, which means you can safely
prevent the jail from doing mounts itself, improving security. The only
reason for having /etc/fstab in the jail is to stop the rc scripts
complaining about it being missing, and an empty file is sufficient for

Note that looking for /dev/fd isn't quite the same. devd provides a
vestigial /dev/fd itself, containing just 0, 1 & 2 (i.e. stdin, stdout &
stderr). If fdesc is mounted you might see other file descriptors
depending on what your shell has open.

