jail and dedicated zfs dataset
David Christensen
dpchrist at holgerdanske.com
Wed Feb 5 06:57:06 UTC 2020
On 2020-02-04 13:44, Jacques Foucry wrote:
> Hi folks,
>
> I'm trying to create a jail (for the mail) with a dedicated zfs dataset.
>
> On the host, the dataset is tank/root/mails with /var/mail as mountpoint.
> The jailed property is on.
>
> # zfs get mountpoint tank/root/mails
> NAME PROPERTY VALUE SOURCE
> tank/root/mails mountpoint /var/mail local
>
> # zfs get jailed tank/root/mails
> NAME PROPERTY VALUE SOURCE
> tank/root/mails jailed on local
>
> I also set allow properties:
> # zfs allow tank/root/mails
> ---- Permissions on tank/root/mails ----------------------------------
> Local+Descendent permissions:
> user root mount
> group wheel create,destroy,mount,snapshot
>
>
> My /etc/jail.conf¹ definition for the dataset is:
>
> exec.poststart = "/sbin/zfs jail mail tank/root/mails";
> exec.poststart += "zfs mount -a";
> exec.stop = "/sbin/zfs unjail mail tank/root/mails";
> persist=true;
> mount.fstab="/etc/fstab.${name}";
>
> On the guest, things seem good:
>
> # zfs allow tank/root/mails
> ---- Permissions on tank/root/mails ----------------------------------
> Local+Descendent permissions:
> user root mount
> group wheel create,destroy,mount,snapshot
>
> # zfs list
> NAME USED AVAIL REFER MOUNTPOINT
> tank 42.2G 6.92T 88K legacy
> tank/root 36.7G 6.92T 3.60G legacy
> tank/root/mails 200K 6.92T 88K /var/mail
>
> But the dataset is not mounted:
>
> # df -h /var/mail
> Filesystem Size Used Avail Capacity Mounted on
> tank/root/jails/mail 6.9T 2.9G 6.9T 0% /
>
> And mounting by hand failed:
> # zfs mount -a
> cannot mount 'tank/root/mails': Insufficient privileges
>
> What could be wrong? The /var/mail mount point permissions? The host /var/mail
> permissions (that should not be used)? Something in zfs allow?
>
>
> ¹ I know there is the old ezjail or iocage, but I'm more comfortable with the
> system way.
>
>
> Thanks for your help if you can.
I have a SOHO LAN with a FreeBSD server and jails for CVS and Samba. I
(mostly) followed along with Chapter 22 of Lucas AF3E [1]:
2020-02-04 22:30:15 toor at soho ~
# freebsd-version
12.1-RELEASE-p1
2020-02-04 22:30:23 toor at soho ~
# uname -a
FreeBSD soho.tracy.holgerdanske.com 12.1-RELEASE-p1 FreeBSD
12.1-RELEASE-p1 GENERIC amd64
I created a top-level ZFS dataset in my root pool for jails. I then
created a dataset for each jail. I did not modify any of the ZFS
properties:
2020-02-04 22:30:25 toor at soho ~
# zfs list -r soho_zroot/jail
NAME USED AVAIL REFER MOUNTPOINT
soho_zroot/jail 2.81G 6.40G 132K /jail
soho_zroot/jail/cvs 1.09G 6.40G 1016M /jail/cvs
soho_zroot/jail/samba 1.72G 6.40G 1.60G /jail/samba
The bulk CVS and the Samba data are in separate datasets in another pool:
2020-02-04 22:35:34 toor at soho ~
# zfs list | egrep 'p1/ds2/(cvs|samba) '
p1/ds2/cvs 469M 1.71T 88K /jail/cvs/var/local/cvs
p1/ds2/samba 921G 1.71T 96K /jail/samba/var/local/samba
Each has its mountpoint property set inside the corresponding jail:
2020-02-04 22:35:40 toor at soho ~
# zfs get mountpoint p1/ds2/cvs p1/ds2/samba
NAME PROPERTY VALUE SOURCE
p1/ds2/cvs mountpoint /jail/cvs/var/local/cvs received
p1/ds2/samba mountpoint /jail/samba/var/local/samba received
Here is my jail configuration file:
2020-02-04 22:32:41 toor at soho ~
# cat /etc/jail.conf
$j="/jail";
path="$j/$name";
host.hostname="$name.tracy.holgerdanske.com";
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
mount.devfs;
cvs {
ip4.addr="192.168.5.23";
}
samba {
ip4.addr="192.168.5.24";
}
I tried ezjail(7) and discovered that it is unsupported.
Lucas covers iocage(8) in FMJAIL [2], but my needs are simple and I too
prefer basic system tools.
David
[1] https://mwl.io/nonfiction/os#af3e
[2] https://mwl.io/nonfiction/os#fmjail
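A pre-flight check for the delegated-dataset setup discussed in this thread, as an added example that is code from neither poster: it tests the conditions zfs-jail(8) and jail(8) state for `zfs jail` to work (dataset jailed=on with a real mountpoint; jail with allow.mount=1, allow.mount.zfs=1 and enforce_statfs below 2), which are exactly the privileges a jail lacks when `zfs mount` reports "Insufficient privileges". The `--live` flag, the script name and the sample values are assumptions; the checks read command output as text so they can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check before "zfs jail JAIL DATASET" (added example, not from the
# original post). Conditions per zfs-jail(8)/jail(8): dataset jailed=on with a
# real mountpoint; jail with allow.mount=1, allow.mount.zfs=1, enforce_statfs<2.
# Both checks take raw command output as text so they run offline on samples.

# ds_ok "$(zfs get -H -o property,value jailed,mountpoint DATASET)"
ds_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "jailed"     { jailed = $2 }
        $1 == "mountpoint" { mp = $2 }
        END {
            rc = 0
            if (jailed != "on") { print "dataset: jailed=" jailed ", need on"; rc = 1 }
            if (mp == "" || mp == "legacy" || mp == "none") {
                print "dataset: mountpoint=" mp ", need a path"; rc = 1
            }
            exit rc
        }'
}

# jail_ok "$(jls -j JAILNAME allow.mount allow.mount.zfs enforce_statfs)"
jail_ok() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        rc = 0
        if ($1 != "1") { print "jail: allow.mount=" $1 ", need 1"; rc = 1 }
        if ($2 != "1") { print "jail: allow.mount.zfs=" $2 ", need 1"; rc = 1 }
        if ($3 == "" || $3 + 0 >= 2) { print "jail: enforce_statfs=" $3 ", need < 2"; rc = 1 }
        exit rc
    }
    END { if (NR == 0) { print "jail: no output from jls"; exit 1 } }'
}

# Constructed samples standing in for the live commands. SAMPLE_DS mirrors the
# dataset in the question (jailed=on, /var/mail); SAMPLE_JAIL_BAD is a jail
# without mount privileges, which alone yields "Insufficient privileges".
SAMPLE_DS="$(printf 'jailed\ton\nmountpoint\t/var/mail')"
SAMPLE_JAIL_BAD='0 0 2'
SAMPLE_JAIL_GOOD='1 1 1'

# Live use on the host (hypothetical invocation): sh check.sh --live mail tank/root/mails
if [ "${1:-}" = "--live" ]; then
    ds_ok "$(zfs get -H -o property,value jailed,mountpoint "$3")" &&
        jail_ok "$(jls -j "$2" allow.mount allow.mount.zfs enforce_statfs)"
fi
```

With the constructed samples the dataset side passes and the jail side fails, which matches the symptom in the question: the dataset looks fine from inside the jail, but the jail itself has not been granted the mount privileges.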