From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Fri, 9 Dec 2016 12:21:06 +0000
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
Message-ID: <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org>
In-Reply-To: <584A9D89.4040003@quip.cz>

On 09/12/2016 12:03, Miroslav Lachman wrote:
>
> I am not sure, maybe it is not possible to hide them when you need to
> manage zfs inside jail.
> If you can live with not managing zfs inside but from the host, then
> you can use enforce_statfs=2. Then you will see just a root dataset
> inside jail.
>
> enforce_statfs=0 ~ you will see all datasets and partitions from the host
>
> enforce_statfs=1 ~ you will see all related to this jail (parents,
> devfs etc)
>
> enforce_statfs=2 ~ only root mount is visible
>
I will try enforce_statfs=2, maybe that will give me what I need. But
still, not sure what is happening with jailed=on

>>>
>>> zfs set jailed=on gT/JailS/testJail << Did you set this property?
>> Now this is an interesting bit. I tried this, and as soon as I ran the
>> command, the dataset vanished :P
>>
>> Not only that, I could not run jail any more. Given that gT/JailS is
>> mounted on /JailS and the path parameter in jail.conf is
>> /JailS/testJail, I am not surprised that the jail did not run (it
>> initially complained about not being able to mount /dev, as it cannot
>> find /JailS/testJail/dev)
>>
>> As a workaround, I removed mount.devfs, mount.procfs (that complained
>> too), mount.fdesc (complained too), and then the jail ran
>>
>> But now that I do not have devfs, I could not do anything with zfs -- I
>> could not even see them. So, manipulation from within the jail or
>> outside the jail was no longer possible.
>
> Interesting. All documentation says jailed=on must be set.
>
Yes, I know. I checked everywhere and that seems to be the norm. But the
moment I do it, my jail no longer functions :P

>
> "Everybody" says "use ezjail" because it was the first tool to
> manipulate jails available for the masses. I tried it after I learned
> all things about jails the hard way and then I realised ezjail is
> doing strange things in some cases. I know it evolved, but if you need
> to use some tool there are some better tools (in my opinion) which
> were developed with ZFS features from the start.
> You can try iocage or cbsd. They also can manage bhyve guests.
>
I did try iocage for bhyve some time back, honestly, I did not like it
(maybe because it tried to do things on my behalf without letting me
know what it was doing). I settled for vm-bhyve instead and am quite
happy about it. cbsd I have not tried, maybe I'll give that a shot.
Still, my desire for keeping it simple and raw is preventing me from
taking any of these routes. I would very much like NOT to run any
additional package on the host/base itself. I already have screen, mc
and wget -- that is an overkill in my own personal opinion.

Let us see how it goes. If I discover something, I will post it back.

Thanks again for your support and suggestions, they had been very very
helpful.

Best regards
SK
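
Added example, not part of the original message: a small Python check over a jail.conf that reports, per jail, the enforce_statfs level with the mount visibility described in the quoted reply, and flags allow.mount.zfs combined with enforce_statfs=2, which jail(8) documents as having no effect. The sample configuration, the jail names webJail and dbJail, and the simplified parser (flat blocks, '#' comments only) are assumptions; the default level of 2 is from jail(8).

```python
import re

# Visibility per level, as described in the quoted reply above.
VISIBILITY = {
    0: "all datasets and partitions from the host",
    1: "mounts related to this jail (parents, devfs etc)",
    2: "only the root mount",
}
DEFAULT_LEVEL = 2  # jail(8) default when enforce_statfs is not set

def parse_params(body):
    """Parse 'key = value;' and bare 'key;' statements into a dict."""
    params = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        key, _, value = stmt.partition("=")
        params[key.strip()] = value.strip().strip('"') or "true"
    return params

def audit(conf_text):
    """Return {jail: (level, visibility, warnings)}; flat blocks, '#' comments only."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop '#' comments
    blocks = re.findall(r"(\w+)\s*\{([^{}]*)\}", text)
    defaults = parse_params(re.sub(r"\w+\s*\{[^{}]*\}", "", text))  # global section
    report = {}
    for name, body in blocks:
        params = {**defaults, **parse_params(body)}
        level = int(params.get("enforce_statfs", DEFAULT_LEVEL))
        warnings = []
        if level == 0:
            warnings.append("jail can see every host mount point")
        if "allow.mount.zfs" in params and level >= 2:
            warnings.append("allow.mount.zfs needs enforce_statfs below 2")
        report[name] = (level, VISIBILITY[level], warnings)
    return report

# Constructed sample; only testJail and /JailS/testJail come from the thread.
SAMPLE = """
mount.devfs;
testJail { path = "/JailS/testJail"; enforce_statfs = 2; allow.mount; allow.mount.zfs; }
webJail  { path = "/JailS/webJail";  enforce_statfs = 0; }
dbJail   { path = "/JailS/dbJail"; }
"""

if __name__ == "__main__":
    for jail, (level, sees, warnings) in audit(SAMPLE).items():
        print(f"{jail}: enforce_statfs={level}, sees {sees}; {warnings or 'ok'}")
```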