Date: Fri, 09 Dec 2016 17:49:47 +0100
From: Alexander Leidinger <Alexander@leidinger.net>
To: SK <fbstable@cps-intl.org>
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail <freebsd-jail@freebsd.org>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
Message-ID: <20161209174947.Horde.SMh4Zhj9PxpBbaA71NIfgFO@webmail.leidinger.net>
In-Reply-To: <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org>
References: <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org>
This message is in MIME format and has been PGP signed.

Quoting SK <fbstable@cps-intl.org> (from Thu, 8 Dec 2016 19:13:15 +0000):

> @Alexander : I checked out your link. It is interesting, but you are
> using ezjail which I am trying to avoid. I have nothing against it,
> but I think making it work without too many additional layers of
> obfuscation will help me learn it better. So, thanks again, and
> sorry I cannot use that solution right now.

My comment was targeted to the devfs rule to unhide /dev/zfs (and as I
see this is what you did), this is independent from the context (plain
jail, ezjail, iocage, ...).

> Current status
>
> the main system (host) has gT as the pool/dataset, where the root is
> mounted. I have created two more datasets
> # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
>
>
> Initially they were not visible from within the jail, but as I ran
> zfs jail testJail gT/JailS/testJail
> they were visible from inside.

This means it works, else you would be able to see anything.

> HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
> root@testJail:/ # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
> root@testJail:/ # zfs snapshot gT/JailS/testJail@test
> *cannot create snapshots : permission denied*
> root@testJail:/ # zfs create gT/JailS/testJail/test
> *cannot create 'gT/JailS/testJail/test': permission denied*
> root@testJail:/ # exit

Hmmm.... no immediate idea for that one... I definitely am able to
snapshot inside my jails.

Apart from the <jail>:rc.conf:zfs_enable="YES" which you already got
told about... wait, have you increased the security level ("sysctl
kern.securelevel") of the host?

> Even after the jail was able to see the dataset, the following
> sysctl was still zero
> security.jail.mount_zfs_allowed: 0

I think this is needed if you want to import a pool (zpool import)
from a device (which is made visible in the devfs) or file.

> I changed it to one, but that didn't seem to have the desired effect
> (should I have restarted?)

A restart of the jail may be needed to have this setting take effect,
but not the host.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
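
The settings this message asks about (/dev/zfs visible in the jail, zfs_enable in the jail's rc.conf, security.jail.mount_zfs_allowed, and the host's kern.securelevel) can be checked in one pass. The script below is an added example, not part of the original e-mail: the function names collect_state and evaluate_state and the finding texts are hypothetical, it assumes the sysctl is read inside the jail, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and finding texts are
# hypothetical; assumes the sysctl is read inside the jail.

# Run as root on the FreeBSD host to gather the state (not called here).
collect_state() {
    sysctl kern.securelevel
    jexec "$1" sysctl security.jail.mount_zfs_allowed
    jexec "$1" sysrc zfs_enable   # prints "zfs_enable: YES" or "zfs_enable: NO"
    jexec "$1" ls /dev/zfs        # prints "/dev/zfs" when the devfs rule unhides it
}

# Read that output on stdin; print one line per setting worth revisiting.
evaluate_state() {
    dev_zfs=no; zfs_enable=unset; mount_allowed=unset; securelevel=unset
    while IFS= read -r line; do
        case "$line" in
            /dev/zfs) dev_zfs=yes ;;
            "zfs_enable: "*) zfs_enable=${line#*: } ;;
            "security.jail.mount_zfs_allowed: "*) mount_allowed=${line#*: } ;;
            "kern.securelevel: "*) securelevel=${line#*: } ;;
        esac
    done
    [ "$dev_zfs" = yes ] || echo "devfs: /dev/zfs is not visible in the jail"
    case "$zfs_enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "rc.conf: zfs_enable is $zfs_enable in the jail" ;;
    esac
    [ "$mount_allowed" = 1 ] ||
        echo "sysctl: security.jail.mount_zfs_allowed is $mount_allowed (jail restart may be needed after a change)"
    case "$securelevel" in
        -1|0|unset) ;;
        *) echo "host: kern.securelevel is raised to $securelevel" ;;
    esac
    return 0
}

# Constructed sample modelled on the thread: /dev/zfs visible, sysctl still 0.
SAMPLE='kern.securelevel: -1
security.jail.mount_zfs_allowed: 0
zfs_enable: NO
/dev/zfs'
printf '%s\n' "$SAMPLE" | evaluate_state
```

On a real host, pipe `collect_state testJail` into `evaluate_state` instead of the sample.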