From: Alexander Leidinger
To: SK
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
Date: Fri, 09 Dec 2016 17:49:47 +0100
List: freebsd-jail@freebsd.org (Discussion about FreeBSD jail(8))

Quoting SK (from Thu, 8 Dec 2016 19:13:15 +0000):

> @Alexander : I checked out your link. It is interesting, but you are
> using ezjail which I am trying to avoid. I have nothing against it,
> but I think making it work without too many additional layers of
> obfuscation will help me learn it better. So, thanks again, and
> sorry I cannot use that solution right now.

My comment was targeted at the devfs rule to unhide /dev/zfs (and as I
see this is what you did); this is independent of the context (plain
jail, ezjail, iocage, ...).

> Current status
>
> The main system (host) has gT as the pool/dataset, where the root is
> mounted. I have created two more datasets:
> # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
>
> Initially they were not visible from within the jail, but as I ran
> zfs jail testJail gT/JailS/testJail
> they were visible from inside.

This means it works, else you would be able to see anything.
> HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
> root@testJail:/ # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
> root@testJail:/ # zfs snapshot gT/JailS/testJail@test
> cannot create snapshots : permission denied
> root@testJail:/ # zfs create gT/JailS/testJail/test
> cannot create 'gT/JailS/testJail/test': permission denied
> root@testJail:/ # exit

Hmmm.... no immediate idea for that one... I am definitely able to
snapshot inside my jails. Apart from the rc.conf zfs_enable="YES" which
you were already told about... wait, have you increased the security
level ("sysctl kern.securelevel") of the host?

> Even after the jail was able to see the dataset, the following
> sysctl was still zero
> security.jail.mount_zfs_allowed: 0

I think this is needed if you want to import a pool (zpool import)
from a device (which is made visible in the devfs) or file.

> I changed it to one, but that didn't seem to have the desired effect
> (should I have restarted?)

A restart of the jail may be needed to have this setting take effect,
but not the host.

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
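The host-side setup the thread circles around, written out as an added example (it is not code from the thread, from Alexander, or from the FreeBSD project): the devfs ruleset that unhides /dev/zfs, a jail.conf stanza that grants allow.mount and allow.mount.zfs (the per-jail form of the security.jail.mount_zfs_allowed default) with enforce_statfs below 2, the jailed=on property plus zfs jail on the dataset, and a checker for the jls -n output of those parameters. Jail and dataset names follow the thread (testJail, gT/JailS/testJail); the ruleset number 5, the jail path and the rc commands are assumptions.

```shell
#!/bin/sh
# Added example: delegate a ZFS dataset to a jail on the host, then verify
# that the jail parameters which gate `zfs create`/`zfs snapshot` inside the
# jail are set. Names from the thread; ruleset number and paths are assumed.

JAIL=testJail
DATASET=gT/JailS/testJail
RULESET=5   # assumption: an unused devfs ruleset number

# /etc/devfs.rules fragment: hide everything, then unhide /dev/zfs so the
# zfs(8) ioctl interface is reachable from inside the jail.
devfs_rules() {
    cat <<EOF
[devfsrules_jail_zfs=$RULESET]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path zfs unhide
EOF
}

# /etc/jail.conf stanza. allow.mount.zfs only takes effect together with
# allow.mount and enforce_statfs < 2 (jail(8)); the default enforce_statfs
# is 2, which is why a jail with only the sysctl flipped still fails.
jail_conf() {
    cat <<EOF
$JAIL {
    path = "/JailS/$JAIL";
    host.hostname = "$JAIL";
    mount.devfs;
    devfs_ruleset = $RULESET;
    allow.mount;
    allow.mount.zfs;
    enforce_statfs = 1;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# After the jail is running: mark the dataset jailed and attach it. Both are
# needed before root inside the jail may manage the subtree; zfs jail has to
# be repeated whenever the jail is recreated (exec.poststart is a usual spot).
delegate() {
    zfs set jailed=on "$DATASET" &&
    zfs jail "$JAIL" "$DATASET"
}

# Check one line of `jls -n -j $JAIL allow.mount allow.mount.zfs enforce_statfs`.
# jls -n prints booleans as the bare name when true ("allow.mount") and with
# "no" inserted when false ("allow.nomount", "allow.mount.nozfs"); integers
# print as name=value. Returns 0 when the jail may mount ZFS, 1 otherwise.
jls_zfs_ok() {
    mount=0 zfsmount=0 statfs=2
    for tok in $1; do
        case $tok in
            allow.mount)      mount=1 ;;
            allow.mount.zfs)  zfsmount=1 ;;
            enforce_statfs=*) statfs=${tok#enforce_statfs=} ;;
        esac
    done
    [ "$mount" -eq 1 ] && [ "$zfsmount" -eq 1 ] && [ "$statfs" -lt 2 ]
}

# Check `zfs get -H -o value jailed $DATASET` output ("on"/"off").
dataset_jailed() {
    [ "$1" = "on" ]
}

# Usage on the host (left commented so the script is inert elsewhere):
# devfs_rules >> /etc/devfs.rules && jail_conf >> /etc/jail.conf
# service jail start "$JAIL" && delegate
# jls_zfs_ok "$(jls -n -j "$JAIL" allow.mount allow.mount.zfs enforce_statfs)" \
#     || echo "restart $JAIL after fixing jail.conf: parameters are read at creation"
# dataset_jailed "$(zfs get -H -o value jailed "$DATASET")" || echo "set jailed=on"
```

The checker encodes the point Alexander makes about restarting: jail parameters are fixed when the jail is created, so a sysctl or jail.conf change is invisible to a running jail until it is stopped and started again, while the host itself never needs a reboot.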