Date:      Tue, 22 Jan 2019 11:39:57 +0100
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        "Michael W. Lucas" <mwlucas@michaelwlucas.com>, jail@freebsd.org
Subject:   Re: delegating ZFS of jail's root directory
Message-ID:  <946528bf-f9a9-724f-b4c0-1a734800d16d@digiware.nl>
In-Reply-To: <20190121164242.GB91955@mail.michaelwlucas.com>
References:  <20190121164242.GB91955@mail.michaelwlucas.com>

On 21-1-2019 17:42, Michael W. Lucas wrote:
> Hi,
> 
> Two more book research questions, sorry. If the answer is "it doesn't
> work that way," cool, I'll document and move on. It looks like ZFS
> delegation isn't widely used.
> 
> 1) It seems I can successfully delegate managing ZFS datasets to a jail,
> sort of. A restart removes my ability to destroy and rename datasets I
> created, though.
> 
> 2) I can't delegate the jail's root to the jail. Obvious question: CAN
> you delegate a jail's root dataset, or am I chasing an impossibility
> here?
> 
> Details:
> 
> Real hardware, running yesterday's -current:
> 
> FreeBSD storm 13.0-CURRENT FreeBSD 13.0-CURRENT r343219 GENERIC  amd64
> 
> 
> Here's my jail.conf.
> 
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
> 
> filedump {
>    host.hostname="filedump.mwl.io";
>    ip4.addr="203.0.113.224";
>    path="/jail/filedump/zroot";
>    persist=true;
>    mount.devfs=true;
>    allow.mount=true;
>    allow.mount.zfs=true;
>    enforce_statfs=1;
>    exec.poststart="/sbin/zfs jail filedump jail/filedump/zroot";
>    exec.poststop="/sbin/zfs unjail filedump jail/filedump/zroot";
> }
> 
> /jail/filedump/zroot contains FreeBSD 12.0 base.tgz extract.
> 
> # ls /jail/filedump/zroot/
> .cshrc          dev             media           root            var
> .profile        etc             mnt             sbin
> COPYRIGHT       jail            net             sys
> bin             lib             proc            tmp
> boot            libexec         rescue          usr
> 
> Initial ZFS "jailed" parameter:
> 
> # zfs get -r jailed jail/filedump
> NAME                          PROPERTY  VALUE   SOURCE
> jail/filedump                 jailed    off     default
> jail/filedump/zroot           jailed    off     default
> jail/filedump/zroot/cdr       jailed    on      local
> jail/filedump/zroot/home      jailed    on      local
> jail/filedump/zroot/home/mwl  jailed    on      inherited from jail/filedump/zroot/home
> 
> 
> Running "service jail start filedump" gives me a working jail. I can
> create and destroy datasets.
> 
> root@filedump:~ # zfs create jail/filedump/zroot/home/abc
> root@filedump:~ # zfs destroy jail/filedump/zroot/home/abc
> 
> Gonna recreate that dataset for testing purposes:
> 
> root@filedump:~ # zfs create jail/filedump/zroot/home/abc
> 
> Now back to the host, restart the jail, and:
> 
> root@filedump:~ # zfs destroy jail/filedump/zroot/home/abc
> cannot unmount '/jail/filedump/zroot/home/abc': Operation not permitted
> 
> I created this dataset within the jail, and can manage it only so long
> as it's the same jail instance. A restart wrecks my ability to manage
> the dataset.
> 
> 
> 
> Second problem:
> 
> I would also like to delegate management of the jail's root fileset,
> so on the host I run:
> 
> # zfs set jailed=on jail/filedump/zroot
> # service jail start filedump
> Starting jails: cannot start jail  "filedump":
> jail: filedump: mount.devfs: /jail/filedump/zroot/dev: No such file or directory
> .
> 
> Which--of course, the root dir isn't mounted, so /dev can't be mounted.
> 
> 
> I'm vaguely confident I've heard of people delegating management of
> the root dataset to the jail, though I can't find it. Am I
> misremembering?

Hi Michael,

I think I asked that question some time ago, to be able to run a
ceph-setup script in a jail....

The basic answer was that the jail needs to have access to /dev/zfs in 
the jail to be effectively controlling zfs. But then I think you 
delegate the whole set of zfs capabilities to the jail.

Which in my case was not a problem. But if you want to use a jail as 
separation of control, then this will be way too liberal.

There is a set of configs for devfs in /etc. See `man -k devfs`.
But I've not used this in the end.

--WjW
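
An added example, not part of the original message or of FreeBSD itself: a small Python audit of a jail.conf that reports which jails have `allow.mount.zfs` set, whether it can take effect, and which datasets are attached with `zfs jail`, as a way to review the separation-of-control concern raised above. The `web` jail, the function names and the simplified parser (no `+=`, wildcard blocks or `no`-prefixed booleans) are assumptions.

```python
import re
# Constructed input: the thread's jail.conf (trimmed) plus a hypothetical "web" jail.
SAMPLE = '''
exec.start="sh /etc/rc";
filedump {
   allow.mount=true;
   allow.mount.zfs=true;
   enforce_statfs=1;
   exec.poststart="/sbin/zfs jail filedump jail/filedump/zroot";
   exec.poststop="/sbin/zfs unjail filedump jail/filedump/zroot";
}
web {  # hypothetical jail
   allow.mount.zfs;  /* set, but no allow.mount and enforce_statfs left at 2 */
}
'''

# Comments, double-quoted strings, punctuation, bare words (simplified jail.conf lexer).
TOKEN = re.compile(r'/\*.*?\*/|#[^\n]*|//[^\n]*|"(?:\\.|[^"\\])*"|[{};]|[^\s{};"#]+', re.S)

def parse_jail_conf(text):
    """Return {jail: {param: value}}; globals seen before a block are copied into it."""
    jails, glob, cur, stmt = {}, {}, None, ""
    for tok in TOKEN.findall(text):
        if tok == "{":                                # stmt holds the jail name
            cur, stmt = jails.setdefault(stmt, dict(glob)), ""
        elif tok == "}":
            cur, stmt = None, ""
        elif tok == ";":                              # end of "name=value" or bare "name"
            name, _, value = stmt.partition("=")
            (glob if cur is None else cur)[name] = value.strip('"') or "true"
            stmt = ""
        elif not tok.startswith(("/*", "#", "//")):   # skip comments, collect the rest
            stmt += tok
    return jails

def zfs_delegation_report(text):
    """Per jail: is allow.mount.zfs set, can it take effect, which datasets are attached."""
    report = {}
    for jail, p in parse_jail_conf(text).items():
        zfs = p.get("allow.mount.zfs") == "true"
        hooks = " ".join(v for k, v in p.items() if k.startswith("exec."))
        report[jail] = {
            "allow_mount_zfs": zfs,
            # jail(8): only effective together with allow.mount and enforce_statfs < 2
            "mount_effective": zfs and p.get("allow.mount") == "true"
                               and int(p.get("enforce_statfs", "2")) < 2,
            "datasets": re.findall(r"\bzfs\s+jail\s+\S+\s+(\S+)", hooks),
        }
    return report
```
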