From: Ruben van Staveren <ruben@verweg.com>
Subject: mounting fdescfs in a nested/hierarchical jail?
Date: Mon, 18 Aug 2014 14:26:09 +0200
To: "freebsd-stable@FreeBSD.org Stable" <freebsd-stable@freebsd.org>
List-Id: Production branch of FreeBSD source code

Hi list,

I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.

However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.

There is no allow.mount.fdescfs. Do we need one?

Cheers,
Ruben

ruben@test:~ % sudo ezjail-admin onestart nested1
Starting jails: cannot start jail "nested1":
mount: .: Operation not permitted
jail: nested1: /sbin/mount -t fdescfs . /opt/jails/nested1/dev/fd: failed
. /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider to migrate to /etc/jail.conf.
Error: Could not onestart nested1. You need to onestart it by hand.
ruben@test:~ % sysctl -a | egrep jail\|mount | grep -v param
vfs.usermount: 0
vfs.ffs.compute_summary_at_mount: 0
debug.softdep.softdep_mounts: 0
security.jail.jailed: 1
security.jail.vnet: 0
security.jail.jail_max_af_ips: 255
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1
security.jail.devfs_ruleset: 4

ruben@test:~ % sudo /sbin/mount -vt devfs . /opt/jails/nested1/dev/
devfs on /opt/jails/nested1/dev (devfs)

ruben@test:~ % sudo /sbin/mount -vt fdescfs . /opt/jails/nested1/dev/fd/
mount: .: Operation not permitted
devfs on /opt/jails/nested1/dev (devfs)
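The sysctl listing above is the whole story of why the fdescfs mount fails: the jail has security.jail.mount_allowed=1 plus a per-filesystem security.jail.mount_<type>_allowed knob for devfs, nullfs, procfs, tmpfs and zfs, and none for fdescfs. The script below is an added diagnostic example, not part of the post and not ezjail or FreeBSD code. It reads the security.jail.* lines from the listing (embedded here as a constructed sample rather than read from a live jail) and, for a given filesystem type, reports whether the jail's mount permissions would let `mount -t <type>` succeed. The function names (`sysctl_val`, `jail_mount_allowed`, `explain_mount`) are this example's own, and it assumes, as the failed mount in the post suggests, that a filesystem type with no per-type knob is not mountable from inside the jail.

```shell
#!/bin/sh
# Constructed sample: the security.jail.* lines from the post's sysctl output.
# On a live jail this would be: sysctl security.jail
SAMPLE_SYSCTL='security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1'

# sysctl_val KEY: print the value of KEY from $SAMPLE_SYSCTL, or nothing if absent.
sysctl_val() {
    printf '%s\n' "$SAMPLE_SYSCTL" | awk -v k="$1:" '$1 == k { print $2 }'
}

# jail_mount_allowed FSTYPE: return 0 if the jail's sysctls permit
# "mount -t FSTYPE", 1 otherwise. Assumption (matches the post): a type
# without its own security.jail.mount_<type>_allowed knob is treated as
# not mountable, the same as a knob set to 0.
jail_mount_allowed() {
    fstype=$1
    # Global mount permission must be on before any per-type knob matters.
    [ "$(sysctl_val security.jail.mount_allowed)" = "1" ] || return 1
    v=$(sysctl_val "security.jail.mount_${fstype}_allowed")
    [ "$v" = "1" ]
}

# explain_mount FSTYPE: print a one-line verdict distinguishing "knob off"
# from "no knob exists", since the fix differs (flip the flag vs. no flag to flip).
explain_mount() {
    if jail_mount_allowed "$1"; then
        echo "$1: allowed by security.jail.mount_${1}_allowed"
    elif [ -z "$(sysctl_val "security.jail.mount_${1}_allowed")" ]; then
        echo "$1: no security.jail.mount_${1}_allowed knob in this jail; mount will fail"
    else
        echo "$1: disabled (security.jail.mount_${1}_allowed=0)"
    fi
}

# Check the three cases visible in the post: devfs (works), fdescfs (no knob),
# tmpfs (knob present but off).
for fs in devfs fdescfs tmpfs; do
    explain_mount "$fs"
done
```

Run inside the jail with the sample replaced by `sysctl security.jail` output; a "no knob" verdict means the mount will be refused regardless of what the parent jail's jail.conf allows, which is the situation the post describes for fdescfs.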