From: Alexander Leidinger
To: SK
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]
Date: Fri, 16 Dec 2016 14:15:40 +0100

Quoting SK (from Mon, 12 Dec 2016 17:13:27 +0000):

> b) Alexander, I am still not able to do snapshot or any other action from within my jail. My understanding is that you are using ezjail, which might be doing something that my regular jail creation is omitting. If you do not mind sharing your configuration steps, I can try to reproduce it at this end. If it is exactly as it is on the site you pointed to earlier, please let me know, I will follow that verbatim (even though I do not remember seeing anything there that I have not tried already, but I might be mistaken).

Do you use quotas on the datasets you want to add to the jail? If yes, try without.
The man-page of zfs tells that this value can not be changed (but from the wording I would expect that an already set value should work).

ezjail is just a shell script which simplifies some things with jails. For a particular jail where I can manage the datasets which are handed over to the jail I have those settings in ezjail which correspond to the settings you can specify in jail.conf:

---snip---
export jail_xyz_leidinger_net_devfs_ruleset="17"
export jail_xyz_leidinger_net_zfs_datasets="space/something"
export jail_xyz_leidinger_net_parameters="allow.mount allow.mount.zfs enforce_statfs=1"
---snip---

Check if you have allow.mount and allow.mount.zfs for the jails in question.

Note, "space/something" is not the root of the jail, it's a separate dataset. Do not add the root of the jail as a dataset. Example below.

devfs.rules part:
---snip---
[devfsrules_unhide_zfs=12]
add path zfs unhide

[devfsrules_jail_withzfs=17]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs
---snip---

The rc.conf inside this jail:
---snip---
zfs_enable="YES"
---snip---

For one of the filesystems I have set "zfs allow" permissions, but just that a specific user in the jail can do something on those FS without the need to switch to root. So as long as you try to do a zfs create/snapshot with a user with UID 0 inside the jail, the "zfs allow" part doesn't come into play.

So assume space/jails/xyz.leidinger.net/ to be the dataset which contains the root of the jail but is not attached/attributed to the jail itself.
space/jails/xyz.leidinger.net/data with mountpoint=none is to be attributed ("zfs jail xyz space/jails/xyz.leidinger.net/data") to the jail (similar to the "space/something" in the ezjail config above; I have some iocage-managed jails where this works). In this case you should be able to do from inside the jail "zfs create -o mountpoint=/mnt space/jails/xyz.leidinger.net/data/test".

> And now to everyone, I am still confused about zfs set jailed=on. As I mentioned on my previous emails, as soon as I do that, the dataset vanishes from the host system (as I understand, that is expected behaviour). Then the jail fails as it is unable to mount /dev, /proc

From the zfs man page:
---snip---
After a dataset is attached to a jail and the jailed property is set, a jailed file system cannot be mounted outside the jail, since the jail administrator might have set the mount point to an unacceptable value.
---snip---

So yes, it is expected that it "vanishes", but it should be visible from the parent host at the place inside the jail FS subtree where it is mounted there (after setting the mountpoint of the dataset).

> and so on. I have to change jail.conf and comment out mount.devfs and mount.procfs -- but that in turn makes /dev/zfs unavailable and I cannot do anything from inside the jail.

Could it be that you try to attribute the root of the jail as a dataset into the jail?

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
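As an added example (not part of Alexander's mail, ezjail or FreeBSD), a POSIX sh script that checks a jail.conf stanza and a devfs.rules file against the preconditions the mail lists before "zfs jail" hands a dataset over: allow.mount, allow.mount.zfs, enforce_statfs=1, a devfs ruleset that unhides /dev/zfs (resolving one level of "add include"), and a delegated dataset that is not the jail root. The function names and the sample configuration files it writes are constructed for this example.

```shell
# Added example, not part of the mail: offline check of the preconditions listed above
# before "zfs jail" delegates a dataset. Function names and sample files are constructed.
# ruleset_unhides_zfs RULES N: 0 if devfs ruleset N unhides /dev/zfs, directly or via one "add include".
ruleset_unhides_zfs() {
    awk -v n="$2" '
      /^\[/ { sub(/^\[/, ""); sub(/\]$/, ""); split($0, kv, "="); cur = kv[1]; num[cur] = kv[2]; next }
      cur != "" && /^add path zfs unhide/ { unhide[cur] = 1 }
      cur != "" && $1 == "add" && $2 == "include" { inc[cur] = inc[cur] " " substr($3, 2) }
      END { for (s in num) if (num[s] == n) { if (unhide[s]) exit 0
                m = split(inc[s], a, " "); for (i = 1; i <= m; i++) if (unhide[a[i]]) exit 0 }
            exit 1 }' "$1"
}
# check_zfs_delegation JAIL ROOT_DS DELEGATED_DS JAIL_CONF DEVFS_RULES: 0 if all hold, else 1 (reasons on stderr).
check_zfs_delegation() {
    jail=$1; root_ds=$2; ds=$3; conf=$4; rules=$5; rc=0
    # Only this jail's stanza, from "name {" up to the closing "}".
    stanza=$(awk -v j="$jail" '$1 == j && $2 == "{" { p = 1 } p { print } p && /^}/ { exit }' "$conf")
    # 1. Mounting, and ZFS mounting in particular, must be allowed in the jail.
    for p in allow.mount allow.mount.zfs; do
        printf '%s\n' "$stanza" | grep -q "^[[:space:]]*$p[[:space:]]*;" || { echo "$jail: missing $p" >&2; rc=1; }
    done
    # 2. enforce_statfs=1 so the jailed file systems are visible inside the jail.
    printf '%s\n' "$stanza" | grep -q '^[[:space:]]*enforce_statfs[[:space:]]*=[[:space:]]*"*1"*[[:space:]]*;' \
        || { echo "$jail: enforce_statfs is not 1" >&2; rc=1; }
    # 3. The devfs ruleset the jail uses must expose /dev/zfs.
    rs=$(printf '%s\n' "$stanza" | sed -n 's/^[[:space:]]*devfs_ruleset[[:space:]]*=[[:space:]]*"*\([0-9]*\)"*[[:space:]]*;.*/\1/p')
    [ -n "$rs" ] && ruleset_unhides_zfs "$rules" "$rs" \
        || { echo "$jail: devfs ruleset '$rs' does not unhide zfs" >&2; rc=1; }
    # 4. Never delegate the dataset that holds the jail root itself.
    [ "$ds" != "$root_ds" ] || { echo "$jail: $ds is the jail root" >&2; rc=1; }
    return $rc
}
# Constructed sample files mirroring the configuration quoted in the mail.
TMP=$(mktemp -d)
cat > "$TMP/jail.conf" <<'EOF'
xyz {
    devfs_ruleset = 17;
    enforce_statfs = 1;
    allow.mount;
    allow.mount.zfs;
}
EOF
cat > "$TMP/devfs.rules" <<'EOF'
[devfsrules_unhide_zfs=12]
add path zfs unhide
[devfsrules_jail_withzfs=17]
add include $devfsrules_hide_all
add include $devfsrules_unhide_zfs
EOF
check_zfs_delegation xyz space/jails/xyz.leidinger.net space/jails/xyz.leidinger.net/data "$TMP/jail.conf" "$TMP/devfs.rules" && echo "xyz: OK"
```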