Date:      Fri, 16 Dec 2016 14:15:40 +0100
From:      Alexander Leidinger <Alexander@leidinger.net>
To:        SK <fbstable@cps-intl.org>
Cc:        Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail <freebsd-jail@freebsd.org>
Subject:   Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]
Message-ID:  <20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW@webmail.leidinger.net>
In-Reply-To: <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org>
References:  <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org> <5849C5BF.7020005@quip.cz> <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org> <584A9179.9060508@quip.cz> <b53fba06-bb7d-06d8-34a4-4677805fb175@cps-intl.org> <584A9D89.4040003@quip.cz> <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org> <584AB345.4080307@quip.cz> <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org>

Quoting SK <fbstable@cps-intl.org> (from Mon, 12 Dec 2016 17:13:27 +0000):

> b) Alexander, I am still not able to do snapshot or any other action
> from within my jail. My understanding is that you are using ezjail,
> which might be doing something that my regular jail creation is
> omitting. If you do not mind sharing your configuration steps, I
> can try to reproduce it at this end. If it is exactly as it is on
> the site you pointed to earlier, please let me know, I will follow
> that verbatim (even though I do not remember seeing anything there
> that I have not tried already, but I might be mistaken).

Do you use quotas on the datasets you want to add to the jail? If yes,
try without. The man-page of zfs tells that this value cannot be
changed (but from the wording I would expect that an already set value
should work).

ezjail is just a shell script which simplifies some things with jails.
For a particular jail where I can manage the datasets which are handed
over to the jail I have those settings in ezjail which correspond to
the settings you can specify in jail.conf:
---snip---
export jail_xyz_leidinger_net_devfs_ruleset="17"
export jail_xyz_leidinger_net_zfs_datasets="space/something"
export jail_xyz_leidinger_net_parameters="allow.mount allow.mount.zfs enforce_statfs=1"
---snip---
Check if you have allow.mount and allow.mount.zfs for the jails in question.

Note, "space/something" is not the root of the jail, it's a separate
dataset. Do not add the root of the jail as a dataset. Example below.

devfs.rules part:
---snip---
[devfsrules_unhide_zfs=12]
add path zfs unhide

[devfsrules_jail_withzfs=17]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs
---snip---

The rc.conf inside this jail:
---snip---
zfs_enable="YES"
---snip---

For one of the filesystems I have set "zfs allow" permissions, but
just that a specific user in the jail can do something on those FS
without the need to switch to root. So as long as you try to do a zfs
create/snapshot with a user with UID 0 inside the jail, the "zfs
allow" part doesn't come into play.

So assume space/jails/xyz.leidinger.net/ to be the dataset which
contains the root of the jail but is not attached/attributed to the
jail itself. space/jails/xyz.leidinger.net/data with mountpoint=none
to be attributed ("zfs jail xyz space/jails/xyz.leidinger.net/data")
to the jail (similar to the "space/something" in the ezjail config
above, I have some iocage-managed jails where this works). In this case
you should be able to do from inside the jail "zfs create -o
mountpoint=/mnt space/jails/xyz.leidinger.net/data/test".

> And now to everyone, I am still confused about zfs set jailed=on. As
> I mentioned on my previous emails, as soon as I do that, the dataset
> vanishes from the host system (as I understand, that is expected
> behaviour). Then the jail fails as it is unable to mount /dev, /proc

From the zfs man page:
---snip---
      After a dataset is attached to a jail and the jailed property is set, a
      jailed file system cannot be mounted outside the jail, since the jail
      administrator might have set the mount point to an unacceptable value.
---snip---

So yes, it is expected that it "vanishes", but it should be visible
from the parent host at the place inside the jail FS subtree where it
is mounted there (after setting the mountpoint of the dataset).

> and so on. I have to change jail.conf and comment out mount.devfs
> and mount.procfs -- but that in turn makes /dev/zfs unavailable and
> I cannot do anything from inside the jail.

Could it be that you try to attribute the root of the jail as a
dataset into the jail?

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
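The procedure Alexander describes above, collected into one POSIX sh script as an added example (this is not code from the thread, from ezjail or from iocage): a separate data dataset created with mountpoint=none and jailed=on, a jail.conf stanza carrying allow.mount, allow.mount.zfs, enforce_statfs=1 and the devfs ruleset, the `zfs jail` attach done from exec.poststart because the jail has to be running, and a guard that refuses to hand the jail's own root dataset (or an ancestor of it) to the jail. The pool name `space`, jail name `xyz`, jail path `/jails/xyz` and ruleset number 17 are assumptions; with DRY_RUN=1 the zfs and jexec commands are printed instead of executed, so the script can be reviewed on a machine without the pool.

```shell
#!/bin/sh
# Added example (not from the thread): hand a separate ZFS dataset to a
# FreeBSD jail. Pool "space", jail "xyz", path /jails/xyz and ruleset 17
# are assumptions; override them through the environment.
# With DRY_RUN=1 the zfs/jexec/ls commands are printed, not executed.
set -eu

POOL=${POOL:-space}
JAIL=${JAIL:-xyz}
JAIL_ROOT=${JAIL_ROOT:-/jails/$JAIL}
DEVFS_RULESET=${DEVFS_RULESET:-17}
ROOT_DATASET="$POOL/jails/$JAIL"     # holds the jail's root fs, stays on the host
DATA_DATASET="$ROOT_DATASET/data"    # the only dataset handed to the jail

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to jail the dataset holding the jail's root, or any ancestor of it:
# once jailed=on is set the host can no longer mount it, so the jail's own
# /dev and /proc mounts fail, which is what the thread points at.
# $1 = dataset containing the jail root, $2 = dataset about to be jailed.
check_not_jail_root() {
    case "$1" in
        "$2"|"$2"/*) return 1 ;;
    esac
    return 0
}

# jail.conf(5) stanza. allow.mount.zfs only takes effect together with
# allow.mount and an enforce_statfs value below 2. zfs jail needs a running
# jail, hence exec.poststart.
jail_conf_stanza() {
    cat <<EOF
$JAIL {
    path = "$JAIL_ROOT";
    host.hostname = "$JAIL";
    mount.devfs;
    devfs_ruleset = $DEVFS_RULESET;
    allow.mount;
    allow.mount.zfs;
    enforce_statfs = 1;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststart = "zfs jail $JAIL $DATA_DATASET";
}
EOF
}

# devfs.rules(5) entries from the thread: unhide /dev/zfs on top of the
# stock hide_all/unhide_basic/unhide_login rules.
devfs_rules() {
    cat <<EOF
[devfsrules_unhide_zfs=12]
add path zfs unhide

[devfsrules_jail_withzfs=$DEVFS_RULESET]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add include \$devfsrules_unhide_zfs
EOF
}

# Host side, before the jail starts. After jailed=on the dataset no longer
# shows up in the host's mount table; that is expected.
prepare_dataset() {
    check_not_jail_root "$ROOT_DATASET" "$DATA_DATASET"
    run zfs create -p -o mountpoint=none "$DATA_DATASET"
    run zfs set jailed=on "$DATA_DATASET"
}

# After the jail is up (exec.poststart does the first step automatically):
# attach the dataset, then root inside the jail can create children under
# it. The jail's rc.conf needs zfs_enable="YES" so they are mounted again
# on the next jail start. From the host the child shows up under the jail
# root, here $JAIL_ROOT/mnt.
attach_and_use() {
    run zfs jail "$JAIL" "$DATA_DATASET"
    run jexec "$JAIL" zfs create -o mountpoint=/mnt "$DATA_DATASET/test"
    run ls "$JAIL_ROOT/mnt"
}

case "${1:-}" in
    conf)    jail_conf_stanza ;;
    devfs)   devfs_rules ;;
    prepare) prepare_dataset ;;
    attach)  attach_and_use ;;
    *)       echo "usage: $0 conf|devfs|prepare|attach" >&2 ;;
esac
```

`./jailzfs.sh conf >> /etc/jail.conf` and `./jailzfs.sh devfs >> /etc/devfs.rules` emit the two fragments; `prepare` is run once before `service jail start xyz`, and `attach` only matters if you start the jail by hand without the exec.poststart line. The guard is deliberately a pure name check so it also catches the case where a parent dataset such as space/jails would be jailed and drag the jail root along with it.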




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW>