Date: Fri, 16 Dec 2016 14:15:40 +0100 From: Alexander Leidinger <Alexander@leidinger.net> To: SK <fbstable@cps-intl.org> Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail <freebsd-jail@freebsd.org> Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial] Message-ID: <20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW@webmail.leidinger.net> In-Reply-To: <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org> References: <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org> <5849C5BF.7020005@quip.cz> <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org> <584A9179.9060508@quip.cz> <b53fba06-bb7d-06d8-34a4-4677805fb175@cps-intl.org> <584A9D89.4040003@quip.cz> <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org> <584AB345.4080307@quip.cz> <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This message is in MIME format and has been PGP signed. --=_phyLGgUE4cHaL8DaVblK1rU Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Quoting SK <fbstable@cps-intl.org> (from Mon, 12 Dec 2016 17:13:27 +0000): > b) Alexander, I am still not able to do snapshot or any other action=20= =20 >=20from within my jail. My understanding is that you are using ezjail,=20= =20 >=20which might be doing something that my regular jail creation is=20=20 >=20ommitting. If you do not mind sharing your configuration steps, I=20=20 >=20can try to reproduce it at this end. If it is exactly as it is on=20=20 >=20the site you pointed to earlier, please let me know, I will follow=20= =20 >=20that verbatim (even though I do not remember seeing anything there=20= =20 >=20that I have not tried already, but I might be mistaken). Do you use quotas on the datasets you want to add to the jail? If yes,=20= =20 try=20without. The man-page of zfs tells that this value can not be=20=20 changed=20(but from the wording I would expect hat an already set value=20= =20 should=20work). ezjail is just a shell script which simplifies some things with jails.=20= =20 For=20a particular jail where I can manage the datasets which are handed=20= =20 over=20to the jail I have those settings in ezjail which correspond to=20= =20 the=20settings you can specify in jail.conf: ---snip--- export jail_xyz_leidinger_net_devfs_ruleset=3D"17" export jail_xyz_leidinger_net_zfs_datasets=3D"space/something" export jail_xyz_leidinger_net_parameters=3D"allow.mount allow.mount.zfs=20= =20 enforce_statfs=3D1" ---snip--- Check if you have allow.mount and allow.mount.zfs for the jails in question= . Note, "space/something" is not the root of the jail, it's a seperate=20=20 dataset.=20Do not add the root of the jail as a dataset. Example bellow. devfs.rules part: ---snip--- [devfsrules_unhide_zfs=3D12] add path zfs unhide [devfsrules_jail_withzfs=3D17] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add include $devfsrules_unhide_zfs ---snip--- The rc.conf inside this jail: ---snip--- zfs_enable=3D"YES" ---snip--- For one of the filesystems I have set "zfs allow" permissions, but=20=20 just=20that a specific user in the jail can do something on those FS=20=20 without=20the need to switch to root. So as long as you try to do a zfs=20= =20 create/snapshot=20with an user with UID 0 inside the jail, the "zfs=20=20 allow"=20part doesn't come into play. So assume space/jails/xyz.leidinger.net/ to be the dataset which=20=20 contains=20the root of the jail but is not attached/attributed to the=20=20 jail=20itself. space/jails/xyz.leidinger.net/data with mountpoint=3Dnone=20= =20 to=20be attributed ("zfs jail xyz space/jails/xyz.leidinger.net/data")=20= =20 to=20the jail (similar to the "space/something" in the ezjail config=20=20 above,=20I have some iocage-managed jails were this works). In this case=20= =20 you=20should be able to do from inside the jail "zfs create -o=20=20 mpuntpoint=3D/mnt space/jails/xyz.leidinger.net/data/test". > And now to everyone, I am still confused about zfs set jailed=3Don. As=20= =20 >=20I mentioned on my previous emails, as soon as I do that, the dataset=20= =20 >=20vanishes from the host system (as I understand, that is expected=20=20 >=20behaviour). Then the jail fails as it is unable to mount /dev, /proc From the zfs man page: ---snip--- After a dataset is attached to a jail and the jailed property is set,= a jailed file system cannot be mounted outside the jail, since the jail administrator might have set the mount point to an unacceptable value= . ---snip--- So yes, it is expected that it "vanishes", but it should be visible=20=20 from=20the parent host at the place inside the jail FS subtree were it=20= =20 is=20mounted there (after setting the mountpoint of the dataset). > and so on. I have to change jail.conf and comment out mount.devfs=20=20 >=20and mount.procfs -- but than in turn makes /dev/zfs unavaulable and=20= =20 >=20I cannot do anything from inside the jail. Could it be that you try to attribute the root of the jail as a=20=20 dataset=20into the jail? Bye, Alexander. --=20 http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_phyLGgUE4cHaL8DaVblK1rU Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- iQIcBAABAgAGBQJYU+j8AAoJEKrxQhqFIICEjbQQAJuO7/Xl8Pg7VtL+5iV67YeU 1tMBplCtPS4ep25gutG5065P6Ed0YVpo+mSFXgkEWxNqVjJwSd7E3Xfd1+x9d7mc QjtjfiHE98pycF97AdbMLkWwk7yOLEqM1Irfz7AB6CDK2wwVskMT7Lo0KwcH0zgy J+OcuZpVoSLxbFShWerpAJ3yGP6XCDERqNRDf+m64yLefk0kYXj2GE1StucAwsy7 nInboqxLcqwCthJ/hFx377f0Eo6W5Td/yTV0T8k5y8b4+vuZehSQihYYoiuDcXzP NNn/fDeVWYEerR+0qQMmirVFxDbCNfvQpVjzZxy6tPXrFGXlYcd7R5/a0GY0fkKQ eKjKqn3PNwF3IwgAi4fI53ekEd6gFLPfdQYM9iO73PxcVft5weUWXE2aBApAqUbh VEUInQbwE8JTlJ8w7cqi6x9sSi7Atr+iJ5qAKZ9zArGlx52i/ApwCOy692b57kaH b7G4zNFA0W5ssN6z7v2S4v3I7ED5bZqg+wywCHfZ+SFXkEK2lUhB0CvARE5ODDby hy8VbaKCou3gCv5QTyE1qns3kfILFRYTAO+UI0QcRYnaFZkBvi8bbe+gtaw8ML6e q0YQ3p4tJDnqwmK8uvXJvXm7muEbBa/A/6lZsvEzttgSrwVh/GMC5UKB/KD+9Hnl 7koYGyq1Q6kjQjvh7kBn =DQcR -----END PGP SIGNATURE----- --=_phyLGgUE4cHaL8DaVblK1rU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW>