Date: Fri, 10 Feb 2023 22:08:38 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 260160] zfs jailed: snapshots not accessible Message-ID: <bug-260160-227-2NGl6pitdO@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-260160-227@https.bugs.freebsd.org/bugzilla/> References: <bug-260160-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260160 --- Comment #25 from Jim Long <freebsd-bugzilla@umpquanet.com> --- For those affected by this regression who are looking for a workaround that eliminates (or rather, automates) the need to run 'jail -m ...' on each jail that requires access to its snapshots: This simple change to the globals section of /etc/jail.conf uses the "exec.poststart" hook to have /etc/rc.d/jail spawn a small subshell process after each jail is started (either at boot time or by "service jail [re]start"). >From man 8 jail: exec.poststart Command(s) to run in the system environment after a jail is created, and after any exec.start commands have completed. This is very much a temporary hack until a proper fix is merged into the codebase, but the method appears to be both effective and minimally intrusi= ve: /etc/jail.conf: # Global: # .. whatever global stuff you already have zfs.mount_snapshot =3D 1; exec.poststart =3D "( /bin/sleep 30; /usr/sbin/jail -m $name ) &"; # ... and whatever else you like ... jail1 { # ... your normal per-jail parameters here } jail2 { # ... your normal per-jail parameters here } If you prefer not to do this globally, the "poststart" directive can be del= eted from the global context and inserted into each individual jail where it is needed. For my purposes the global context is more convenient, because my primary u= se case is several jailed Samba instances where I want to allow end-user acces= s to ZFS snapshots of the data share, so that users can access backups without a= ny sysadmin intervention. A secondary use case is to simply allow root-users = of jailed FreeBSD instances to access snapshot backups of their own system fil= es. In both cases, however, it is also desired that the root user of the jail N= OT be able to destroy snapshots. Hence the reason for not simply setting "jailed=3Don" and delegating the entire ZFS filesystem to the jail. Effect= ively this makes the backups readable by the jail, but immutable by even the jail root. HTH, Jim --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-260160-227-2NGl6pitdO>