From owner-freebsd-jail@freebsd.org Thu Dec 8 17:11:39 2016
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
To: SK, freebsd-jail
References: <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <58499446.3050403@quip.cz>
Date: Thu, 8 Dec 2016 18:11:34 +0100
In-Reply-To: <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org>
List-Id: "Discussion about FreeBSD jail(8)"

SK wrote on 2016/12/08 17:41:
> On 08/12/2016 16:14, Miroslav Lachman wrote:
>> SK wrote on 2016/12/08 15:22:
>>
>>> So far I have tried to follow as many google results as possible using
>>> jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few
>>> sites coming up again and again but they were talking about ezjail (not
>>> that I have anything against it, but I would prefer to be able to use
>>> the base system as it is -- might help me learn a few things that ezjail
>>> will hide from me :D)
>>
>> If you want to manage a ZFS dataset from within a jail, then you need
>> to use the zfs set jailed=on property (see man zfs). But this dataset
>> cannot be mounted as nullfs, it should be dedicated to the jail.
>>
>> You don't need ezjail because ezjail cannot do anything more than you
>> can do. It is just a shell script wrapper.
>>
>> Miroslav Lachman
>>
> Hi Miroslav
>
> Thank you for your response. I tried setting it up like that (use zfs
> set jailed=on), and that did not work. I could not even run zfs from
> within the jail. Maybe I did something wrong -- so I am setting up a
> test box where I can try them all out.
>
> I also came across these links
> https://clinta.github.io/freebsd-jails-the-hard-way/
> http://aaron.baugher.biz/unix/freebsd-jails-zfs-1
>
> I will give these a try. However, neither confirms (or maybe I missed
> it) if I can manage/manipulate the zfs datasets from within the jail --
> and that seems to be the logical approach based on various emails on the
> mailing lists. So, what I am really after is some kind of a
> pointer/direction, maybe even a rough sketch of a how-to, that would
> help in getting started at least. I am not new to jails -- it is just
> that so far most of my jails were on UFS systems and I never encountered
> this issue of data mismatch between what the jail can see and what the
> host can see.

Did you read the man page carefully? Do you have /dev/zfs visible inside
the jail's /dev/? If not, you need to create your own rule inside
/etc/devfs.rules

   Jails
     A ZFS dataset can be attached to a jail by using the "zfs jail"
     subcommand. You cannot attach a dataset to one jail and the children
     of the same dataset to another jails. To allow management of the
     dataset from within a jail, the jailed property has to be set and
     the jail needs access to the /dev/zfs device. The quota property
     cannot be changed from within a jail. See jail(8) for information on
     how to allow mounting ZFS datasets from within a jail.

     A ZFS dataset can be detached from a jail using the "zfs unjail"
     subcommand.

     After a dataset is attached to a jail and the jailed property is set,
     a jailed file system cannot be mounted outside the jail, since the
     jail administrator might have set the mount point to an unacceptable
     value.

What are the jail's properties? Do you have something like this?

enforce_statfs=1
allow.mount=1
allow.mount.zfs=1
allow.mount.procfs=1
allow.mount.devfs=1

Then you need to run

zfs jail $JID tank/jail/testJail

(put in the real UID of the running jail and the path to the dedicated
dataset)

Miroslav Lachman
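The devfs rule, jail parameters and zfs jail step from the reply above, assembled into one configuration as an added example that is not part of the thread. The jail root /jails/testJail, the in-jail mountpoint /data, the hostname and the ruleset number 11 are assumptions; only the jail name and the dataset tank/jail/testJail come from the post.

```conf
# /etc/devfs.rules (added example): only needed if the devfs ruleset your
# jails use hides /dev/zfs. Ruleset 11 is an arbitrary unused number; it
# starts from the stock jail ruleset and unhides just the zfs device node.
[devfsrules_jail_zfs=11]
add include $devfsrules_jail
add path zfs unhide

# /etc/jail.conf (added example). On the host, once, before the jail starts:
#   zfs create -o jailed=on -o mountpoint=/data tank/jail/testJail
# A jailed dataset is never mounted by the host; the jail mounts it itself,
# and inside the jail "mountpoint=/data" resolves relative to the jail root,
# so from the host the data shows up under /jails/testJail/data only after
# the jail has mounted it. That is the host/jail mismatch the subject asks about.
testJail {
    path = "/jails/testJail";             # assumed jail root (base system)
    host.hostname = "testjail.example";   # assumed
    mount.devfs;
    devfs_ruleset = 11;                   # the ruleset defined above

    # The parameters from the reply; enforce_statfs=1 lets the jail see
    # only mounts below its own root.
    enforce_statfs = 1;
    allow.mount = 1;
    allow.mount.zfs = 1;
    allow.mount.devfs = 1;
    allow.mount.procfs = 1;

    exec.start = "/bin/sh /etc/rc";
    # The dataset can only be attached to a jail that already exists, so
    # "zfs jail" runs as a poststart hook; $name is the jail's name and is
    # accepted by zfs jail in place of the numeric JID. The second hook
    # mounts the dataset from inside the jail, where it is now manageable.
    exec.poststart  = "zfs jail $name tank/jail/testJail";
    exec.poststart += "jexec $name zfs mount tank/jail/testJail";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

After `jail -c testJail`, `jexec testJail zfs list` should show the dataset and `zfs get jailed tank/jail/testJail` on the host should report on; if `zfs` inside the jail still fails, check `ls -l /jails/testJail/dev/zfs` first, since a hidden device node is the usual cause.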