From: Jacques Foucry
To: freebsd-questions@freebsd.org
Date: Tue, 4 Feb 2020 22:44:04 +0100
Subject: jail and dedicated zfs dataset
Message-ID: <20200204214404.GB36588@foucry.net>
Hi folks,

I'm trying to create a jail (for the mail) with a dedicated zfs dataset.

On the host, the dataset is tank/root/mails with /var/mail as mountpoint.
The jailed property is on:

    # zfs get mountpoint tank/root/mails
    NAME             PROPERTY    VALUE      SOURCE
    tank/root/mails  mountpoint  /var/mail  local
    # zfs get jailed tank/root/mails
    NAME             PROPERTY  VALUE  SOURCE
    tank/root/mails  jailed    on     local

I also set allow properties:

    # zfs allow tank/root/mails
    ---- Permissions on tank/root/mails ----------------------------------
    Local+Descendent permissions:
            user root mount
            group wheel create,destroy,mount,snapshot

My /etc/jail.conf¹ definition for the dataset is:

    exec.poststart = "/sbin/zfs jail mail tank/root/mails";
    exec.poststart += "zfs mount -a";
    exec.stop = "/sbin/zfs unjail mail tank/root/mails";
    persist=true;
    mount.fstab="/etc/fstab.${name}";

On the guest, things seem good:

    # zfs allow tank/root/mails
    ---- Permissions on tank/root/mails ----------------------------------
    Local+Descendent permissions:
            user root mount
            group wheel create,destroy,mount,snapshot
    # zfs list
    NAME              USED  AVAIL  REFER  MOUNTPOINT
    tank             42.2G  6.92T    88K  legacy
    tank/root        36.7G  6.92T  3.60G  legacy
    tank/root/mails   200K  6.92T    88K  /var/mail

But the dataset is not mounted:

    # df -h /var/mail
    Filesystem             Size    Used   Avail Capacity  Mounted on
    tank/root/jails/mail   6.9T    2.9G    6.9T     0%    /

And mounting by hand failed:

    # zfs mount -a
    cannot mount 'tank/root/mails': Insufficient privileges

What could be wrong? The /var/mail mount point permissions? The host /var/mail permissions (that should not be used)? Something in zfs allow?

¹ I know there is the old ezjail or iocage, but I'm more comfortable with the system way.

Thanks for your help if you can.

-- 
Jacques Foucry
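An added check, not part of the original post, built on what zfs-jail(8) documents: before a dataset attached with `zfs jail` can be mounted from inside the jail, that jail needs allow.mount and allow.mount.zfs set to 1 and enforce_statfs lower than 2. The script scans a constructed jail.conf-style text (the jail names, paths and values are assumed sample data) and reports, per jail, whether those three parameters are in effect, honouring bare booleans, the `no` prefix and global defaults but not jail.conf variables or includes.

```shell
#!/bin/sh
# Constructed jail.conf sample (not the poster's real file): a global default,
# a "mail" jail carrying the ZFS delegation parameters, a "web" jail without them.
SAMPLE_CONF='
enforce_statfs = 2;
mail {
    path = "/usr/jails/mail";
    allow.mount;
    allow.mount.zfs = 1;
    enforce_statfs = 1;
    exec.poststart = "/sbin/zfs jail mail tank/root/mails";
    exec.stop = "/sbin/zfs unjail mail tank/root/mails";
}
web {
    path = "/usr/jails/web";
}
'
# zfs_delegation_check CONF_TEXT JAILNAME: prints "ok" (exit 0) when the jail
# ends up with allow.mount=1, allow.mount.zfs=1 and enforce_statfs<2, else the
# missing parameters (exit 1). Per-jail settings override globals; an unset
# enforce_statfs counts as the jail(8) default of 2.
zfs_delegation_check() {
    printf '%s\n' "$1" | awk -v jail="$2" '
        function setv(k, v) { if (cur == "") g[k] = v; else if (cur == jail) j[k] = v }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {            # "name {" opens a jail
            sub(/[[:space:]]*[{].*/, ""); sub(/^[[:space:]]+/, ""); cur = $0; next }
        /^[[:space:]]*[}]/ { cur = ""; next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); sub(/;.*$/, "", line)
            if (line ~ /=/) {           # key = value ("+=" handled like "=")
                k = line; sub(/[[:space:]]*[+]?=.*/, "", k)
                v = line; sub(/^[^=]*=[[:space:]]*/, "", v); gsub(/"/, "", v)
            } else if (line ~ /^no/) {  # "noallow.mount;" negates a boolean
                k = substr(line, 3); v = 0
            } else {                    # bare "allow.mount;" sets it true
                k = line; v = 1
            }
            setv(k, v)
        }
        END {
            for (k in g) if (!(k in j)) j[k] = g[k]
            miss = ""
            if (j["allow.mount"] != 1 && j["allow.mount"] != "true") miss = miss " allow.mount"
            if (j["allow.mount.zfs"] != 1 && j["allow.mount.zfs"] != "true") miss = miss " allow.mount.zfs"
            if (j["enforce_statfs"] == "" || j["enforce_statfs"] + 0 >= 2) miss = miss " enforce_statfs<2"
            if (miss == "") print "ok"; else print "missing:" miss
            exit (miss != "")
        }'
}
```

Run it as `zfs_delegation_check "$SAMPLE_CONF" mail` (reports ok) or with `web` (reports all three parameters missing); point it at `cat /etc/jail.conf` output to audit a real host.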