From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Fri, 9 Dec 2016 10:12:32 +0000
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
List-Id: "Discussion about FreeBSD jail(8)"

On 08/12/2016 20:42, Miroslav Lachman wrote:
> SK wrote on 2016/12/08 20:13:
>
>> Initially they were not visible from within the jail, but as I ran
>> zfs jail testJail gT/JailS/testJail
>> they were visible from inside.
>
> You can add zfs jail testJail gT/JailS/testJail to your jail.conf post
> exec so it will be executed automatically.
>
Good morning Miroslav, apologies for the delayed response -- went home last night since the brain was going into "sleep" mode :P

Done that, with a variable so they fit right into whatever jail it is run from :D. Thanks for the pointer.

>> root@testJail:/ # zfs create gT/JailS/testJail/test
>> *cannot create 'gT/JailS/testJail/test': permission denied*
>> root@testJail:/ # exit
>
> zfs list is a good start. I never used zfs from within jail so I cannot
> comment on permission denied. I don't know what more must be done.
>
I'm not sure which list you are referring to. I could not find any zfs list in FreeBSD mailing list lists.

>
> Send us `sysctl security.jail` from host and from jail too.
>
>
Giving the sysctl values later in the email, just one other thing in case someone does not want to see them but would still be interested in what I am trying to achieve.

Right now, as it stands, I can make do with what I have achieved -- i.e., I can manage the zfs datasets from /outside/ of jail while the newly created datasets are still visible /inside/ the jail. But, what I would really like to have is:

a) ONLY the relevant datasets for a jail are visible and can be manipulated from within the jail. I do not mind if they are visible from host (in fact, I might prefer that -- not manipulate, just see and maybe take snapshot of what is there -- helps in centralizing backups).
But the Jails /must not/ see each other's datasets

b) if that is not achievable, maybe not allow the jails to see the complete dataset hierarchy -- just make them feel that they are where they are in a root, but still be able to create datasets that would magically show up in the respective jails. This way, the total control is from the host itself, where no one has access to, but the datasets are restricted to different jails.

Now, for the sysctl values, here they come

##### From host itself

security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 0
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 0
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 0
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.vnet: 0
security.jail.jailed: 0

#### and from inside the jail

root@testJail:/ # sysctl security.jail
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 4
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 1
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.vnet: 1
security.jail.jailed: 1
root@testJail:/ # exit
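
The following is an added example, not part of SK's message and not FreeBSD project code: a way to compare the two `sysctl security.jail` dumps above once each has been saved to a file. It lists only the values that differ between host and jail, and checks the three conditions jail(8) documents for ZFS mounting inside a jail (allow.mount, allow.mount.zfs, enforce_statfs lower than 2). The function names and the sample file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread: compare saved `sysctl security.jail` dumps.

# Print each security.jail.* value that differs between a host dump ($1) and a
# jail dump ($2). security.jail.param.* is skipped: identical in both dumps.
jail_sysctl_diff() {
    awk -F': ' '
        /^security\.jail\.param\./  { next }
        !/^security\.jail\./        { next }
        FILENAME == ARGV[1]         { host[$1] = $2; next }
        (host[$1] "") != ($2 "")    { printf "%s host=%s jail=%s\n", $1, host[$1], $2 }
    ' "$1" "$2"
}

# Succeed only if a dump ($1) meets the jail(8) conditions for allow.mount.zfs
# to take effect: allow.mount set, allow.mount.zfs set, enforce_statfs below 2.
zfs_mount_prereqs_ok() {
    awk -F': ' '
        $1 == "security.jail.mount_allowed"     { m = $2 }
        $1 == "security.jail.mount_zfs_allowed" { z = $2 }
        $1 == "security.jail.enforce_statfs"    { e = $2; seen = 1 }
        END { exit !(m == 1 && z == 1 && seen && e < 2) }
    ' "$1"
}

# Sample input: a subset of the values posted in the message above.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/host.txt" <<'EOF'
security.jail.param.allow.mount.zfs: 0
security.jail.devfs_ruleset: 0
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.set_hostname_allowed: 1
security.jail.jailed: 0
EOF
cat > "$SAMPLES/jail.txt" <<'EOF'
security.jail.param.allow.mount.zfs: 0
security.jail.devfs_ruleset: 4
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.set_hostname_allowed: 0
security.jail.jailed: 1
EOF
jail_sysctl_diff "$SAMPLES/host.txt" "$SAMPLES/jail.txt"
zfs_mount_prereqs_ok "$SAMPLES/jail.txt" && echo "jail dump: ZFS mount prerequisites met"
```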