Date: Tue, 4 Feb 2020 22:56:54 -0800
From: David Christensen <dpchrist@holgerdanske.com>
To: freebsd-questions@freebsd.org
Subject: Re: jail and dedicated zfs dataset
Message-ID: <bb55f226-5e35-77db-0219-03ef972853f4@holgerdanske.com>
In-Reply-To: <20200204214404.GB36588@foucry.net>
References: <20200204214404.GB36588@foucry.net>
On 2020-02-04 13:44, Jacques Foucry wrote:
> Hi folks,
>
> I'm trying to create a jail (for the mail) with a dedicated zfs dataset.
>
> On the host, the dataset is tank/root/mails with /var/mail as mountpoint.
> The jailed property is on:
>
> # zfs get mountpoint tank/root/mails
> NAME             PROPERTY    VALUE      SOURCE
> tank/root/mails  mountpoint  /var/mail  local
>
> # zfs get jailed tank/root/mails
> NAME             PROPERTY  VALUE  SOURCE
> tank/root/mails  jailed    on     local
>
> I also set allow properties:
> # zfs allow tank/root/mails
> ---- Permissions on tank/root/mails ----------------------------------
> Local+Descendent permissions:
> user root mount
> group wheel create,destroy,mount,snapshot
>
>
> My /etc/jail.conf¹ definition for the dataset is:
>
> exec.poststart = "/sbin/zfs jail mail tank/root/mails";
> exec.poststart += "zfs mount -a";
> exec.stop = "/sbin/zfs unjail mail tank/root/mails";
> persist=true;
> mount.fstab="/etc/fstab.${name}";
>
> On the guest, things seem good:
>
> # zfs allow tank/root/mails
> ---- Permissions on tank/root/mails ----------------------------------
> Local+Descendent permissions:
> user root mount
> group wheel create,destroy,mount,snapshot
>
> # zfs list
> NAME             USED   AVAIL  REFER  MOUNTPOINT
> tank             42.2G  6.92T  88K    legacy
> tank/root        36.7G  6.92T  3.60G  legacy
> tank/root/mails  200K   6.92T  88K    /var/mail
>
> But the dataset is not mounted:
>
> # df -h /var/mail
> Filesystem            Size  Used  Avail  Capacity  Mounted on
> tank/root/jails/mail  6.9T  2.9G  6.9T   0%        /
>
> And mounting by hand failed:
> # zfs mount -a
> cannot mount 'tank/root/mails': Insufficient privileges
>
> What could be wrong? The /var/mail mount point permissions? The host /var/mail
> permissions (that should not be used)? Something in zfs allow?
>
>
> ¹ I know there is the old ezjail or iocage, but I'm more comfortable with the
> system way.
>
>
> Thanks for your help if you can.

I have a SOHO LAN with a FreeBSD server and jails for CVS and Samba.
I (mostly) followed along with Chapter 22 of Lucas AF3E [1]:

2020-02-04 22:30:15 toor@soho ~ # freebsd-version
12.1-RELEASE-p1

2020-02-04 22:30:23 toor@soho ~ # uname -a
FreeBSD soho.tracy.holgerdanske.com 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC amd64

I created a top-level ZFS dataset in my root pool for jails. I then created a dataset for each jail. I did not modify any of the ZFS properties:

2020-02-04 22:30:25 toor@soho ~ # zfs list -r soho_zroot/jail
NAME                   USED   AVAIL  REFER  MOUNTPOINT
soho_zroot/jail        2.81G  6.40G  132K   /jail
soho_zroot/jail/cvs    1.09G  6.40G  1016M  /jail/cvs
soho_zroot/jail/samba  1.72G  6.40G  1.60G  /jail/samba

The bulk CVS and the Samba data are in separate datasets in another pool:

2020-02-04 22:35:34 toor@soho ~ # zfs list | egrep 'p1/ds2/(cvs|samba) '
p1/ds2/cvs    469M  1.71T  88K  /jail/cvs/var/local/cvs
p1/ds2/samba  921G  1.71T  96K  /jail/samba/var/local/samba

Each has its mountpoint property set inside the corresponding jail:

2020-02-04 22:35:40 toor@soho ~ # zfs get mountpoint p1/ds2/cvs p1/ds2/samba
NAME          PROPERTY    VALUE                        SOURCE
p1/ds2/cvs    mountpoint  /jail/cvs/var/local/cvs      received
p1/ds2/samba  mountpoint  /jail/samba/var/local/samba  received

Here is my jail configuration file:

2020-02-04 22:32:41 toor@soho ~ # cat /etc/jail.conf
$j="/jail";
path="$j/$name";
host.hostname="$name.tracy.holgerdanske.com";
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
mount.devfs;

cvs {
    ip4.addr="192.168.5.23";
}

samba {
    ip4.addr="192.168.5.24";
}

I tried ezjail(7) and discovered that it is unsupported. Lucas covers iocage(8) in FMJAIL [2], but my needs are simple and I too prefer basic system tools.

David

[1] https://mwl.io/nonfiction/os#af3e
[2] https://mwl.io/nonfiction/os#fmjail
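Added example, written for this page and not part of either message in the thread. The quoted question hands a dataset to the jail with "zfs jail" and then gets "Insufficient privileges" from "zfs mount" inside it. The Jails section of FreeBSD's zfs(8) states that, for a jail to manage a dataset attached this way, the jail needs the allow.mount and allow.mount.zfs parameters set to 1 and enforce_statfs set lower than 2 (the jail(8) default is 2); neither jail.conf shown above sets any of them. The script below is a small POSIX sh lint that parses a jail.conf in the layout David posted (global parameters, then "name { ... }" blocks) and reports, per jail, which of those three parameters are missing. The two jail.conf samples it reads are constructed for the example; the jail name "mail", the dataset "tank/root/mails" and the cvs address come from the thread, the mail jail's address is made up, and the helper names jail_param and zfs_jail_ready are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a jail.conf for the three jail
# parameters zfs(8) documents as required before a jail can mount a dataset
# that was handed to it with "zfs jail": allow.mount=1, allow.mount.zfs=1 and
# enforce_statfs lower than 2 (the jail(8) default is 2).
# Assumes the usual jail.conf layout: globals, then "name { param; }" blocks,
# every parameter ";"-terminated, and values containing braces quoted.

# jail_param CONF JAIL PARAM: print JAIL's effective value of PARAM (the global
# default unless JAIL's own block overrides it); print nothing if unset.
jail_param() {
    awk -v jail="$2" -v want="$3" '
        { sub(/#.*/, "")                       # drop comments
          n = split($0, parts, ";")            # several "k=v;" may share a line
          for (i = 1; i <= n; i++) handle(parts[i]) }
        function handle(s,   k, v, eq, br) {
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (s == "") return
            eq = index(s, "="); br = index(s, "{")
            if (br && (!eq || br < eq)) {      # "name {" opens a block
                cur = substr(s, 1, br - 1); gsub(/[ \t]/, "", cur)
                handle(substr(s, br + 1)); return
            }
            if (s ~ /}$/) {                    # "}" closes the current block
                handle(substr(s, 1, length(s) - 1)); cur = ""; return
            }
            if (eq) { k = substr(s, 1, eq - 1); v = substr(s, eq + 1) }
            else    { k = s; v = "1" }         # bare "allow.mount;" means =1
            gsub(/[ \t+]+$/, "", k)            # also drops the "+" of "+="
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k != want) return
            if (cur == "") def = v; else if (cur == jail) val = v
        }
        END { if (val != "") print val; else if (def != "") print def }
    ' "$1"
}

# zfs_jail_ready CONF JAIL: succeed if JAIL may mount a jailed dataset; else
# report each missing parameter and fail.
zfs_jail_ready() {
    _rc=0
    for p in allow.mount allow.mount.zfs; do
        [ "$(jail_param "$1" "$2" "$p")" = 1 ] ||
            { echo "$2: $p is not set"; _rc=1; }
    done
    case $(jail_param "$1" "$2" enforce_statfs) in
        0|1) ;;
        *) echo "$2: enforce_statfs must be 0 or 1 (jail default is 2)"; _rc=1 ;;
    esac
    return $_rc
}

BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT

# Constructed sample in the shape of the jail.conf files in this thread: the
# dataset is handed over in exec.poststart, but the jail has no mount rights.
cat > "$BROKEN_CONF" <<'EOF'
$j="/jail";
path="$j/$name";
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
mount.devfs;

mail {
    ip4.addr="192.168.5.25";
    exec.poststart="/sbin/zfs jail mail tank/root/mails";
    exec.stop+="/sbin/zfs unjail mail tank/root/mails";
    persist;
}
EOF

# Same layout with the three parameters granted to the mail jail only; cvs
# keeps the restrictive defaults and so still cannot mount anything.
cat > "$FIXED_CONF" <<'EOF'
$j="/jail";
path="$j/$name";
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
mount.devfs;

mail {
    ip4.addr="192.168.5.25";
    allow.mount; allow.mount.zfs; enforce_statfs=1;
    exec.poststart="/sbin/zfs jail mail tank/root/mails";
    exec.stop+="/sbin/zfs unjail mail tank/root/mails";
    persist;
}
cvs { ip4.addr="192.168.5.23"; }
EOF

for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    zfs_jail_ready "$conf" mail && echo "$conf: mail may mount its jailed dataset"
done
```

Run it against a real /etc/jail.conf with "zfs_jail_ready /etc/jail.conf mail". The three parameters widen what the jail's root may do (allow.mount.zfs lets it mount and manage the attached dataset tree; enforce_statfs below 2 lets it see mount information beyond its own root), so set them in the block of the one jail that owns a dataset rather than globally, which is why the sample keeps them out of the cvs jail.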