Date: Fri, 9 Dec 2016 10:12:32 +0000 From: SK <fbstable@cps-intl.org> To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail <freebsd-jail@freebsd.org> Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host Message-ID: <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org> In-Reply-To: <5849C5BF.7020005@quip.cz> References: <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org> <5849C5BF.7020005@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
On 08/12/2016 20:42, Miroslav Lachman wrote: > SK wrote on 2016/12/08 20:13: > >> Initially they were not visible from within the jail, but as I ran >> zfs jail testJail gT/JailS/testJail >> they were visible from inside. > > You can add zfs jail testJail gT/JailS/testJail to your jail.conf post > exec so it will be executed automatically. > Good morning Miroslav, apologies for the delayed response -- went home last night since the brain was going into "sleep" mode :P done that, with a variable so they fit right into whatever jail it is run from :D. Thanks for the pointer. >> root@testJail:/ # zfs create gT/JailS/testJail/test >> *cannot create 'gT/JailS/testJail/test': permission denied* >> root@testJail:/ # exit > > zfs list is good start. I never used zfs from within jail so I cannot > comment on permission denied. I don't know what more must be done. > I'm not sure which list you are referring to. I could not find any zfs list in FreeBSD mailing list lists > > Send us `sysctl security.jail` from host and from jail too. > > Giving the sysctl values later in the email, just one other thing in case someone does not want to see them but would still be interested on what I am trying to achieve. Right now, as it stands, I can make do with what I have achieved -- i.e., I can manage the zfs datasets from /outside/ of jail while the newly created datasets are still visible /inside/ the jail. But, what I would really like to have a) ONLY the relevant datasets for a jail are visible and can be manipulated from within the jail. I do not mind if they are visible from host (in fact, I might prefer that -- not manipulate, just see and maybe take snapshot of what is there -- helps in centralizing backups). But the Jails /must not/ see each others' datasets b) if that is not achievable, maybe not allow the jails to see the complete dataset hierarchy -- just make them feel that they are where they are in a root, but still be able to create datasets that would magically show up in the respective jails. This way, the total control is from the host itself, where no one has access to, but the datasets are restricted to different jails. Now, for the sysctl values, here they come ##### From host itself security.jail.param.sysvshm.: 0 security.jail.param.sysvsem.: 0 security.jail.param.sysvmsg.: 0 security.jail.param.allow.mount.zfs: 0 security.jail.param.allow.mount.tmpfs: 0 security.jail.param.allow.mount.linsysfs: 0 security.jail.param.allow.mount.linprocfs: 0 security.jail.param.allow.mount.procfs: 0 security.jail.param.allow.mount.nullfs: 0 security.jail.param.allow.mount.fdescfs: 0 security.jail.param.allow.mount.devfs: 0 security.jail.param.allow.mount.: 0 security.jail.param.allow.socket_af: 0 security.jail.param.allow.quotas: 0 security.jail.param.allow.chflags: 0 security.jail.param.allow.raw_sockets: 0 security.jail.param.allow.sysvipc: 0 security.jail.param.allow.set_hostname: 0 security.jail.param.ip6.saddrsel: 0 security.jail.param.ip6.: 0 security.jail.param.ip4.saddrsel: 0 security.jail.param.ip4.: 0 security.jail.param.cpuset.id: 0 security.jail.param.host.hostid: 0 security.jail.param.host.hostuuid: 64 security.jail.param.host.domainname: 256 security.jail.param.host.hostname: 256 security.jail.param.host.: 0 security.jail.param.children.max: 0 security.jail.param.children.cur: 0 security.jail.param.dying: 0 security.jail.param.vnet: 0 security.jail.param.persist: 0 security.jail.param.devfs_ruleset: 0 security.jail.param.enforce_statfs: 0 security.jail.param.osrelease: 32 security.jail.param.osreldate: 0 security.jail.param.securelevel: 0 security.jail.param.path: 1024 security.jail.param.name: 256 security.jail.param.parent: 0 security.jail.param.jid: 0 security.jail.devfs_ruleset: 0 security.jail.enforce_statfs: 1 security.jail.mount_zfs_allowed: 1 security.jail.mount_tmpfs_allowed: 0 security.jail.mount_linsysfs_allowed: 0 security.jail.mount_linprocfs_allowed: 0 security.jail.mount_procfs_allowed: 0 security.jail.mount_nullfs_allowed: 0 security.jail.mount_fdescfs_allowed: 0 security.jail.mount_devfs_allowed: 0 security.jail.mount_allowed: 1 security.jail.chflags_allowed: 0 security.jail.allow_raw_sockets: 0 security.jail.sysvipc_allowed: 0 security.jail.socket_unixiproute_only: 1 security.jail.set_hostname_allowed: 1 security.jail.jail_max_af_ips: 255 security.jail.vnet: 0 security.jail.jailed: 0 #### and from inside the jail root@testJail:/ # sysctl security.jail security.jail.param.sysvshm.: 0 security.jail.param.sysvsem.: 0 security.jail.param.sysvmsg.: 0 security.jail.param.allow.mount.zfs: 0 security.jail.param.allow.mount.tmpfs: 0 security.jail.param.allow.mount.linsysfs: 0 security.jail.param.allow.mount.linprocfs: 0 security.jail.param.allow.mount.procfs: 0 security.jail.param.allow.mount.nullfs: 0 security.jail.param.allow.mount.fdescfs: 0 security.jail.param.allow.mount.devfs: 0 security.jail.param.allow.mount.: 0 security.jail.param.allow.socket_af: 0 security.jail.param.allow.quotas: 0 security.jail.param.allow.chflags: 0 security.jail.param.allow.raw_sockets: 0 security.jail.param.allow.sysvipc: 0 security.jail.param.allow.set_hostname: 0 security.jail.param.ip6.saddrsel: 0 security.jail.param.ip6.: 0 security.jail.param.ip4.saddrsel: 0 security.jail.param.ip4.: 0 security.jail.param.cpuset.id: 0 security.jail.param.host.hostid: 0 security.jail.param.host.hostuuid: 64 security.jail.param.host.domainname: 256 security.jail.param.host.hostname: 256 security.jail.param.host.: 0 security.jail.param.children.max: 0 security.jail.param.children.cur: 0 security.jail.param.dying: 0 security.jail.param.vnet: 0 security.jail.param.persist: 0 security.jail.param.devfs_ruleset: 0 security.jail.param.enforce_statfs: 0 security.jail.param.osrelease: 32 security.jail.param.osreldate: 0 security.jail.param.securelevel: 0 security.jail.param.path: 1024 security.jail.param.name: 256 security.jail.param.parent: 0 security.jail.param.jid: 0 security.jail.devfs_ruleset: 4 security.jail.enforce_statfs: 1 security.jail.mount_zfs_allowed: 1 security.jail.mount_tmpfs_allowed: 0 security.jail.mount_linsysfs_allowed: 0 security.jail.mount_linprocfs_allowed: 0 security.jail.mount_procfs_allowed: 1 security.jail.mount_nullfs_allowed: 0 security.jail.mount_fdescfs_allowed: 0 security.jail.mount_devfs_allowed: 1 security.jail.mount_allowed: 1 security.jail.chflags_allowed: 0 security.jail.allow_raw_sockets: 1 security.jail.sysvipc_allowed: 1 security.jail.socket_unixiproute_only: 1 security.jail.set_hostname_allowed: 0 security.jail.jail_max_af_ips: 255 security.jail.vnet: 1 security.jail.jailed: 1 root@testJail:/ # exit
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fb56ab21-026b-408d-f712-ed7479e1f269>