Date: Mon, 21 Jan 2019 11:42:42 -0500 From: "Michael W. Lucas" <mwlucas@michaelwlucas.com> To: jail@freebsd.org Subject: delegating ZFS of jail's root directory Message-ID: <20190121164242.GB91955@mail.michaelwlucas.com>
next in thread | raw e-mail | index | archive | help
Hi,
Two more book research questions, sorry. If the answer is "it doesn't
work that way," cool, I'll document and move on. It looks like ZFS
delegation isn't widely used.
1) It seems I can successfully delegate managing ZFS datasets to a jail,
sort of. A restart removes my ability to destroy and rename datasets I
created, though.
2) I can't delegate the jail's root to the jail. Obvious question: CAN
you delegate a jail's root dataset, or am I chasing an impossibility
here?
Details:
Real hardware, running yesterday's -current:
FreeBSD storm 13.0-CURRENT FreeBSD 13.0-CURRENT r343219 GENERIC amd64
Here's my jail.conf.
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
filedump {
host.hostname="filedump.mwl.io";
ip4.addr="203.0.113.224";
path="/jail/filedump/zroot";
persist=true;
mount.devfs=true;
allow.mount=true;
allow.mount.zfs=true;
enforce_statfs=1;
exec.poststart="/sbin/zfs jail filedump jail/filedump/zroot";
exec.poststop="/sbin/zfs unjail filedump jail/filedump/zroot";
}
/jail/filedump/zroot contains FreeBSD 12.0 base.tgz extract.
# ls /jail/filedump/zroot/
.cshrc dev media root var
.profile etc mnt sbin
COPYRIGHT jail net sys
bin lib proc tmp
boot libexec rescue usr
Initial ZFS "jailed" parameter:
# zfs get -r jailed jail/filedump
NAME PROPERTY VALUE SOURCE
jail/filedump jailed off default
jail/filedump/zroot jailed off default
jail/filedump/zroot/cdr jailed on local
jail/filedump/zroot/home jailed on local
jail/filedump/zroot/home/mwl jailed on inherited from jail/filedump/zroot/home
Running "service jail start filedump" gives me a working jail. I can
create and destroy datasets.
root@filedump:~ # zfs create jail/filedump/zroot/home/abc
root@filedump:~ # zfs destroy jail/filedump/zroot/home/abc
Gonna recreate that dataset for testing purposes:
root@filedump:~ # zfs create jail/filedump/zroot/home/abc
Now back to the host, restart the jail, and:
root@filedump:~ # zfs destroy jail/filedump/zroot/home/abc
cannot unmount '/jail/filedump/zroot/home/abc': Operation not permitted
I created this dataset within the jail, and can manage it only so long
as it's the same jail instance. A restart wrecks my ability to manage
the dataset.
Second problem:
I would also like to delegate management of the jail's root fileset,
so on the host I run:
# zfs set jailed=on jail/filedump/zroot
# service jail start filedump
Starting jails: cannot start jail "filedump":
jail: filedump: mount.devfs: /jail/filedump/zroot/dev: No such file or directory
.
Which--of course, the root dir isn't mounted, so /dev can't be mounted.
I'm vaguely confident I've heard of people delegating management of
the root dataset to the jail, though I can't find it. Am I
misremembering?
Thanks,
==ml
--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190121164242.GB91955>