On 08/12/2016 20:42, Miroslav Lachman wrote:
> SK wrote on 2016/12/08 20:13:
>> Initially they were not visible from within the jail, but as I ran
>> zfs jail testJail gT/JailS/testJail
>> they were visible from inside.
> You can add zfs jail testJail gT/JailS/testJail to your jail.conf post
> exec so it will be executed automatically.
Good morning Miroslav, apologies for the delayed response -- went home
last night since the brain was going into "sleep" mode :P
done that, with a variable so they fit right into whatever jail it is
run from :D. Thanks for the pointer.
>> root@testJail:/ # zfs create gT/JailS/testJail/test
>> *cannot create 'gT/JailS/testJail/test': permission denied*
>> root@testJail:/ # exit
> zfs list is good start. I never used zfs from within jail so I cannot
> comment on permission denied. I don't know what more must be done.
I'm not sure which list you are referring to. I could not find any zfs
list in the FreeBSD mailing list lists.
> Send us `sysctl security.jail` from host and from jail too.
Giving the sysctl values later in the email, just one other thing in
case someone does not want to see them but would still be interested in
what I am trying to achieve.
Right now, as it stands, I can make do with what I have achieved --
i.e., I can manage the zfs datasets from /outside/ of jail while the
newly created datasets are still visible /inside/ the jail.
But what I would really like to have is:
a) ONLY the relevant datasets for a jail are visible and can be
manipulated from within the jail. I do not mind if they are visible from
host (in fact, I might prefer that -- not manipulate, just see and maybe
take snapshot of what is there -- helps in centralizing backups). But
the Jails /must not/ see each other's datasets.
b) if that is not achievable, maybe not allow the jails to see the
complete dataset hierarchy -- just make them feel that they are where
they are in a root, but still be able to create datasets that would
magically show up in the respective jails. This way, the total control
is from the host itself, to which no one has access, but the datasets
are restricted to different jails.
Now, for the sysctl values, here they come
#### From host itself
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 0
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 0
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 0
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.vnet: 0
security.jail.jailed: 0
#### and from inside the jail
root@testJail:/ # sysctl security.jail
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 4
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 1
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.vnet: 1
security.jail.jailed: 1
root@testJail:/ # exit
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
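The knobs Miroslav asked for and the jail.conf post-exec hook discussed above, as an added example that is not part of the thread: a small sh script that reads a `sysctl security.jail` dump, checks the settings that gate mount(2)/ZFS from inside a jail, and prints the jail.conf(5) lines that attach and release the jail's dataset using the `$name` variable. The sample values are copied from the in-jail output quoted in the thread; the failing sample and the `zfs unjail` pre-stop hook are my additions, not something the thread shows.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a `sysctl security.jail` dump for
# the settings that gate ZFS management inside a jail and emits jail.conf hooks.

# Constructed from the "from inside the jail" output quoted in the thread.
JAIL_SYSCTL='security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.jailed: 1'

# Constructed failing sample (hypothetical): jail mounting disabled, statfs
# enforcement at 2 (the default), which makes mount(2) return EPERM in a jail.
BAD_SYSCTL='security.jail.enforce_statfs: 2
security.jail.mount_zfs_allowed: 0
security.jail.mount_allowed: 0
security.jail.jailed: 1'

# sysctl_get DUMP KNOB -> prints the knob's value, or nothing if it is absent.
sysctl_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k ":" { print $2 }'
}

# check_zfs_delegation DUMP -> 0 when the view allows in-jail ZFS mounts;
# otherwise prints each offending knob and returns 1.
check_zfs_delegation() {
    dump="$1"; rc=0
    for knob in security.jail.mount_allowed security.jail.mount_zfs_allowed; do
        v=$(sysctl_get "$dump" "$knob")
        [ "$v" = "1" ] || { echo "missing: $knob (got '${v:-unset}', need 1)"; rc=1; }
    done
    v=$(sysctl_get "$dump" security.jail.enforce_statfs)
    [ "$v" != "2" ] || { echo "blocking: security.jail.enforce_statfs=2 (need 0 or 1)"; rc=1; }
    return $rc
}

# jailconf_zfs_hooks DATASET_ROOT -> jail.conf lines that attach the jail's
# dataset after start and detach it before stop, keyed on the jail's $name.
jailconf_zfs_hooks() {
    printf 'exec.poststart += "zfs jail $name %s/$name";\n' "$1"
    printf 'exec.prestop   += "zfs unjail $name $name %s/$name";\n' "$1" | sed 's/\$name \$name/$name/'
}

# Stand-alone run: audit the thread's in-jail view and print the hooks.
check_zfs_delegation "$JAIL_SYSCTL" && echo "in-jail view allows ZFS management"
jailconf_zfs_hooks gT/JailS
```

The check only covers the jail-side sysctls; the dataset itself must still be attached with `zfs jail`, which is what the poststart hook does.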