Quoting SK <fbsta...@cps-intl.org> (from Thu, 8 Dec 2016 19:13:15 +0000):

@Alexander: I checked out your link. It is interesting, but you are using ezjail, which I am trying to avoid. I have nothing against it, but I think making it work without too many additional layers of obfuscation will help me learn it better. So, thanks again, and sorry I cannot use that solution right now.

My comment was targeted at the devfs rule to unhide /dev/zfs (and as I see, this is what you did); this is independent of the context (plain jail, ezjail, iocage, ...).


Current status

The main system (host) has gT as the pool/dataset, where the root is mounted. I have created two more datasets:
# zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
gT                 10.3G   199G  9.51G  legacy
gT/JailS            832M   199G    20K  /JailS
gT/JailS/testJail   546K   199G   827M  /JailS/testJail


Initially they were not visible from within the jail, but as I ran
zfs jail testJail gT/JailS/testJail
they were visible from inside.

This means it works, else you would be able to see anything.

HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
root@testJail:/ # zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
gT                 10.3G   199G  9.51G  legacy
gT/JailS            832M   199G    20K  /JailS
gT/JailS/testJail   546K   199G   827M  /JailS/testJail
root@testJail:/ # zfs snapshot gT/JailS/testJail@test
*cannot create snapshots : permission denied*
root@testJail:/ # zfs create gT/JailS/testJail/test
*cannot create 'gT/JailS/testJail/test': permission denied*
root@testJail:/ # exit

Hmmm.... no immediate idea for that one...

I definitely am able to snapshot inside my jails.
Apart from the <jail>:rc.conf:zfs_enable="YES" which you already got told about... wait, have you increased the security level ("sysctl kern.securelevel") of the host?

Even after the jail was able to see the dataset, the following sysctl was still zero
security.jail.mount_zfs_allowed: 0

I think this is needed if you want to import a pool (zpool import) from a device (which is made visible in the devfs) or file.

I changed it to one, but that didn't seem to have the desired effect (should I have restarted?)

A restart of the jail may be needed to have this setting take effect, but not the host.

Bye,
Alexander.


--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
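
Added example, not part of the original message: a POSIX sh check of the prerequisites that zfs(8) lists for managing a dataset from inside a jail (jailed property set, allow.mount and allow.mount.zfs enabled, enforce_statfs lower than 2), plus the /dev/zfs and kern.securelevel points raised in the thread. The function names and the sample state are constructed; the jailed property and the sysctls security.jail.mount_allowed and security.jail.enforce_statfs are not mentioned in the message.

```shell
#!/bin/sh
# Added example (not from the thread): why "permission denied" inside the jail?

# collect_state JAIL DATASET: run as root on the FreeBSD host, prints key=value lines.
collect_state() {
    echo "securelevel=$(sysctl -n kern.securelevel)"
    echo "jailed=$(zfs get -H -o value jailed "$2")"
    echo "mount_allowed=$(jexec "$1" sysctl -n security.jail.mount_allowed)"
    echo "mount_zfs_allowed=$(jexec "$1" sysctl -n security.jail.mount_zfs_allowed)"
    echo "enforce_statfs=$(jexec "$1" sysctl -n security.jail.enforce_statfs)"
    if jexec "$1" test -c /dev/zfs; then echo "dev_zfs=yes"; else echo "dev_zfs=no"; fi
}

# diagnose: read key=value lines on stdin, print one line per unmet prerequisite.
diagnose() {
    while IFS='=' read -r key val; do
        case "$key" in
            jailed)            [ "$val" = "on" ] || echo "dataset: jailed=$val, run 'zfs set jailed=on' on the host" ;;
            mount_allowed)     [ "$val" = "1" ] || echo "jail: allow.mount is off" ;;
            mount_zfs_allowed) [ "$val" = "1" ] || echo "jail: allow.mount.zfs is off" ;;
            enforce_statfs)    [ "$val" -lt 2 ] || echo "jail: enforce_statfs=$val, must be lower than 2" ;;
            dev_zfs)           [ "$val" = "yes" ] || echo "devfs: /dev/zfs is hidden in the jail" ;;
            securelevel)       [ "$val" -le 0 ] || echo "host: kern.securelevel=$val is raised" ;;
        esac
    done
    return 0
}

# Constructed sample state: mount_zfs_allowed=0 and a visible /dev/zfs match the
# thread; the other values are assumptions made for illustration.
SAMPLE_STATE='securelevel=-1
jailed=off
mount_allowed=0
mount_zfs_allowed=0
enforce_statfs=2
dev_zfs=yes'

printf '%s\n' "$SAMPLE_STATE" | diagnose

# On a real host: collect_state testJail gT/JailS/testJail | diagnose
```

After changing jail parameters, restart the jail and re-run `zfs jail` before checking again.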
