From owner-freebsd-jail@FreeBSD.ORG Sun Feb 3 14:55:07 2013
From: Łukasz Wąsikowski
Date: Sun, 03 Feb 2013 15:54:57 +0100
To: freebsd-fs@freebsd.org, freebsd-jail@freebsd.org
Subject: Problem with zfs mount all in jails
Message-ID: <510E7A41.3070101@wasikowski.net>

Hi,

I've got a problem with automation of zfs mount in a jail.

I'm using 9.1-STABLE r246099 and ezjail to manage jails. Each jail has its own dataset, and I want to delegate another dataset(s) which can be managed from inside a jail.

1. Dataset for jail:

# zfs list jinx/jails/jtest
NAME               USED  AVAIL  REFER  MOUNTPOINT
jinx/jails/jtest  50.7M  18.5G  1.59M  /data/jails/jtest

2. Dataset for injail management:

# zfs list jinx/jails/jtest/www
NAME                  USED  AVAIL  REFER  MOUNTPOINT
jinx/jails/jtest/www   63K  18.5G    32K  /data/www

# zfs get jailed jinx/jails/jtest/www
NAME                  PROPERTY  VALUE  SOURCE
jinx/jails/jtest/www  jailed    on     local

3. Some ezjail settings for this jail (/usr/local/etc/ezjail/jtest file):

export jail_jtest_rootdir="/data/jails/jtest"
export jail_jtest_mount_enable="YES"
export jail_jtest_devfs_enable="YES"
export jail_jtest_devfs_ruleset="devfsrules_jail"
export jail_jtest_parameters="allow.mount.zfs=1 allow.mount=1 enforce_statfs=1 allow.raw_sockets=1"
export jail_jtest_zfs_datasets="jinx/jails/jtest/www"

4. In jail's rc.conf zfs is enabled:

# grep zfs /data/jails/jtest/etc/rc.conf
zfs_enable="YES"

5. I start jail (service ezjail start) and got this:

# jexec 1 zfs get mounted jinx/jails/jtest/www
NAME                  PROPERTY  VALUE  SOURCE
jinx/jails/jtest/www  mounted   no     -

But when I run:

# jexec 1 service zfs start

dataset gets mounted

# jexec 1 zfs get mounted jinx/jails/jtest/www
NAME                  PROPERTY  VALUE  SOURCE
jinx/jails/jtest/www  mounted   yes    -

What am I missing? Why is zfs mount -a (which should be invoked by /etc/rc.d/zfs) not launched on jail start but works when I run zfs service manually?
--
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 4 11:06:46 2013
From: FreeBSD bugmaster
Date: Mon, 4 Feb 2013 11:06:45 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-Id: <201302041106.r14B6jk8028791@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/174902  jail       [jail] jail should provide validator for jail names
o kern/174436  jail       [jail] Jails with numbers as names don't work
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

15 problems total.
From owner-freebsd-jail@FreeBSD.ORG Tue Feb 5 18:33:08 2013
From: Łukasz Wąsikowski
Date: Tue, 05 Feb 2013 19:33:02 +0100
To: freebsd-fs@freebsd.org, freebsd-jail@freebsd.org
Subject: zfs in jail - cannot mount: Insufficient privileges
Message-ID: <5111505E.6030105@wasikowski.net>

FreeBSD 9.1-STABLE r246099, zfs in jail, unprivileged user is unable to mount dataset.

In jail:

# sysctl vfs.usermount security.jail.enforce_statfs security.jail.mount_zfs_allowed security.jail.mount_allowed security.jail.jailed
vfs.usermount: 1
security.jail.enforce_statfs: 0
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.jailed: 1

# zfs allow jinx/jails/jtest/testset
---- Permissions on jinx/jails/jtest/testset -------------------------
Permission sets:
        @testperms clone,create,destroy,mount,quota,readonly,receive,rollback,send,snapshot
Local+Descendent permissions:
        user testuser @testperms

# zfs get mountpoint jinx/jails/jtest/testset
NAME                      PROPERTY    VALUE     SOURCE
jinx/jails/jtest/testset  mountpoint  /testset  local

# getfacl /testset
# file: /testset
# owner: testuser
# group: testuser
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow

# su - testuser
$ zfs create jinx/jails/jtest/testset/testdir
cannot mount 'jinx/jails/jtest/testset/testdir': Insufficient privileges
filesystem successfully created, but not mounted

Is it a bug or am I missing something?

root can create dataset in this jail without any problem:

# zfs create jinx/jails/jtest/testset/testdir2 && zfs list jinx/jails/jtest/testset/testdir2
NAME                               USED  AVAIL  REFER  MOUNTPOINT
jinx/jails/jtest/testset/testdir2   31K  18.4G    31K  /testset/testdir2

On host user can create and mount dataset, problem appears only in jail.
--
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Fri Feb 8 18:42:30 2013
From: "Lawrence K. Chen, P.Eng."
Date: Fri, 8 Feb 2013 13:42:24 -0500 (EST)
To: freebsd-jail@freebsd.org
Subject: Re: routing issue with Jail hosts :: suggestion requested
Message-ID: <1467410895.13243627.1360348944428.JavaMail.root@k-state.edu>
In-Reply-To: <315628769.12225723.1360192719342.JavaMail.root@k-state.edu>

Hmm, I had started to write a blog posting about how I ended up with a similar situation, and using fib to solve it. Though we decided to go in a different direction for production deployments of FreeBSD in our datacenter...of which there aren't any yet.

I should see about finishing the posting sometime.

----- Original Message -----
> On Tue, Jan 08, 2013 at 12:39:44PM -0800, Devin Teske wrote:
> > Maybe giving each of the jails their own networking stack would
> > help?
> >
> > Do you know about VIMAGE?
> >
> > I have a boot script that makes it easy to test out this
> > new/experimental (yet very stable) feature:
> >
> > http://druidbsd.sf.net/vimage.shtml
>
> VIMAGE (vnet option of jails) can do this but may be a bit overkill.
> Creating two routing tables and use jail__fib in rc.conf to assign
> each jail to a certain routing table should be enough to do the
> trick.
>

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
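
Added example, not part of any message in this archive: a check of the jail(8) preconditions for ZFS mounts inside a jail (allow.mount and allow.mount.zfs set, enforce_statfs lower than 2), run over the sysctl values quoted in the "zfs in jail - cannot mount" message above. The function names are hypothetical and the sample input is constructed from that quoted output.

```shell
#!/bin/sh
# Added example (not from the thread): check the jail(8) preconditions for
# mounting ZFS inside a jail, given "name: value" text as sysctl prints it.

# Constructed sample: the sysctl values quoted in the message.
SAMPLE='vfs.usermount: 1
security.jail.enforce_statfs: 0
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.jailed: 1'

# sysctl_value TEXT NAME: print the value of NAME, or nothing if it is absent.
sysctl_value() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" '$1 == k { print $2; exit }'
}

# check_jail_zfs_mount TEXT: print FAIL/WARN lines; return 1 if any FAIL.
check_jail_zfs_mount() {
    rc=0
    for name in security.jail.mount_allowed security.jail.mount_zfs_allowed; do
        if [ "$(sysctl_value "$1" "$name")" != 1 ]; then
            echo "FAIL: $name is not 1"
            rc=1
        fi
    done
    # jail(8): allow.mount.zfs only takes effect with enforce_statfs below 2.
    case "$(sysctl_value "$1" security.jail.enforce_statfs)" in
        0) echo "WARN: enforce_statfs=0 exposes all mount points to the jail; 1 is sufficient" ;;
        1) ;;
        *) echo "FAIL: enforce_statfs must be lower than 2 for allow.mount.zfs"
           rc=1 ;;
    esac
    return $rc
}

# On a live jail, feed it real values instead of the sample:
#   check_jail_zfs_mount "$(sysctl security.jail.enforce_statfs \
#       security.jail.mount_allowed security.jail.mount_zfs_allowed)"
check_jail_zfs_mount "$SAMPLE" && echo "mount preconditions met"
```

The ezjail parameters in the first message (`enforce_statfs=1`) pass without the warning; the values quoted in the later message pass too, but with `enforce_statfs` at its least restrictive setting.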