Date: Wed, 15 Mar 2017 08:19:32 +0000
From: Arthur Chance <freebsd@qeng-ho.org>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11 - /etc/fstab
Message-ID: <fe6dc47a-d40d-e502-9944-efcf2e76e4ba@qeng-ho.org>
In-Reply-To: <ccf600c6c585f31bb688eba1befd91b7.squirrel@webmail.harte-lyne.ca>
References: <752326cf454b5045b8759e7a4a163a23.squirrel@webmail.harte-lyne.ca> <8e5c5be426784129a426acf656748826@dweimer.net> <ccf600c6c585f31bb688eba1befd91b7.squirrel@webmail.harte-lyne.ca>
On 14/03/2017 20:59, James B. Byrne via freebsd-questions wrote:
> On Tue, March 14, 2017 16:01, Dean E. Weimer wrote:
>> Look at man jail, search for mount.fstab, that's probably what you
>> need.
>> I use it for mounting nullfs file systems to my jails, haven't tried
>> with these special file systems though.
>
> I read the man page which is why I first looked in the ezjail
> configuration file for this particular jail to see if the ability to
> mount these special file-systems was enabled. It appeared to be. I
> then updated the /etc/fstab.jailname file to have the desired
> entries:
>
> # cat /etc/fstab.hllidempiere
> /usr/jails/basejail /usr/jails/hllidempiere/basejail nullfs ro 0 0
> fdesc /dev/fd fdescfs rw 0 0
> proc /proc procfs rw 0 0
>
> However, when I start the jail, log on to it, and perform a mount
> command this is all I see:
>
> # mount
> zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
>
> Thus my question.

If your jail.conf has "enforce_statfs = 2" in it the jail can't report any mounts other than its root. You should be able to see all mounts from the host.

The best test when in the jail is whether you can see /proc or not. If so, the jail system is doing its job of mounting the extra filesystems *before* the jail starts, which means you can safely prevent the jail from doing mounts itself, improving security. The only reason for having /etc/fstab in the jail is to stop the rc scripts complaining about it being missing, and an empty file is sufficient for that.

Note that looking for /dev/fd isn't quite the same. devd provides a vestigial /dev/fd itself, containing just 0, 1 & 2 (i.e. stdin, stdout & stderr). If fdesc is mounted you might see other file descriptors depending on what your shell has open.

-- 
By June 1949, people had begun to realize that it was not so easy to get a program right as had at one time appeared. It was on one of my journeys between the EDSAC room and the punching equipment that the realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs. -- Maurice Wilkes
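An added example, not code from this thread: a POSIX sh check run on the host that reads the enforce_statfs value for a jail out of a jail.conf fragment and compares the entries of fstab.<jailname> against what `mount` reports, so the host can confirm the pre-start mounts without relying on the jail's own (restricted) view. The jail.conf fragment and the mount output below are constructed; the example assumes the fdesc and proc mountpoints are meant to land under the jail's path, so it prefixes the jail root to any mountpoint not already beneath it.

```shell
#!/bin/sh
# Added example (not from the thread). Verify, from the host, that the mounts
# listed in /etc/fstab.<jailname> are present and read enforce_statfs from jail.conf.

# Constructed sample: what `mount` on the host might print once the jail is up.
HOST_MOUNT_OUTPUT='zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/hllidempiere/basejail (nullfs, local, read-only)
fdescfs on /usr/jails/hllidempiere/dev/fd (fdescfs)
procfs on /usr/jails/hllidempiere/proc (procfs, local)'

# Constructed jail.conf fragment (the "name {" / "}" block layout is assumed).
JAIL_CONF='hllidempiere {
    path = /usr/jails/hllidempiere;
    enforce_statfs = 2;
    allow.mount = 0;
}'

# Copy of the fstab.jailname shown in the thread.
JAIL_FSTAB='/usr/jails/basejail /usr/jails/hllidempiere/basejail nullfs ro 0 0
fdesc /dev/fd fdescfs rw 0 0
proc /proc procfs rw 0 0'

# enforce_statfs_for <jail> <jail.conf text>: print the value, or "unset".
enforce_statfs_for() {
    printf '%s\n' "$2" | awk -v jail="$1" '
        $1 == jail && $2 == "{" { inside = 1 }
        inside && /^[[:space:]]*enforce_statfs[[:space:]]*=/ {
            v = $0; sub(/.*=[[:space:]]*/, "", v); sub(/[[:space:]]*;.*/, "", v)
            print v; found = 1; exit
        }
        inside && $1 == "}" { inside = 0 }
        END { if (!found) print "unset" }'
}

# missing_mounts <jail root> <fstab text> <mount output>: one line "<path> <fstype>"
# per fstab entry that the host does not show mounted under the jail root.
missing_mounts() {
    root="$1"
    printf '%s\n' "$2" | while read -r dev mnt fstype rest; do
        [ -z "$dev" ] && continue
        case "$dev" in \#*) continue ;; esac
        # Assumption: mountpoints not already under the jail root are jail-relative.
        case "$mnt" in
            "$root"/*) full="$mnt" ;;
            *)         full="$root$mnt" ;;
        esac
        if ! printf '%s\n' "$3" | grep -qF -- " on $full ($fstype"; then
            printf '%s %s\n' "$full" "$fstype"
        fi
    done
}
```

With all three entries mounted the checker prints nothing; drop a line from the mount output and the corresponding mountpoint and fstype are reported.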