From owner-freebsd-jail@freebsd.org Sat Dec 17 19:00:20 2016 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 51F85C8564B for ; Sat, 17 Dec 2016 19:00:20 +0000 (UTC) (envelope-from Alexander@leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:375::1:5]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E192812F5 for ; Sat, 17 Dec 2016 19:00:19 +0000 (UTC) (envelope-from Alexander@leidinger.net) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=leidinger.net; s=outgoing-alex; t=1482001189; bh=Lr3/gP3/8z61i+jQcvgtIq0UYG6/mZV0omnRrr6nxiI=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=qIhSvgpy9xRGF/aON5+Grjt7VYaxg+jNkyoqVc2KgWZy23VeT6yHW5NG9kZ6jv1cz mOZl9jgSUl8T1XoNqNrNhNx81+plwiL85Om+CVHybYIJeHr/EdDO8qggY7fOrJglS5 R9KbaaeVnfYZiydnp1kQcwfHznhDjBvIxFh0uc00pmKlSn63PyjbZm0A2Fc+ajkOR1 ieQpEGJ9rd1qvdS4bM2CVh1J/Q0bkhk8tHmjLnbAFBy1AeLtbSCYu73BqlJBSHsiFI +O7CPoY6aDUdVk0ywL9JdgF+bFi6dP8sq5aETw+Yj1tsXc0dmWcJJCM6I7e+94TrP6 jtFbB9wtu+H5w== DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=leidinger.net; s=outgoing-alex; t=1482001208; bh=Lr3/gP3/8z61i+jQcvgtIq0UYG6/mZV0omnRrr6nxiI=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=Ic3iPhE3JLhKYW5ASy+IWrUrQu10uYQa0Hwdni2VpH4/qjV3Evxmz2zh0eD9IpBKS 6C55OzUWOXYcUAeDzv5csA14w9o0zWJYDTMOZszAPmLQMdMsNCPr309vkABY1v3WDH 5k1NSooPBNtWtBwKAnvopRZgUWu3R8i2SUbZ2i0WPDiVMYi+MqJB9bD237FwuJSMIe 1s7bmnU1OhgjUzlcn+q8wnQnre89bDs+rtwjGitVvWjQnR+r6ERlM9Mn88WSPjTJ/j F06BphvyV/dC+c29xiLjY6NWuV2uQoOB+7sxa5uenjD8jlnPTI87r6WLbBv5ueBRKV 9gF+gFhlPmHww== Date: Sat, 17 Dec 2016 19:59:49 +0100 Message-ID: <20161217195949.Horde.PTQ3AH5YpaT79dVSxM5UvNr@webmail.leidinger.net> From: Alexander Leidinger To: SK Cc: freebsd-jail Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial] References: <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <5849C5BF.7020005@quip.cz> <584A9179.9060508@quip.cz> <584A9D89.4040003@quip.cz> <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org> <584AB345.4080307@quip.cz> <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org> <20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW@webmail.leidinger.net> In-Reply-To: User-Agent: Horde Application Framework 5 Content-Type: multipart/signed; boundary="=_K9AONlVuvw9Zy4MTTLpJPDH"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Dec 2016 19:00:20 -0000 This message is in MIME format and has been PGP signed. --=_K9AONlVuvw9Zy4MTTLpJPDH Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Quoting SK (from Fri, 16 Dec 2016 14:02:20 +0000): > On 16/12/2016 13:15, Alexander Leidinger wrote: >> For one of the filesystems I have set "zfs allow" permissions, but=20=20 >>=20just that a specific user in the jail can do something on those FS=20= =20 >>=20without the need to switch to root. So as long as you try to do a=20= =20 >>=20zfs create/snapshot with an user with UID 0 inside the jail, the=20=20 >>=20"zfs allow" part doesn't come into play. >> >> So assume space/jails/xyz.leidinger.net/ to be the dataset which=20=20 >>=20contains the root of the jail but is not attached/attributed to the=20= =20 >>=20jail itself. space/jails/xyz.leidinger.net/data with=20=20 >>=20mountpoint=3Dnone to be attributed ("zfs jail xyz=20=20 >>=20space/jails/xyz.leidinger.net/data") to the jail (similar to the=20=20 >>=20"space/something" in the ezjail config above, I have some=20=20 >>=20iocage-managed jails were this works). In this case you should be=20= =20 >>=20able to do from inside the jail "zfs create -o mpuntpoint=3D/mnt=20=20 >>=20space/jails/xyz.leidinger.net/data/test". >> > hmmm, I'm slightly confused at this point. Let me see if I can=20=20 >=20clarify that in my brain > > If I understand you correctly, what you are suggesting is, the=20=20 >=20dataset used by the jail itself for its root/base cannot be "worked=20= =20 >=20on" from within the jail, but if I define a different dataset (under=20= =20 >=20the same branch below the jail dataset), and attribute it to the=20=20 >=20jail, then I can manipulate that "other" dataset. Could you please=20= =20 >=20confirm if I understood it correctly? Correct. You need the data in the root of the jail to boot, if you then=20=20 attribute=20this dataset to the jail, it will vanish until "zfs mount=20=20 -a"=20is run (rc script inside the jail). As it will vanish during the=20= =20 boot=20of the jail (if added automatically), the rc script to mount all=20= =20 datasets=20can not be found. >>> And now to everyone, I am still confused about zfs set jailed=3Don.=20= =20 >>>=20As I mentioned on my previous emails, as soon as I do that, the=20=20 >>>=20dataset vanishes from the host system (as I understand, that is=20=20 >>>=20expected behaviour). Then the jail fails as it is unable to mount=20= =20 >>>=20/dev, /proc >> >> From the zfs man page: >> ---snip--- >> After a dataset is attached to a jail and the jailed property is set= , a >> jailed file system cannot be mounted outside the jail, since the jai= l >> administrator might have set the mount point to an unacceptable valu= e. >> ---snip--- >> >> So yes, it is expected that it "vanishes", but it should be visible=20= =20 >>=20from the parent host at the place inside the jail FS subtree were=20= =20 >>=20it is mounted there (after setting the mountpoint of the dataset). >> > I think what you are trying to tell here is, unless and until that=20=20 >=20"vanished" dataset is put to use (mounted) from inside the jail, it=20= =20 >=20will remain vanished/unusable from the host itself; however, once=20=20 >=20that dataset is put to use, the host system should be able to "see"=20= =20 >=20and maybe even work on that dataset. Could you please confirm if I=20= =20 >=20understood you correctly? Correct. A sub-dataset which is not needed to boot, or a dataset not within the=20= =20 subtree=20of the jail (and not needed to boot) can be used. Bye, Alexander. --=20 http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_K9AONlVuvw9Zy4MTTLpJPDH Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- iQIcBAABAgAGBQJYVYskAAoJEKrxQhqFIICErHwP/13/s8PzZMP0lLFi4hh4SjxA FHNVhEzdapZMtYMe62vz2W3UkSxZTRsGnehnYINvh6KOd0MZ6lKAfar8dIP20qrm eIsj4qh9sWcEpkSYOpM16uEdNJ1wIdniKhd4OmR/nyMshdHHVXVtdRIDVVA6OFav lscK45Evixfb5PKhReR1zpqa747jB8v8e6vbzmg8Or+I01gugb9Wa1j2g7BZhi+N wOzIYa2Y5jn20xcCtuWG3EMbKXQATyhhfPvz/fKnedLFag4I4uoMtnCOI1iREDMk FcZMs5YKXHvQRclfMKh+zTpc+Gszf8PQsHwNlU5veTmI7jsWP6p21HxTOjL/CbNy SpIn+YQkqfCvVRGEogKHinl/ltUQnV7nT0g2kl1Od8eSHxCtJQUf0sOy0/PSBf2q 50sxX0FMWUazRNWf00BhIHcxHbj4PmW0lgh014eptKNoB2o0DF23bhD6DigE2zaC TU0rnb3cDKeUIssu3gMrx0p3JlX1Ob9eyxVPWkSJwixlgIpazwAQRBFq6O8VuftW gSDsNE7XUw3YS59kCiKMu/Sswr3pshy3pDpIONQp2j4//uFckVDMgQsbHdghCf68 oLxcoulpl4iPEBR5l0IkvSKWUoE/CRTSRRvr1O2X7PYW552NRMdWAJbiWdfG+lTk JrPpii4sGtmpFoSjh5e4 =eVue -----END PGP SIGNATURE----- --=_K9AONlVuvw9Zy4MTTLpJPDH--