Date: Fri, 9 Dec 2016 12:11:53 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK <fbstable@cps-intl.org>, freebsd-jail <freebsd-jail@freebsd.org>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
Message-ID: <584A9179.9060508@quip.cz>
In-Reply-To: <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org>
References: <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org> <5849C5BF.7020005@quip.cz> <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org>
SK wrote on 2016/12/09 11:12:
>> zfs list is good start. I never used zfs from within jail so I cannot
>> comment on permission denied. I don't know what more must be done.
>>
> I'm not sure which list you are referring to. I could not find any zfs
> list in FreeBSD mailing list lists

I mean your command "zfs list", because normally "zfs list" inside a jail prints: "no datasets available" :)

> But, what I would really like to have
>
> a) ONLY the relevant datasets for a jail are visible and can be
> manipulated from within the jail. I do not mind if they are visible from
> host (in fact, I might prefer that -- not manipulate, just see and maybe
> take snapshot of what is there -- helps in centralizing backups). But
> the Jails /must not/ see each others' datasets

zfs create gT/JailS/testJail
zfs set jailed=on gT/JailS/testJail    << Did you set this property?
# (populate & start jail)
zfs jail testJail gT/JailS/testJail

> b) if that is not achievable, maybe not allow the jails to see the
> complete dataset hierarchy -- just make them feel that they are where
> they are in a root, but still be able to create datasets that would
> magically show up in the respective jails. This way, the total control
> is from the host itself, where no one has access to, but the datasets
> are restricted to different jails.

What is visible is controlled by enforce_statfs values. If you create /tank/jail/alpha and set this path to your first jail, no other jail will know about it.

> Now, for the sysctl values, here they come

sysctls seem OK, I am out of ideas now. Maybe I will have time next week to try this on my test setup.

Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?584A9179.9060508>
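The following jail.conf fragment is an added example that is not part of the thread above; it ties together the three pieces the reply names (a dataset with jailed=on, zfs jail to attach it, and enforce_statfs to limit what the jail sees) into one repeatable setup. The pool and jail names (gT, gT/JailS, testJail) follow the thread; the host path /jails, the child dataset gT/JailS/testJail/data, its mountpoint /data and the hostname are assumptions chosen for the example. It differs from the snippet in the reply in one respect: the jail root stays an ordinary dataset, and only a child dataset is marked jailed=on and delegated, because a dataset with jailed=on cannot be mounted from the host.

```conf
# /etc/jail.conf -- added example, not from the thread. Names gT, gT/JailS
# and testJail come from the thread; /jails, .../testJail/data, /data and
# the hostname are assumptions for this example.
#
# One-time preparation on the host (as root):
#   zfs create -o mountpoint=/jails gT/JailS
#   zfs create gT/JailS/testJail          # jail root: stays UNjailed, mounted on host
#   (populate /jails/testJail with a base system, e.g. extract base.txz)
#   zfs create -o jailed=on -o mountpoint=/data gT/JailS/testJail/data
#
# jailed=on keeps the host from mounting the data dataset (zfs mount -a skips
# it); the mountpoint /data is interpreted relative to the jail root once the
# jail mounts it, i.e. /jails/testJail/data as seen from the host.

exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

testJail {
    path          = "/jails/$name";
    host.hostname = "testjail.example.org";

    # The jail may mount its own ZFS datasets. allow.mount.zfs only takes
    # effect together with allow.mount and with enforce_statfs below 2.
    allow.mount;
    allow.mount.zfs;

    # 1: mount(8)/df(1) inside the jail show only mounts under the jail root.
    # 0 would reveal every host mount, 2 would disable allow.mount.zfs.
    enforce_statfs = 1;

    # The zfs jail attachment does not survive a jail restart (the jail gets a
    # new ID), so re-attach the delegated dataset every time the jail starts.
    exec.poststart = "/sbin/zfs jail $name gT/JailS/testJail/data";
}

# Start and verify:
#   jail -f /etc/jail.conf -c testJail
#   jexec testJail zfs list        # only gT/JailS/testJail/data and its children
#   jexec testJail zfs mount -a    # mounts it at /data inside the jail
#   jexec testJail zfs create gT/JailS/testJail/data/www   # jail-local datasets
#   zfs list -r gT/JailS           # host still sees every jail's datasets
#   zfs snapshot -r gT/JailS/testJail/data@nightly         # host-side backup
```

With this arrangement each jail is attached only to its own child of gT/JailS, so `zfs list` inside testJail never shows another jail's dataset, while the host keeps full visibility for centralized snapshots. Attaching the dataset in exec.poststart rather than by hand is the part most often forgotten: after a restart the jail will again report "no datasets available" until zfs jail is run for the new jail ID.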