Hello all,
I have some rather naive questions re: hierarchical jails. For a start, when I try to start a jail within a jail I get:
Code:
root@outer:/ # jail -c inner
mount: .: Operation not permitted
jail: test1: /sbin/mount -t devfs -oruleset=4 . /jail/inner/dev: failed
My setup is as follows:
/etc/jail.conf on the host:
Code:
# defaults inherited by every jail in this file
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
host.hostname = "$name.mylab.example.org";
path = /jail/$name;
interface = em1;
ip4.addr = 10.1.1.$ip;

# the parent jail that should be able to start child jails
outer {
    children.max = 128;
    ip4.addr = 10.1.1.4,10.1.1.5;
    allow.mount = true;
    allow.mount.devfs = true;
    allow.mount.zfs = true;
}
In the 'outer' jail, I can verify that the mount_devfs_allow parameter is set, but I'm not sure what the security.jail.param.allow settings are:
Code:
security.jail.mount_procfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.devfs_ruleset: 0
security.jail.devfs_ruleset: 0
security.jail.mount_allowed: 1
Is there something obvious I'm missing?
In addition, I'm confused how the hierarchical jails are meant to work with zfs jailed property: would the child jails be able to mount the child zfs datasets of the 'outer' jail? The documentation suggests otherwise. Is the hierarchical jail feature used much at all, and what are the typical scenarios? For me, it seems appealing to arrange jails into hierarchies like work.{project1,project2,...}, labs.{test1, test2,...} etc - is there anyone on this forum who is using a similar setup?
Thanks!
leveche
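As an added example, not taken from the post above, here is one nested-jail layout written against what jail(8) documents. The host's jail.conf grants the outer jail the mount permissions plus enforce_statfs = 1; jail(8) states that allow.mount is effective only when enforce_statfs is lower than 2, and 2 is the default, so a parent with only allow.mount.* set still cannot mount anything. The outer jail then carries its own /etc/jail.conf for the inner jail. The names outer and inner, the /jail paths and the 10.1.1.x addresses mirror the post; the inner jail's address is one the post already gives to outer, because a child jail can only use addresses its parent holds.

```conf
# --- /etc/jail.conf on the host (added example; names and paths follow the post) ---
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
host.hostname = "$name.mylab.example.org";
path = /jail/$name;
interface = em1;

outer {
    ip4.addr = 10.1.1.4,10.1.1.5;
    children.max = 128;           # a jail can create child jails only if this is > 0
    allow.mount = true;           # lets root inside the jail call mount(8) ...
    allow.mount.devfs = true;     # ... for devfs, which the inner jail's mount.devfs needs
    allow.mount.zfs = true;
    enforce_statfs = 1;           # jail(8): allow.mount only takes effect when this is < 2 (default 2)
}

# --- /etc/jail.conf inside the outer jail (paths are relative to outer's root) ---
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;                      # the mount that fails with "Operation not permitted" when the parent lacks the permissions above
host.hostname = "$name.mylab.example.org";
path = /jail/$name;               # /jail/inner as seen from inside outer

inner {
    ip4.addr = 10.1.1.5;          # must be a subset of outer's addresses
    # no "interface" line: the host already configured this address on em1,
    # and a non-vnet jail cannot add interface addresses itself
}
```

When checking what a running parent jail was actually given, note that the security.jail.param.* sysctls describe the parameter types and limits rather than the values of any particular jail; from the host, `jls -j outer allow.mount allow.mount.devfs enforce_statfs children.max` prints the effective settings of the outer jail.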