Sharing a folder between jails on ezjail

Hello community,

First, I'm really impressed to see the FreeBSD community, all around the world, ready to share.

I start with apologies if you see too many mistakes in my English.

I started "playing" with FreeBSD 2 months ago; my purpose is to create a personal server for sharing files and media at home and outside.

I will reinstall FreeBSD from scratch and I have a clear idea of what I want, but even though I have read tons of things, I'm still not sure how to do it.

OK, thanks Fawst, but what do you want?

I want to set up three jails with ezjail on FreeBSD 10.3:

- nextcloud
- pyload
- plex

And share a folder called media across those jails.

I don't want this folder on my host, but inside one of the previously mentioned jails and mounted inside the others.

My question is, is it possible to mount this kind of folder? How can I do it? Basejail or flavours configuration?

Thank you very much for your help.
 
It's possible to do this from one jail to another but it's tricky. For example, what if the 'source' jail is down? What about updates or a complete reinstall of the jail?

The simplest solution (simple usually works best) is to create the directory on the host. And then use nullfs(5) to mount this directory on each of the jails.

I have, for example, poudriere running on the host creating package repositories. And I have one simple jail with nginx that has the poudriere data directory mounted read-only using nullfs(5). That way I can safely allow access to the files through the jail's web server.
 
Thank you for your fast response.

I don't want to create the folder on the host for security reasons, but that is simply a personal guess. If a file contains malicious things and it's read from a folder on the host, will my host be hurt, or only the jail that reads it?
 
You can also use the mount option in /etc/fstab.nextcloud, /etc/fstab.pyload and /etc/fstab.plex.

Add the following line as an example:
/media /jails/plex/media nullfs ro 0 0

Putting the media folder in /usr/basejail will not be any different than putting the media folder in /mnt/media. Using fstab controls which folders will be accessible to the jails. There's no way jails can access folders outside what is already defined in fstab.
 
If I understand well, Remington, I should do:

Code:
cd /usr/basejail
mkdir media

Then in /etc/fstab.nextcloud

Code:
# nextcloud will be used to manage files
/media /jails/nextcloud/media nullfs rw 0 0

Then in /etc/fstab.pyload

Code:
# pyload will be used to download files
/media /jails/pyload/media nullfs rw 0 0

Then in /etc/fstab.plex

Code:
# plex only needs to read files in media
/media /jails/plex/media nullfs ro 0 0

Can that work?
 
In your fstab files, it will be like this:
Code:
/basejail/media  /jails/plex/media nullfs rw 0 0

You will also need to create a media folder in /jails/plex.

Basejail is read-only so you will need to make another mount for read-write functionality.
 
Thank you.

So, for read-write I need to mount a folder on the host?

I'm starting to understand, thank you for your help.
 
If a file contains malicious things and it's read from a folder on the host, will my host be hurt, or only the jail that reads it?
It's a non-issue because the host can always read everything inside every jail. Malicious files in and of themselves are harmless; they're just a bunch of bytes. They don't spontaneously become active. As long as you don't execute the malicious code, the files will just sit there doing nothing.
 
Thank you.

So, for read-write I need to mount a folder on the host?

I'm starting to understand, thank you for your help.

Yes, fstab must use the host's file system, with full paths even for jails. Mount will not work inside a jail, so everything must be done from the host.
 
With my limited knowledge: if Plex reads the file, is that like executing it or not?
No. Just reading the bytes doesn't execute those bytes, it's just data being passed along.

It is, however, possible that if, for example, the audio player doesn't handle a file properly, a bug could trigger execution of code embedded within that file. But this requires certain bugs in the process handling the audio stream, bad programming, a specially prepared file and a lot of bad luck.

The specially prepared file may trigger such a bug with application A but application B (which doesn't have this bug) will just read it and the embedded code would never be executed.
 
Oh nice, we're getting close to solving my questions, but before that can you tell me what is wrong with the following:

I tried this before writing to you; as I told you, I play with FreeBSD :)

I started by creating a media folder directly at the root

Code:
mkdir /media
# -R must come before the path; "chmod 777 -r" is not valid
chmod -R 777 /media

I know this is a really bad thing, to perform a chmod 777 on a folder, but to try things it's pretty straightforward.

I added /media as an external storage in Nextcloud; thanks to the chmod 777 I got some pictures into the /media folder.

After that I mounted /media in the plex jail

Code:
mount_nullfs /media /jail/plex/mnt/media

Then I was able to see the pictures added previously.

The next day I rebooted the server and added a new picture using the external storage in Nextcloud, but when I run

Code:
cd /jail/plex/mnt/media
ls

I didn't see the new pictures; I saw only the pictures added first.

So what am I missing? Put the path in /etc/fstab.plex?
 
Thank you very much for this reply.

To make things useful, let me summarize.

If you want to share a folder between jails, keep it simple.

The simplest solution (simple usually works best) is to create the directory on the host. And then use nullfs(5) to mount this directory on each of the jails.

But if you have questions about security, don't worry, the files will only be read.

No. Just reading the bytes doesn't execute those bytes, it's just data being passed along.

It is, however, possible that if, for example, the audio player doesn't handle a file properly, a bug could trigger execution of code embedded within that file. But this requires certain bugs in the process handling the audio stream, bad programming, a specially prepared file and a lot of bad luck.

The specially prepared file may trigger such a bug with application A but application B (which doesn't have this bug) will just read it and the embedded code would never be executed.

In my case it will look like this:

Create a media folder and add the sub-folders you want.

Code:
mkdir /media
cd /media
mkdir Films
mkdir Photos
mkdir TVShows

Then change the permissions of your folder

Code:
# 770 rather than 760: the group needs the execute bit to enter the directories
chmod -R 770 /media
chown -R :www /media

With this, the group can read and write in this folder.

I suppose the jails are already set up and that in each jail (in my case nextcloud, plex and pyload) all these services are running with the same group www, and a media folder was already created under /mnt.

We mount the media folder in each jail

Code:
mount_nullfs /media /usr/jail/plex/mnt/media
mount_nullfs /media /usr/jail/pyload/mnt/media
mount_nullfs /media /usr/jail/nextcloud/mnt/media

Then we add the following line in each /etc/fstab.JAILNAME

Code:
vi /etc/fstab.plex
/media /usr/jail/plex/mnt/media nullfs ro 0 0

Code:
vi /etc/fstab.pyload
/media /usr/jail/pyload/mnt/media nullfs rw 0 0

Code:
vi /etc/fstab.nextcloud
/media /usr/jail/nextcloud/mnt/media nullfs rw 0 0

In the Nextcloud web interface, add the media folder as external storage.

If it's all correct you will be able to add or remove media files with Nextcloud and pyload, but only read them from Plex.

Do you think this is the correct way to do it? If not, I will edit this post.
 