jails Can't unmount zfs datasets in jail

I'm stumped here - trying to delegate a zfs dataset to a jail (using another pool) within iocage...

My config has what appear to be all the proper settings to allow a root user in the jail to manage zfs, and it all seems to work, but I cannot unmount any datasets.

Here's the config:
JSON:
{
    "allow_mount": 1,
    "allow_mount_devfs": 1,
    "allow_mount_zfs": 1,
    "basejail": 1,
    "boot": 1,
    "enforce_statfs": "0",
    "exec_created": "zfs set jailed=on data/jail-mounts/zfsmount; zfs jail ioc-zfsmount data/jail-mounts/zfsmount",
    "host_hostname": "zfsmount",
    "host_hostuuid": "zfsmount",
    "last_started": "2021-11-09 00:22:58",
    "release": "12.2-RELEASE-p10"
}

I have the various sysctl-related settings, lowered "enforce_statfs" to 0 (also was trying with 1), and I run some "exec_created" hooks here to ensure that the dataset has the "jailed" parameter enabled and to tie the jail and dataset together.

It seems to work in every other way. I can create new datasets in the jail, destroy them, create snapshots, etc. It's just the unmount that fails (both 'zfs unmount data/jail-mounts/zfsmount' and 'umount /jailmount').

Code:
root@zfsmount:~ # mount | grep jailmount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
root@zfsmount:~ # ls /jailmount/
foo    PG
root@zfsmount:~ # zfs unmount data/jail-mounts/zfsmount/PG
cannot unmount '/zroot/iocage/jails/zfsmount/root/jailmount/PG': Operation not permitted
root@zfsmount:~ #
root@zfsmount:~ # zfs unmount data/jail-mounts/zfsmount
cannot unmount '/zroot/iocage/jails/zfsmount/root/jailmount/PG': Operation not permitted
root@zfsmount:~ #
root@zfsmount:~ # umount /jailmount
umount: unmount of /zroot/iocage/jails/zfsmount/root/jailmount failed: Operation not permitted
root@zfsmount:~ # umount /jailmount/PG
umount: unmount of /zroot/iocage/jails/zfsmount/root/jailmount/PG failed: Operation not permitted

I'm totally not sure what I'm doing wrong here or if this is just some weird zfs/jail bug.
 
Is the filesystem in use perhaps? Some service that's running and has files locked in that dataset?
 
Is the filesystem in use perhaps? Some service that's running and has files locked in that dataset?
Nope - it's just an experiment, so I'm the only one in this vm, and I'm not mounting it anywhere that any daemon or anything would want to use it ("/jailmount").
 
Can you unmount from the host?
This is an interesting one...

I can, but only with "umount". If I use "zfs unmount data/jail-mounts/zfsmount", even with the jail stopped, the command returns without error, but the dataset remains mounted. This might just be normal zfs behavior for a dataset with the "jailed" property set though to prevent accidents?

Example:

Code:
[root@clweb1TEST /home/spork]# mount|grep jail-mount
[root@clweb1TEST /home/spork]#
[root@clweb1TEST /home/spork]# iocage start zfsmount
* Starting zfsmount
  + Started OK
  + Using devfs_ruleset: 1001 (iocage generated default)
  + Using IP options: ip4.saddrsel=1 ip4=new ip6.saddrsel=1 ip6=new
  + Starting services OK
  + Executing poststart OK
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# iocage console zfsmount
root@zfsmount:~ # mount | grep jail-mounts
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
root@zfsmount:~ # logout
[root@clweb1TEST /home/spork]# iocage stop zfsmount
* Stopping zfsmount
  + Executing prestop OK
  + Stopping services OK
  + Removing devfs_ruleset: 1001 OK
  + Removing jail process OK
  + Executing poststop OK
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# zfs unmount data/jail-mounts/zfsmount/PG
[root@clweb1TEST /home/spork]# zfs unmount data/jail-mounts/zfsmount
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# umount /zroot/iocage/jails/zfsmount/root/jailmount/PG
[root@clweb1TEST /home/spork]# umount /zroot/iocage/jails/zfsmount/root/jailmount
[root@clweb1TEST /home/spork]# mount|grep jail-mount
[root@clweb1TEST /home/spork]#
 
I am in the same situation, I can manage dataset from jail, mount/snapshot it, but I can't umount snapshots nor destroy snapshots.
I can manage snapshots of that dataset without problems from the physical host.

I have the following jail parameters:
allow.mount=1
allow.mount.zfs=1
enforce_statfs=1
exec.poststart = 'zfs jail PostgreSQL00 zroot/data_PostgreSQL00';

The dataset was created with the following commands:
zfs create -o mountpoint=/var/db/postgres/data15 -o canmount=noauto zroot/data_PostgreSQL00
And applied jail-friendly parameter:
zfs set jailed=on zroot/data_PostgreSQL00

Am I doing anything wrong? Maybe it's a bug?
 