How can I mount a nullfs inside a jail (iocage)?

I have the following in /etc/sysctl.conf:

Code:
security.jail.mount_allowed=1
#security.jail.param.allow.mount=1

security.jail.param.allow.mount.nullfs=1
security.jail.mount_nullfs_allowed=1

security.jail.param.allow.mount.devfs=1
security.jail.mount_devfs_allowed=1

and for the jail:

Code:
(jailhost </root>) 0 # iocage get all php70 |grep mount
allow_mount:1
allow_mount_devfs:1
allow_mount_nullfs:1
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
jail_zfs_mountpoint:none
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly


Yet, I get a permission denied when I try to nullfs mount something inside the jail.

Is that even possible?
 
There might be a need for you to set the devfs.rules in /etc/ AND/OR set up an fstab file for the jail. It has to be mounted on boot.
 
I've got

jail_devfs_enable="YES"
jail_devfs_ruleset="devfsrules_jail"
jail_nullfs_enable="YES"
(if the latter exists at all)

Code:
(jailhost </root>) 0 # cat /etc/devfs.rules
# Devices usually found in a jail.
#
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
 
It's been a while since I messed with devfs inside a jail but as far as I know you also need this:

Code:
#       sysvmsg = new;
#       sysvshm = new;
#       sysvsem = new;

#       devfs_ruleset = 2;
#       enforce_statfs = 1;
(uncommented of course).

See also jail(8).
 
You typically mount filesystems from the host. You can add filesystems specific for the jail to /etc/fstab.<jailname>.

That said, it is possible to mount filesystems from within a jail. What exactly are you trying to mount?
 
SirDice: He said nullfs. Most likely, one or more apps require it. I get it done with the above suggestions though I use ezjail not iocage.
 
Hi,

I have been setting up jails (using iocage) for Plex, NZBGet, Sonarr, Radarr, Lidarr, etc. who all need access to the same zfs datasets. So I am using nullfs. I have not had to concern myself with setting nullfs specific parameters for the jails.

From the host, I issue the following:

Code:
% doas iocage fstab -a <jail_name> <mountpoint_on_host> <mountpoint_on_jail> nullfs <permissions> 0 0

% doas iocage fstab -a darkhorse /medialake2/movies /mnt/movies nullfs rw 0 0

This seems to work well.
 
@SirDice: He said nullfs.
Yes.

Code:
root@molly:~ # cat /etc/fstab.ports
/usr/src                /jails/j-ports/usr/src                  nullfs  ro      0       0
/usr/ports              /jails/j-ports/usr/ports                        nullfs  ro      0       0
/usr/ports/distfiles    /jails/j-ports/usr/ports/distfiles      nullfs  ro      0       0
/usr/ports/packages     /jails/j-ports/usr/ports/packages               nullfs  ro      0       0
/usr/local/poudriere/data       /jails/j-ports/data             nullfs  ro      0       0
/storage/release        /jails/j-ports/storage/release          nullfs  ro      0       0
/storage/release/11-stable      /jails/j-ports/storage/release/11-stable                nullfs  ro      0       0
All nullfs(5) from the host, for a jail named ports. They're all read-only but read/write shouldn't be a problem. This jail only runs a webserver to host them, it doesn't need write access.

Code:
root@molly:~ # jls
   JID  IP Address      Hostname                      Path
     1  192.168.10.202  j-ports.dicelan.home          /jails/j-ports
If you can mount it, you can use /etc/fstab.<jailname>. The nice thing about this setup is that the filesystems are automatically mounted/unmounted when the jail starts/stops. Most of the time you can get away with having the host mount whatever filesystem you need. Which is why I was interested to know what needs to be done from inside the jail.
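
Added example (not part of the original thread and not any poster's own code): a POSIX sh check for the host-side /etc/fstab.<jailname> approach described above, flagging nullfs entries that are writable or whose target falls outside the jail root. The function names and the two /srv entries are constructed for illustration; the check is lexical only and does not resolve symlinks.

```sh
#!/bin/sh
# audit_jail_fstab JAIL_ROOT  (fstab content is read from stdin)
# Prints one finding per line: "<FINDING> <source> <target>".
audit_jail_fstab() {
    jail_root=${1%/}
    # fstab fields: device mountpoint fstype options dump passno
    while read -r src dst fstype opts _rest; do
        case $src in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$fstype" = nullfs ] || continue
        # Target must be the jail root or a path beneath it. Any ".."
        # component is reported, since it cannot be verified lexically.
        case $dst/ in
            */../*)         echo "OUTSIDE $src $dst" ;;
            "$jail_root"/*) ;;
            *)              echo "OUTSIDE $src $dst" ;;
        esac
        # Options are comma-separated; writable unless "ro" is one of them.
        case ,$opts, in
            *,ro,*) ;;
            *)      echo "WRITABLE $src $dst" ;;
        esac
    done
}

# Constructed sample: two read-only entries as shown in the thread, plus two
# constructed entries (one writable, one pointing into a different jail).
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint                  FStype  Options    Dump Pass
/usr/src        /jails/j-ports/usr/src      nullfs  ro         0 0
/usr/ports      /jails/j-ports/usr/ports    nullfs  ro         0 0
/srv/upload     /jails/j-ports/upload       nullfs  rw         0 0
/srv/shared     /jails/other/shared         nullfs  ro,nosuid  0 0
EOF
}

sample_fstab | audit_jail_fstab /jails/j-ports
```

On a real host, feed it the jail's fstab instead of the sample, for example `audit_jail_fstab /jails/j-ports < /etc/fstab.ports`.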
 
So you need to mount it at the host-level.
I thought it was possible to issue the mount inside the jail.

OK, looking at the iocage fstab man-page, that's also cool.

Thanks.
 