Is NFS jail-friendly now??

You can mount an NFS share with the jail's fstab entry.
Code:
# The jail definition for jail1
thinjail1 {
    host.hostname = "jail1.domain.local";
    path = "/usr/local/jails/jail1";
    interface = "re0";
    ip4.addr = 10.0.0.17;
    mount.fstab = "/usr/local/jails/jail1.fstab";
}
 
Hello vejnovic,

Do you mean to
1. ezjail-admin console myjail
2. ee /etc/fstab
3. insert
# The jail definition for jail1
Code:
thinjail1 {
    host.hostname = "jail1.domain.local";
    path = "/usr/local/jails/jail1";
    interface = "re0";
    ip4.addr = 10.0.0.17;
    mount.fstab = "/usr/local/jails/jail1.fstab";
}
and save
4. restart myjail

I just tried the above. It does not work... (am I missing something??)

I saw people suggesting mounting on the host, then nullfs-mounting to the jailed path. I am curious why not simply mount to the jailed path directly in the first place. Is there a difference in doing so? Thanks
 
What you can do is mount_nfs on the jail host. This makes these directories available to nullfs-mount into your jail. You can define null mounts read-only and read-write as you like. This requires a separate fstab.your_jail, which has to be defined in jail.conf.

So, to answer your question whether jails are "nfs-friendly": No, they are not, because that would make it possible to break out of the jail. With a nullfs mount you define, before the jail is started, what access is possible, and that cannot be altered from within the jail.

Is it still a desirable feature in the future?
No, this would not be a feature but a break in the security design.
 
You can't mount filesystems within a jail, regardless of whether it's NFS or any other filesystem, unless you set allow.mount. See jail(8).

What you can do however is let the host mount the filesystem on the jail when the jail starts. See mount.fstab, also in jail(8).

Code:
             allow.mount
                     privileged users inside the jail will be able to mount
                     and unmount file system types marked as jail-friendly.
                     The lsvfs(1) command can be used to find file system
                     types available for mount from within a jail.  This
                     permission is effective only if enforce_statfs is set
                     to a value lower than 2.

Code:
     mount.fstab
             An fstab(5) format file containing filesystems to mount before
             creating a jail.
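
The setup the replies describe (the host mounts the NFS share, then a host-side fstab named by mount.fstab null-mounts it into the jail) can be checked before the jail starts. This is an added example, not code from the thread: the /mnt/nfs/* directories, the jail2 entry and the function names are assumptions, and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a jail's mount.fstab on the host.

# Constructed sample of /usr/local/jails/jail1.fstab. The /mnt/nfs/* paths are
# assumed to be NFS shares the host has already mounted (hypothetical names).
sample_fstab() {
    cat <<'EOF'
# device         mount point (host path)             type    opts  dump pass
/mnt/nfs/data    /usr/local/jails/jail1/mnt/data     nullfs  ro    0 0
/mnt/nfs/upload  /usr/local/jails/jail1/mnt/upload   nullfs  rw    0 0
/mnt/nfs/data    /usr/local/jails/jail2/mnt/data     nullfs  ro    0 0
EOF
}

# check_jail_fstab <jail path> <fstab file>
# Prints "verdict mode type device -> mountpoint" for every entry and returns
# non-zero if any mount point is not below the jail path. The host performs
# these mounts, so mount points are host paths that include the jail root.
check_jail_fstab() {
    awk -v root="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments, blank lines
        {
            # Report whether the entry is read-only or writable from the jail.
            mode = (("," $4 ",") ~ /,ro,/) ? "ro" : "rw"
            verdict = "ok"
            # Flag mount points outside the jail root or containing "..".
            if (index($2, root "/") != 1 || $2 ~ /\/\.\.(\/|$)/) {
                verdict = "FAIL"; bad = 1
            }
            printf "%s %s %s %s -> %s\n", verdict, mode, $3, $1, $2
        }
        END { exit bad + 0 }
    ' "$2"
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_fstab > "$tmp"
check_jail_fstab /usr/local/jails/jail1 "$tmp" || echo "entries outside the jail root found"
rm -f "$tmp"
```

The rw entry is reported rather than rejected, since writable null mounts are a legitimate choice; the column only makes that choice visible.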
 