ZFS Is nullfs still the correct way to access a zfs dataset within a jail?

I just thought I'd post here to make sure what I'm doing is actually the right way to do this.

On my host, I have a ZFS dataset, data/shared. There are two relevant jails, jail1 and jail2. jail1 needs rw access to the dataset, and jail2 needs ro access. In this situation jail1 contains the service that creates the files originally, and jail2 (and others) just read the files without modifying them.

In jail.conf, I will have the following (with unrelated items redacted):
Code:
jail1 {
    allow.mount.nullfs;
    mount.fstab="/etc/fstab.jail1";
    path="/jails/jail1";
}

jail2 {
    allow.mount.nullfs;
    mount.fstab="/etc/fstab.jail2";
    path="/jails/jail2";
}

And the two fstab files are as follows:
Code:
/etc/fstab.jail1:

/data/shared /jails/jail1/shared nullfs rw 0 0

----

/etc/fstab.jail2:
/data/shared /jails/jail2/shared nullfs ro 0 0

Now, as far as I understand, this should be everything I need for a basic shared configuration without opening up any unexpected security holes, correct? I'll need to ensure that UID and GIDs are appropriately assigned within each relevant jail to ensure correct permissions, but besides that this is everything? Or am I overlooking anything?
 
Nullfs should be a good solution for your case.

I used nullfs to mount the read only /usr/ports from the host to jails.
Also I use nullfs to mount a directory with some data to the two jails at the same time.
It works fine.
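
A host-side check for the layout discussed in this thread, as an added example that is not part of the original posts: it reads a jail's fstab file and confirms that every nullfs entry mounts inside that jail's root and carries the expected ro or rw mode. The function name `check_fstab` is hypothetical, and the sample input is constructed from the two fstab lines in the question plus one deliberately wrong variant.

```sh
#!/bin/sh
# check_fstab JAIL_ROOT EXPECTED_MODE   (fstab text on stdin)
# Prints one FAIL line per problem and returns non-zero if any were found.
check_fstab() {
    awk -v root="$1" -v want="$2" '
        /^[ \t]*(#|$)/  { next }    # skip comments and blank lines
        $3 != "nullfs"  { next }    # only nullfs entries are audited
        {
            # The mount point must be the jail root or a path below it;
            # the trailing "/" keeps /jails/jail20 from matching /jails/jail2.
            if (index($2 "/", root "/") != 1 || $2 ~ /(^|\/)\.\.(\/|$)/) {
                printf "FAIL %s: mount point not inside %s\n", $2, root
                bad = 1
            }
            # fstab options are comma separated; without "ro" the mount is rw.
            mode = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "ro") mode = "ro"
            if (mode != want) {
                printf "FAIL %s: mounted %s, expected %s\n", $2, mode, want
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input: the fstab lines from the question, then a
# wrong variant of the jail2 entry (rw where ro is expected).
check_fstab /jails/jail1 rw <<'EOF' && echo "jail1: ok"
/data/shared /jails/jail1/shared nullfs rw 0 0
EOF
check_fstab /jails/jail2 ro <<'EOF' && echo "jail2: ok"
/data/shared /jails/jail2/shared nullfs ro 0 0
EOF
check_fstab /jails/jail2 ro <<'EOF' || echo "jail2 (wrong variant): rejected"
/data/shared /jails/jail2/shared nullfs rw 0 0
EOF
```

Entries in mount.fstab are mounted by jail(8) on the host before the jail is created, so this check runs on the host against the fstab files. allow.mount.nullfs is a separate setting that governs whether root inside the jail may perform nullfs mounts.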
 