jail with mount.devfs inside a jail

zirias@

Hi all,

I'm trying to create a jail with a mounted devfs inside another jail, and I get the following error:
Code:
builder# jail -c host=inherit path=/usr/local/poudriere/jails/sysbuilder mount.devfs command=/bin/sh
mount: .: Operation not permitted
jail: /sbin/mount -t devfs -oruleset=4 . /usr/local/poudriere/jails/sysbuilder/dev: failed
But the following works:
Code:
builder# /sbin/mount -t devfs . /usr/local/poudriere/jails/sysbuilder/dev
Of course I don't want to have a full devfs in my jail. Why does it fail when the ruleset option is given?

Configuration of the "outer" jail is as follows:
Code:
# Review notes on the "outer" jail's jail.conf: global defaults first, then
# the per-jail "builder" block.
exec.start    = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
# No devfs_ruleset parameter is set for this jail. jail(8) documents that
# mount.devfs without devfs_ruleset applies a default of ruleset 4
# (devfsrules_jail) and that descendant jails inherit the parent's devfs
# ruleset enforcement; in this thread the nested devfs mount fails until the
# parent jail explicitly sets devfs_ruleset=0. NOTE(review): apparently the
# parent's enforced ruleset blocks the child's -oruleset option — confirm
# against jail(8) and devfs(5) for the FreeBSD release in use.
mount.devfs;
mount.fstab = "/var/jail/${name}.fstab";
host.hostname = "${name}.home.palmen-it.de";
# Jailed root may not change the hostname.
allow.noset_hostname;

path = "/var/jail/${name}/jail";

builder {
     # 127.0.0.1 is listed as a jail address; per jail(8) the jail's first
     # address already stands in for loopback, so confirm this is intended.
     ip4.addr =    192.168.99.41, 127.0.0.1;
     interface = tap0;
     ip6 = inherit;
     # A non-zero children.max is what permits nested jails at all.
     children.max = 20;
     # Mount permissions: each allow.mount.* below also needs allow.mount,
     # and per jail(8) devfs can only be mounted inside the jail while
     # enforce_statfs is below 2. Every enabled filesystem type widens what
     # jailed root can mount and expose to its own children (e.g. an
     # unrestricted devfs), so keep this list to what the builder needs.
     allow.mount;
     allow.mount.devfs;
     allow.mount.procfs;
     allow.mount.linprocfs;
     allow.mount.zfs;
     allow.mount.nullfs;
     allow.mount.tmpfs;
     # The following relax isolation beyond a default jail: raw sockets
     # (arbitrary packet construction), socket address families beyond the
     # standard ones, System V IPC (historically shared with the host rather
     # than namespaced per jail) and system file flags via chflags(1), which
     # jailed root is normally refused.
     allow.raw_sockets;
     allow.socket_af;
     allow.sysvipc;
     allow.chflags;
     # 1 = only mounts below the jail root are visible to statfs(2).
     enforce_statfs=1;
     # zfs jail delegates the zroot/poudriere dataset tree to the jail, so
     # jailed root administers it (mount/snapshot/destroy) until it is
     # unjailed again in exec.prestop.
     exec.poststart="zfs jail builder zroot/poudriere && jexec builder zfs mount -a";
     exec.prestop="jexec builder zfs umount -a && zfs unjail builder zroot/poudriere";
}
Thanks,
Felix
 
Could something like this fit in somewhere?
Code:
devfs -m /usr/local/jail-1/dev rule -s 4 applyset
devfs -m /usr/local/jail-1/dev rule apply path tun0 unhide
You can hide or unhide anything you want.
 
Thanks for the idea; I hadn't tried applying the ruleset after mounting. Unfortunately, this doesn't work either:
Code:
builder# devfs -m /usr/local/poudriere/jails/sysbuilder/dev rule -s 4 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted
Is this by design? Maybe I just overlooked some allow.* setting necessary for the "parent" jail?

[edit] -- even if this won't work at all, I'd be thankful for an explanation. So -- anyone giving me EITHER an idea I didn't have myself yet OR an explanation of these error messages will get a very sincere, conscious, thoughtful and meaningful click on this great "thanks" button :)
 
Here I am, 5 years later, same situation, same problem:

Code:
[root@jail-testing:/] $ service jail start
Starting jails:mount: .: Operation not permitted
jail: freshports: /sbin/mount -t devfs -oruleset=4 . /jails/freshports/dev: failed
.
[root@jail-testing:/] $
 
It seems to work for me.
Here is my jail.conf:
Code:
# Review notes: the jail.conf for which the nested devfs mount is reported
# to work.
path = "/jails/$name";
host.hostname = "$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
# Both address families are inherited: the jail shares the parent's network
# stack and addresses instead of being given its own.
ip4 = inherit;
ip6 = inherit;
mount.devfs;
mount.fdescfs;
# allow.mount plus one allow.mount.* per filesystem type the jail may mount;
# per jail(8) mounting devfs inside the jail additionally requires
# enforce_statfs below 2 (it is 1 below). Each type granted here is a
# capability jailed root can use against its own children.
allow.mount;
allow.mount.devfs;
allow.mount.fdescfs;
allow.mount.nullfs;
allow.mount.tmpfs;
allow.mount.procfs;
allow.mount.zfs;
enforce_statfs=1;
# Nested jails are permitted.
children.max=100;
# Extra privileges beyond a default jail: other socket address families,
# raw sockets, system file flags and System V IPC. Grant only if the
# workload needs them.
allow.socket_af;
allow.raw_sockets;
allow.chflags;
allow.sysvipc;
a {
# Ruleset 20 is defined in the devfs.rules excerpt quoted next in this
# thread. jail(8) applies it when mount.devfs mounts this jail's /dev and
# then enforces it for devfs mounts made from inside the jail (and, per
# jail(8), its descendants).
devfs_ruleset="20";
}
And my devfs.rules:

Code:
# Review notes: ruleset 20 starts from hide-all and unhides only what is
# listed, which is the safe direction to build a jail ruleset in.
[a=20]
# Standard jail building blocks; on a stock system these are defined in
# /etc/defaults/devfs.rules.
add include $devfsrules_hide_all  
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# Additional device nodes exposed to the jail: audio (mixer*, dsp*) and the
# zfs control node(s) needed for zfs(8) administration from inside the
# jail. Every node unhidden here becomes reachable by jailed root, so keep
# the glob patterns as narrow as the workload allows.
add path 'mixer*' unhide
add path 'dsp*' unhide
add path 'zfs*' unhide
 
Thank you. Tried that, same issue.

Code:
Starting jails:mount: .: Operation not permitted
jail: freshports: /sbin/mount -t devfs -oruleset=20 . /jails/freshports/dev: failed
.
 
Which makes me wonder: since jail-testing is itself a jail, and it is the one launching the jail above, is there something missing from the jail.conf on the host that launches jail-testing?
 
My missing magic was

Code:
devfs_ruleset=0

My working /etc/jail.conf is:

Code:
# Review notes: the parent-level /etc/jail.conf that made the nested devfs
# mount work.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = /jails/$name;
allow.raw_sockets;
# Kernel securelevel inside the jail; 2 additionally blocks writes to
# mounted disk devices and cannot be lowered from inside.
securelevel = 2;
exec.consolelog="/var/tmp/jail-$name";

host.hostname = "$name.int.unixathome.org";

persist;
test01 {
    host.hostname = "test01";

    ip4 = inherit;
    # The jail stays in existence even with no running processes.
    persist;

    # The fix reported in this thread. Per jail(8), devfs_ruleset=0 means no
    # ruleset is enforced for devfs mounts made inside this jail, so a child
    # jail's mount.devfs can pass its own -oruleset. The trade-off: the
    # kernel no longer constrains which device nodes jailed root in test01
    # (or its children) exposes through its own devfs mounts — a devfs
    # mounted without a ruleset shows the full device tree — so device
    # visibility now rests entirely on the rulesets the nested jail.conf
    # files choose. NOTE(review): also check what jail(8) uses for test01's
    # own mount.devfs when devfs_ruleset is 0 (list /dev inside test01); if
    # it is unfiltered, that is the "full devfs" this thread set out to
    # avoid. Reserve this setting for parent jails that are trusted to host
    # nested jails.
    devfs_ruleset=0;

    # Mounting devfs inside the jail requires allow.mount, allow.mount.devfs
    # and enforce_statfs below 2 (jail(8)).
    allow.mount=true;
    enforce_statfs=1;
    allow.mount.devfs;
    allow.mount.procfs;
}
 