Solved Jailed ZFS: cannot create 'zpool/jails/nfs/test': permission denied

After starting the jail with jail -crm -f /etc/jail.conf.d/nfs.conf, when I try to create a new filesystem jexec nfs zfs create -o mountpoint=/test zpool/jails/nfs/test I get the error
Code:
cannot create 'zpool/jails/nfs/test': permission denied

Configuration:
/etc/jail.conf.d/nfs.conf
Code:
nfs {
    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_console_${name}.log";

    allow.raw_sockets;
    allow.mount;
    allow.mount.zfs;
    mount.devfs;
    enforce_statfs = 2;
    devfs_ruleset = 16;

    path = "/jails/${name}";
    host.hostname = "${name}";

    $id = "6";
    $ip = "192.168.0.${id}/24";
    $gateway = "192.168.0.1";
    $bridge = "bridge0";
    $epair = "epair${id}";

    vnet;
    vnet.interface = "${epair}b";

    exec.created  += "zfs jail nfs zpool/jails/nfs";
    exec.prestart  = "/sbin/ifconfig ${epair} create up";
    exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
    exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
    exec.start    += "/sbin/ifconfig ${epair}b ${ip} up";
    exec.start    += "/sbin/route add default ${gateway}";
    exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
    exec.poststop += "/sbin/ifconfig ${epair}a destroy";
    exec.release  += "zfs unjail nfs zpool/jails/nfs";
}
/etc/devfs.rules
Code:
[devfs_rules_nfs_jail=16]
 
Code:
       allow.mount.zfs
           privileged users inside the jail will be able to mount and
           unmount the ZFS file system.  This permission is effective only
           together with allow.mount and only when enforce_statfs is set
           to a value lower than 2.  See zfs(8) for information on how to
           configure the ZFS filesystem to operate from within a jail.

You need to set your enforce_statfs to 0 or 1.
 
Changed enforce_statfs to 1; same error persists.
 
Note
Code:
     After a dataset is attached to a jail and the jailed property is set,
     a jailed file system cannot be mounted outside the jail, since the
     jail administrator might have set the mount point to an unacceptable
     value.
from the manpage ZFS-JAIL(8)
 
Permission denied error also occurs when zfs dataset property jailed is not set to on. I have mounted the dataset and set jailed property within my jail.conf:
Code:
jailname {
    ...
    exec.created += "zfs set mountpoint=\"/usr/local/poudriere\" zroot/poudriere";
    exec.created += "zfs set jailed=on zroot/poudriere";
    ...
}
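
Added example, not part of any post in this thread: a POSIX sh preflight check that reads a jail.conf fragment plus the dataset's jailed value and lists which of the conditions named above (allow.mount, allow.mount.zfs, enforce_statfs lower than 2, jailed=on) are still unmet. The function names and SAMPLE_CONF are constructed for illustration, and the check goes slightly beyond the thread by also accepting the `= 1` / `= true` spelling of boolean parameters.

```sh
#!/bin/sh
# Added example: function names are hypothetical, SAMPLE_CONF is constructed.

# Normalise a jail.conf(5) fragment: drop # comments and whitespace,
# then put each ';'-terminated statement on its own line.
normalise() { sed -e 's/#.*//' -e 's/[[:space:]]//g' | tr ';' '\n'; }

# True if boolean parameter $2 (a regex) is enabled in normalised config $1.
# Accepts "name", "name=1" and "name=true", quoted or not.
enabled() { printf '%s\n' "$1" | grep -Eqx "$2(=\"?(1|true)\"?)?"; }

# stdin: jail.conf fragment.  $1: the dataset's "jailed" property, e.g. from
#   zfs get -H -o value jailed zpool/jails/nfs
# Prints the settings still blocking ZFS use in the jail; status 0 if none.
check_jail_zfs() {
    conf=$(normalise)
    problems=""
    enabled "$conf" 'allow\.mount'      || problems="$problems allow.mount"
    enabled "$conf" 'allow\.mount\.zfs' || problems="$problems allow.mount.zfs"
    # allow.mount.zfs needs enforce_statfs below 2; unset means the default, 2.
    statfs=$(printf '%s\n' "$conf" |
        sed -n 's/^enforce_statfs="\{0,1\}\([0-9][0-9]*\)"\{0,1\}$/\1/p' |
        tail -n 1)
    [ "${statfs:-2}" -lt 2 ] || problems="$problems enforce_statfs"
    # The thread reports "permission denied" when jailed is not set to on.
    [ "$1" = "on" ] || problems="$problems jailed"
    printf '%s\n' "${problems# }"
    [ -z "$problems" ]
}

# Constructed sample holding the mount-related lines from the question.
SAMPLE_CONF='nfs {
    allow.mount;
    allow.mount.zfs;
    mount.devfs;
    enforce_statfs = 2;  # value from the original post
}'

# Demo run: the "off" value for the jailed property is an assumption.
printf '%s\n' "$SAMPLE_CONF" | check_jail_zfs off || true
```

An empty result with exit status 0 means all four conditions hold; any name printed is a setting to fix on the host before retrying `zfs create` inside the jail.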
 