Solved Mount i-node/chardevice within jail

Running the following command within the jail results in the same error:
mount /dev/da0 /mnt
Code:
mount: /dev/da0: Operation not permitted

/etc/devfs.rules (on host)
Code:
[bastille_vnet=13]
add path 'mdctl' group operator mode 0660
add path 'md\*' group operator mode 0770

jail.conf (on host)
Code:
securelevel = 0;
devfs_ruleset = 13;
enforce_statfs = 0;
allow.mount;
allow.mount.nullfs;
allow.mount.tmpfs;
allow.mount.devfs;
 
The devfs rules apply to md devices only; you're trying to mount da. Also, the devfs rules are interestingly overloaded: what is the order in which the rules are applied? While mdfoo will get mode 770, it's not clear whether mdctl will get mode 660 or 770. And finally, why is the * in the quoted expression also backslash escaped? Are you sure this is the correct syntax?

Anyway, the real question is this: If you look inside the jail, what are the ownership and permissions for /dev/da0?
 
Thanks for pointing that out. In fact, I do have the rules and permissions correct. This was originally because I couldn't mount the memory disk devices (vnode-backed) but it turned out that the error occurs when attempting to mount any chardevice.
 
As it turns out, UFS is never jail-friendly and so can never be mounted from within a jail (see the Jails and File Systems section of jail(8)):
It is not possible to mount(8) or umount(8) any filesystem inside a jail unless the file system is marked jail-friendly.
 
lsvfs | grep jail will show you the jail-safe file systems, of which ZFS is the only on-disk file system that is possible to manage from a jail.

You can use the mount or mount.fstab directives to mount file systems on the host side; the first one takes a parameter in fstab(5) format, and the second one specifies a full fstab file to use for the jail.

If this is some ephemeral device, you can always use the host's mount(8) command and a directory the jail has access to. You just can't mount, e.g., FAT or UFS file systems directly from the jail side.
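
The lsvfs check from the reply above, as an added example that is not code from the thread: it reads the Flags column to tell whether a file system type can be mounted inside a jail, and otherwise prints the fstab(5) line to use host-side with mount or mount.fstab. The lsvfs table is a constructed sample, and the device, jail root and the LSVFS_CMD variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify a file system type as
# mountable inside a jail or host-side only, from the Flags column of lsvfs.

# Constructed sample in the column layout of lsvfs(1); the Num/Refs values
# are made up. On a FreeBSD host, set LSVFS_CMD=lsvfs to read the real table.
sample_lsvfs() {
cat <<'EOF'
Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
ufs                              0x00000035     1
msdosfs                          0x00000032     0
zfs                              0x000000de     4  jail, delegated-administration
nullfs                           0x00000029     2  loopback, jail
tmpfs                            0x00000087     1  jail
EOF
}

# jail_friendly FSTYPE < lsvfs-output
# Exit status: 0 = row carries the "jail" flag, 1 = listed without it,
# 2 = file system type not listed (module not loaded).
jail_friendly() {
    awk -v fs="$1" '
        NR <= 2 { next }                      # header and ruler lines
        $1 == fs {
            found = 1
            for (i = 4; i <= NF; i++) {       # flags start at column 4
                sub(/,$/, "", $i)
                if ($i == "jail") ok = 1
            }
        }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }
    '
}

# mount_plan FSTYPE DEVICE JAIL_ROOT MOUNTPOINT (hypothetical helper)
# Prints where the mount has to happen; for host-side mounts it prints an
# fstab(5) line whose mountpoint is the host path under the jail root.
mount_plan() {
    rc=0
    ${LSVFS_CMD:-sample_lsvfs} | jail_friendly "$1" || rc=$?
    case $rc in
        0) echo "jail: $1 is jail-friendly" ;;
        1) echo "host: $2 $3$4 $1 rw 0 0" ;;
        *) echo "unknown: $1 is not listed by lsvfs" ;;
    esac
}

mount_plan ufs /dev/da0 /jails/demo/root /mnt
```

The "host:" line printed for UFS is what goes into the fstab file named by mount.fstab, so the mount is done by the host before the jail starts.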
 