jails Mount ZFS dataset in jail

I am presently using nullfs to mount a ZFS dataset in a jail; however, I would like to mount the ZFS dataset directly so that I can hopefully take snapshots directly in the jail without having to do that on the host.

I have assigned the dataset to the jail:

Code:
exec.created   += "zfs jail workstation dataset";
exec.release   += "zfs unjail workstation dataset";

/etc/jail.conf.d/workstation.conf
Code:
allow.mount=true;
allow.mount.zfs=true;
enforce_statfs=1;
allow.mount.fusefs=1;

I have also attempted to mount the datasets using:
Code:
zfs mount -a

While zfs list in the jail does properly list the ZFS dataset as I expect, I don't see anything mounted unless I use nullfs on the host. While that works well, ideally, I'd be able to use ZFS directly so that I can manage snapshots.
 
Did you set this?
Code:
     allow.mount.zfs
             privileged users inside the jail will be able to mount and
             unmount the ZFS file system.  This permission is effective only
             together with allow.mount and only when enforce_statfs is set to
             a value lower than 2.  See zfs(8) for information on how to
             configure the ZFS filesystem to operate from within a jail.
 
I am also unable to create zfs snapshots in the jail:

Code:
zap snap 10y z_1000.1/media/staging
zfs snapshot z_1000.1/media/staging@20230924.11.38

In any case, they both result in:
Code:
cannot create snapshots : permission denied

Again, when the jail is created, I assign the dataset to the jail as indicated above. I'm wondering what else I need to do to make it work as expected.
 
Here's a config that I've used for poudriere and bastille:

Code:
pkg {
  # additions / changes
  allow.mount;
  allow.mount.devfs;
  allow.mount.zfs;
  allow.mount.nullfs;
  allow.mount.tmpfs;
  allow.mount.procfs;
  children.max = 10;
  devfs_ruleset = 4;
  enforce_statfs = 1;
  securelevel = 0; # defaults to 2, can use 2 with USE_TMPFS in poudriere
  exec.created += 'zfs jail pkg zroot/jdata/pkg';
  
  # bastille defaults
  exec.clean;
  exec.consolelog = /var/log/bastille/pkg_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = pkg;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/pkg/fstab;
  path = /usr/local/bastille/jails/pkg/root;

  interface = bastille0;
  ip4.addr = 172.16.1.4;
  ip6 = disable;
}

Someone pointed out that it should also include exec.poststop += 'zfs unjail pkg zroot/jdata/pkg';
 
Thanks, let me give 'er a try and report back.

Interestingly, you can set the securelevel in the jail directly. I had been setting that inside the jail. I wonder if the end result is the same.

Also, I had exec.release += 'zfs unjail ...'. Perhaps that will make more sense once I get it properly jailed.
 
Hmm, it is still not working. So, I have always been able to see the pool in the jail, but it is not mounted where I expect it to be. It is mounted on the host.

For my own edification, the line:

Code:
exec.consolelog = <file>;

Captures the startup / init to that logfile? Yes, I just tested that. Awesome.
 
What is zfs jail <dataset> supposed to do? If it is letting me see the dataset with zfs list, then that works. If it is supposed to let me take snapshots in the jail, that isn't working for me. Additionally, it isn't being mounted.
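To make the mechanics concrete, here is an added example (not code from any post in this thread) of the host-side and jail-side steps, together with a small audit of the jail.conf parameters. It follows zfs-jail(8): `zfs jail` attaches a dataset so the jail can see it, but the dataset can be mounted and snapshotted from inside the jail only if its `jailed` property has been set, and the jail needs `allow.mount`, `allow.mount.zfs` and `enforce_statfs` below 2, as in the jail(8) excerpt quoted earlier. Neither configuration shown in this thread sets `jailed` on the dataset. The jail name `workstation`, the dataset `zroot/jdata/workstation` and the mountpoint `/media` are assumed names chosen for illustration; `DRY_RUN=1` prints the zfs commands instead of running them, so the script can be exercised on a machine without ZFS.

```sh
#!/bin/sh
# Added example (not from the thread): host-side delegation of a ZFS dataset
# to a jail plus an audit of the jail.conf parameters zfs-jail(8) requires.
# Jail name "workstation", dataset "zroot/jdata/workstation" and mountpoint
# "/media" are assumptions chosen for illustration.
set -u

# Run a command, or just print it when DRY_RUN=1 (lets the script be tried
# on a machine without ZFS).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Host side: mark an existing dataset as jail-managed. "zfs jail" alone only
# attaches the dataset (it shows up in "zfs list" inside the jail); the jailed
# property is what permits mounting it and creating snapshots from inside.
# The mountpoint is interpreted relative to the jail's root once mounted
# there, and the host's own "zfs mount -a" skips datasets with jailed=on.
prepare_jailed_dataset() {
    ds=$1 mp=$2
    run zfs set jailed=on "$ds"
    run zfs set mountpoint="$mp" "$ds"
    # A new dataset can be created already jailed in one step instead:
    #   zfs create -o jailed=on -o mountpoint="$mp" "$ds"
}

# Inside the jail (after exec.created has run "zfs jail <name> <dataset>"):
# mount what was delegated, then snapshot it from the jail.
jail_mount_and_snapshot() {
    ds=$1 label=$2
    run zfs mount -a
    run zfs snapshot "$ds@$label"
}

# $1 = newline-separated "key = value" list, $2 = extended regex to look for.
has_param() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Audit the jail.conf block for jail $1 in file $2 against the requirements
# quoted from jail(8): allow.mount, allow.mount.zfs, enforce_statfs < 2
# (the default, 2, silently blocks the zfs mount) and a "zfs jail" hook.
# Prints one line per problem and returns 1 if any were found.
jailconf_check() {
    jail=$1 conf=$2 rc=0
    # Extract the jail's "name { ... }" block, strip comments, one param per line.
    params=$(awk -v j="$jail" '
        BEGIN { target = j "{" }
        { sub(/#.*/, "") }
        !inblk { s = $0; gsub(/[ \t]/, "", s); if (s == target) { inblk = 1; next } }
        inblk && index($0, "}") { inblk = 0; next }
        inblk { print }
    ' "$conf" | tr ';' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$' || true)

    has_param "$params" '^allow\.mount([[:space:]]*=[[:space:]]*(1|true))?$' \
        || { echo "$jail: allow.mount is not set"; rc=1; }
    has_param "$params" '^allow\.mount\.zfs([[:space:]]*=[[:space:]]*(1|true))?$' \
        || { echo "$jail: allow.mount.zfs is not set"; rc=1; }
    has_param "$params" '^enforce_statfs[[:space:]]*=[[:space:]]*[01]$' \
        || { echo "$jail: enforce_statfs must be 0 or 1 (default 2 blocks ZFS mounts)"; rc=1; }
    has_param "$params" '^exec\.created[[:space:]]*\+?=.*zfs jail' \
        || { echo "$jail: no exec.created hook running \"zfs jail\""; rc=1; }
    return $rc
}

# --- demonstration on a constructed jail.conf; nothing here touches a pool ---
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
workstation {
    path = /usr/local/jails/workstation;
    allow.mount = true;
    allow.mount.zfs = true;
    enforce_statfs = 1;
    exec.created += "zfs jail workstation zroot/jdata/workstation";
    exec.poststop += "zfs unjail workstation zroot/jdata/workstation";
}
EOF
jailconf_check workstation "$demo_conf" && echo "workstation: jail.conf looks complete"
rm -f "$demo_conf"
( DRY_RUN=1; prepare_jailed_dataset zroot/jdata/workstation /media )
( DRY_RUN=1; jail_mount_and_snapshot zroot/jdata/workstation "$(date +%Y%m%d.%H.%M)" )
```

On a real host, run `jailconf_check workstation /etc/jail.conf.d/workstation.conf` first, then `prepare_jailed_dataset` (without `DRY_RUN`) before starting the jail; `jail_mount_and_snapshot` is meant to be run from inside the jail, where `zfs mount -a` picks up the delegated dataset and the snapshot is created with the jail's own `zfs` binary. The audit only recognizes the `key;`, `key = value;` and `key += value;` forms on their own lines, which is how both configurations in this thread are written.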
 