NFS mount from a jail

Hi,

I have an NFS server on a remote machine and am trying to mount an NFS share from a jail. The jail is allowed by the NFS server, and I can see that my jail is really allowed:
Code:
rpc.mountd: authenticated mount request from 172.33.22.2:737 for /directory (/directory)

When I try to mount, I always get this message:
Code:
mount -t nfs hostname:/directory/ /mnt
mount_nfs: /mnt, : Operation not permitted

I hope someone can help me.
 
The best way to do this would be to mount it from the jail host.

Code:
mount -t nfs hostname:/directory/ /jailhost/path/to/jail/mnt
 
Are you permitted to mount something on /mnt?

No, I'm not.

I checked:
Code:
 sysctl -a |grep -i security.jail.mount
security.jail.mount_allowed: 1

The best way to do this would be to mount it from the jail host.

Yes, I agree and this is running. But we won't do that. We would like to do this from a jail client.

Thanks
 
From jail(1):
Jails and File Systems
It is not possible to mount(8) or umount(8) any file system inside a jail unless the file system is marked jail-friendly and the jail's allow.mount parameter is set.

I'm not sure NFS constitutes a jail-friendly filesystem.
 
Oops, I cannot edit my last post, I'm sorry.

When I mount NFS shares on a jail host from other jails which are NFS servers, then I cannot access them from inside a jail. Sounds weird, but it's true; we have NFS servers running in jails.
 
Make sure mountd, rpcbind and nfsd are all bound to the jail's IP address. By default they will bind to all addresses.
 
Hi,

Thanks for your reply!

First, I want to mount an NFS share from inside a jail. I would be happy if anyone has a howto for that.

The second way, which I am testing at the moment, is to mount NFS shares on a jail host into the jail client directory.
When I mount NFS shares from, for example, a Debian system, then I don't have any problem. I can access the share on the jail host and from the jail client.

When I mount an NFS share on a jail host from another jail (from another jail host), then I cannot access the share from the jail client. Sorry, I can't explain it better...

Make sure mountd, rpcbind and nfsd are all bound to the jail's IP address. By default they will bind to all addresses.

The jail which provides the NFS share is using unfsd:
Code:
rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   2049  mountd
    100005    3   udp   2049  mountd
    100005    1   tcp   2049  mountd
    100005    3   tcp   2049  mountd

Code:
cat /etc/rc.conf 
sshd_enable="YES"
rpcbind_enable="YES"
rpcbind_flags="-h ipfromjail"
mountd_enable="YES"
unfsd_enable="YES"

I started the unfsd as user www, with the option -l ipfromjail.

But binding to the IP address makes no difference. When I access the share from the jail client, I get permission denied. When I do an "ls -al", I cannot list the mounted directory.
 
unfsd?

Mountd and nfsd also need the -h flag to bind them to a specific IP address.
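
A check for the binding advice in the replies above, as an added example that is not part of the original thread: it reads listener lines in `sockstat -4l` format and reports RPC/NFS daemons whose local address is not the jail's IP. The function names and the sample listing are constructed for illustration; the address is the jail address from the first post's log line.

```sh
#!/bin/sh
# Added example: report rpcbind/mountd/nfsd/unfsd listeners that are not
# bound to the jail's own address (a wildcard "*" bind answers on every IP).

# Constructed sample in `sockstat -4l` layout, not output from the thread.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    1001  9  udp4   172.33.22.2:111       *:*
root     rpcbind    1001  10 tcp4   172.33.22.2:111       *:*
root     mountd     1002  5  udp4   *:881                 *:*
root     mountd     1002  6  tcp4   *:881                 *:*
www      unfsd      1003  4  tcp4   172.33.22.2:2049      *:*
root     sshd       1004  3  tcp4   *:22                  *:*
EOF
}

# check_binds JAIL_IP
# Reads sockstat-style lines on stdin and prints "command proto local-address"
# for every RPC/NFS listener whose address differs from JAIL_IP.
check_binds() {
    awk -v want="$1" '
        $1 == "USER" { next }                      # skip the header line
        $2 ~ /^(rpcbind|mountd|nfsd|unfsd)$/ {
            addr = $6
            sub(/:[^:]*$/, "", addr)               # drop the ":port" suffix
            if (addr != want)
                printf "%s %s %s\n", $2, $5, $6
        }
    '
}

# Stand-alone run against the constructed sample.
# On a real host: sockstat -4l | check_binds <jail ip>
sample_sockstat | check_binds 172.33.22.2
```

An empty result means every matched daemon is bound to the expected address; unrelated listeners such as sshd are ignored.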
 

Code:
file `type -p unfsd`
/usr/local/sbin/unfsd: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.1, dynamically linked (uses shared libs), FreeBSD-style, not stripped

Code:
 man unfsd | head -n 15
unfsd(8)							      unfsd(8)



NAME
       unfsd - NFS server process

SYNOPSIS
       /usr/sbin/unfsd [options]

DESCRIPTION
       The  unfsd program implements the MOUNT and NFS version 3 protocols. It
       listens for client requests, performs them on the local	filesystem  of
       the  server,  and  then	returns  the  results of the operations to the
       clients.

My colleague had a problem with nfsd as an NFS server inside a jail; this is because we use unfsd.

Mountd and nfsd also need the -h flag to bind them to a specific IP address.

We use unfsd instead of nfsd. And unfsd was started with an IP bind option:
Code:
root    79143  0.0  0.0  6692  1512  ??  SsJ  11:01AM   0:00.03 /usr/sbin/rpcbind -h jailip
www     79150  0.0  0.1  8780  5892  ??  SsJ  11:01AM   0:00.57 /usr/local/sbin/unfsd -l jailip


I added the flag for mountd too. But nothing changed.
 
Did you try it with the 'standard' fbsd nfsd?

Do note that nfsd and mountd are only needed on the server side. The client only needs rpcbind.
 
Make sure the kernel module is loaded on the host. Jails aren't allowed to load kernel modules.
 
Code:
kldstat 
Id Refs Address            Size     Name
 1    2 0xffffffff80100000 b4be40   kernel
 2    1 0xffffffff80c4c000 14d8     accf_http.ko

How can I load the correct kernel module?
 
GENERIC already has the NFSSERVER option. If you have a custom kernel you can add it.
If you add nfsserver_enable="YES" to /etc/rc.conf it will load the kernel module automatically if needed.
 