ZFS Share a ZFS dataset with multiple jails

tuaris

tuaris

I guess in some way this defeats the purpose of a jail. In some other way, I think it adds an extra layer of separation.

I'd like to know if I can allow two jails to access a ZFS dataset at the same time. The main requirement being that both jails can use the zfs utility (from within the jail, not outside) to create/delete snapshots and child datasets. The use case for this would be that one jail is responsible creating & deleting datasets/snapshots. The other jail would mount a read-only dataset from a snapshot.
 
To me, it's hard to see your point. You think add an extra layer of separation, but where? Between the root user of the host for a given datatset? This makes no sense. You cannot avoid the root user to manage the system.

What jails are good for is to run a software that offers some services (typically exposed to a network) and if that software is compromised, an attacker is limited to the jail (as the name supposes), so it would be difficult to reach the host. Another advantage is to have a software unit which is somewhat independent from the host.

But maybe I didn't understand what you want to achieve.
 
tuaris said:
I'd like to know if I can allow two jails to access a ZFS dataset at the same time. The main requirement being that both jails can use the zfs utility (from within the jail, not outside) to create/delete snapshots and child datasets. The use case for this would be that one jail is responsible creating & deleting datasets/snapshots. The other jail would mount a read-only dataset from a snapshot.
Click to expand...
Two jails can access a dataset at the same time. I do this myself, with one jail that generates data for a certain purpose that goes into a certain dataset, and a couple of other jails that utilize that data. In my case I use nullfs to mount the dataset to the jails as rw and ro respectively.

As for letting the jail manipulate the dataset, this can be accomplished as long as the correct parameters are set in /etc/jail.conf and the jail has the jailed property set. I have a backup jail that receives zfs snapshots and can manage the backup dataset. I use the following jail config options for that:

Code: 
allow.mount;
allow.mount.zfs;
exec.created="zfs jail backups primary/jails/backups/zfsreceive";
enforce_statfs=1;
 
You must log in or register to reply here.
Back
Top