unknown ZFS property: jailed

Code:
zfs get all <filesystem>
Here you see the property jailed, but zfs(1) makes no mention of it.

A bit of googling solves pieces of the puzzle. Apparently it is used for exporting zfs filesystems to a jail. But what next? I have a jail called 'ftp' and tried the following:
Code:
# jls
   JID  IP Address      Hostname                      Path
     2  192.168.0.4     ftp.example.com                   /jail/ftp
# sysctl security.jail.enforce_statfs=0
security.jail.enforce_statfs: 2 -> 0
# sysctl security.jail.mount_allowed=1
security.jail.mount_allowed: 0 -> 1
Now, I'd like to export the zfs filesystem rpool/JAIL/test
Code:
# zfs set jailed=on rpool/JAIL/test
# zfs jail 2 rpool/JAIL/test
Then, go to the jail and list zfs filesystems:
Code:
# jexec 2 tcsh
ftp# zfs list
internal error: failed to initialize ZFS library
What am I doing wrong, and is there some documentation about this?
 
Please note I've not used ZFS within jails yet but I may be able to shed some light on some of the issues.

As far as I can see, the ZFS man pages are pretty much straight from Solaris. I've noticed a few things that don't apply to FreeBSD, or things that only apply to FreeBSD that are missing. This is probably why the jail property (which is specific to FreeBSD) doesn't show up.

Also you need to make the /dev/zfs device available to the jails which might be locked down if you're using devfs rules.

I came across the following serverfault question the other day where the author seemed to answer his own question with some useful information.
http://serverfault.com/questions/278013/is-there-a-tool-for-managing-freebsd-jails-that-knows-about-zfs
 
Thanks. I managed to get quite a bit further.
A /etc/devfs.rules is needed:
Code:
[ftp_ruleset=10]
add include $devfsrules_jail
add path zfs unhide
After that, restart the jail and the filesystems with property jailed=on can be exported.

There is one problem remaining. How can I make sure
Code:
zfs jail 1 rpool/JAIL/test
is executed on reboot? The JID might change.

(Also, the output of df and even zfs list is now quite confusing because it lists mountpoints, but doesn't mention that the mountpoint is in a jail.)
 
My jail name (rc.conf name) is www and its path is /jails/www/:

To set the zfs jail option on the /data directory inside the jail (or zroot/jails/www/data in the host):

in rc.conf:
Code:
jail_www_exec_poststart0="/jails/www.start"

/jails/www.start:
Code:
#!/bin/sh

# replace www by your jail path or jail hostname
id=$(jls | awk '/www/ { print $1 }')

# stop if no JID was found, so zfs jail is not run without one
[ -n "$id" ] || exit 1

zfs jail "$id" zroot/jails/www/data

# ... some other stuff
 
I could have sworn I'd seen that option mentioned in the zfs(8) man page. But alas, it isn't there.

Have you tried using the jail's name instead of its JID?

I've set a name on my jail with:
Code:
jail_intranetz_flags="-l -U root -n intranetz"

After that you can do:
# jexec intranetz /bin/tcsh

Not sure if it works with zfs jail though, but if it works it would solve the 'unknown' JID problem.
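
Added example, not part of any post in this thread: the poststart script above finds the JID with a substring match on `jls` output, which can also match another jail's hostname or path and hand the dataset to the wrong jail. This sketch matches the Path column exactly and refuses to attach a dataset that is not marked jailed=on. The function names and the sample `jls` output are constructed for illustration, and jail paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example. Resolve a JID by exact Path match in default `jls` output,
# so /jails/www does not also match /jails/www2 or a hostname containing www.

# jid_for_path PATH: reads `jls` output on stdin and prints the JID whose
# Path column equals PATH. Fails if zero or more than one jail matches.
jid_for_path() {
    awk -v want="$1" '
        NR == 1 { next }                 # skip the header line
        $NF == want { jid = $1; n++ }    # Path is the last column
        END {
            if (n != 1) exit 1           # none or ambiguous: refuse
            print jid
        }'
}

# attach_dataset PATH DATASET: hypothetical wrapper for a poststart script.
attach_dataset() {
    jid=$(jls | jid_for_path "$1") || {
        echo "no unique running jail at $1" >&2
        return 1
    }
    # Only hand over datasets that were explicitly marked jailed=on.
    [ "$(zfs get -H -o value jailed "$2")" = "on" ] || {
        echo "$2 is not jailed=on" >&2
        return 1
    }
    zfs jail "$jid" "$2"
}

# Constructed sample of `jls` output, used to exercise the parser offline.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     2  192.168.0.4     ftp.example.com               /jail/ftp
     5  192.168.0.5     www.example.com               /jails/www
     7  192.168.0.6     www2.example.com              /jails/www2'
```

In a poststart script the call would be `attach_dataset /jails/www zroot/jails/www/data`, using the path and dataset from the post above.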
 