ZFS Why can't my non-root account mount jailed ZFS filesystems?


I'm using FreeBSD 10.2-RELEASE-p16 amd64. My goal's to make a jail within which a non-root account can receive ZFS snapshots, and save them within a jailed ZFS filesystem.

I'm able to create and mount ZFS filesystems using the jail's root account, with no problems. Yet when I use a non-root account in the jail, I see this:

jail$ zfs create z/j/d.net/jail/j/z0
cannot mount 'z/j/d.net/jail/j/z0': Insufficient privileges
filesystem successfully created, but not mounted

Here's my configuration:

jail$ id
uid=1200(zfs) gid=1200(zfs) groups=1200(zfs)
jail$ zfs allow z/j/d.net/jail/j
---- Permissions on z/j/d.net/jail/j ------------------------------
Local+Descendent permissions:
        user zfs canmount,compression,create,mount,mountpoint,receive
---- Permissions on z ------------------------------------------------
Local+Descendent permissions:
        user zfs create,hold,mount,mountpoint,receive,send,snapshot
jail$ ls -ld /j
drwxr-xr-x  7 zfs  zfs  7 May 28 19:13 /j
jail$ zfs get jailed,mounted,mountpoint z/j/d.net/jail/j
NAME                 PROPERTY    VALUE       SOURCE
z/j/d.net/jail/j  jailed      on          local
z/j/d.net/jail/j  mounted     yes         -
z/j/d.net/jail/j  mountpoint  /j          local
jail$ sysctl vfs.usermount security.jail.mount_allowed security.jail.mount_zfs_allowed security.jail.enforce_statfs
vfs.usermount: 1
security.jail.mount_allowed: 1
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1
jail$ ls -l /dev/zfs
crw-rw-rw-  1 root  operator  0x4b May  5 23:11 /dev/zfs
jail$ zfs mount
z/j/d.net/jail               /
z/j/d.net/jail/j             /j

If anybody feels like making suggestions, I'd sure appreciate it. Thanks so much for reading!

Did you use the zfs jail command to assign a specific dataset to the jail?

SirDice, thanks so much for replying.

Yeah, I have these in the jail's /etc/jail.conf section, to associate the filesystem with the jail when it starts:

exec.poststart = "/sbin/zfs jail jail z/j/d.net/jail/j";
exec.prestop = "/sbin/zfs unjail jail z/j/d.net/jail/j";

Also, the jail's root account is able to make and mount new filesystems under z/j/d.net/jail/j, so it sure smells to me like a permission check failing.

For now, I decided to go ahead with receiving replications into the jail using the jail's root account, and using an ssh key locked down to zfs receive. It was either that, or go with a non-root account and receive replications straight into the base system. Yet I really like the idea of being able to receive replicated filesystems with mount points that conflict with those in the base system with impunity. Plus, the assurance that the filesystems will never be mounted by the base system (since jailed=on) is very reassuring to me.
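
The workaround mentioned in the last post, an ssh key locked down to zfs receive, sketched as a forced-command wrapper. This is an added example, not code from the thread; the wrapper path, the flag allowlist (-F, -u, -v) and the rule that targets must be children of z/j/d.net/jail/j are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper restricting an SSH key to `zfs receive`.
# Constructed authorized_keys entry (wrapper path and key are placeholders):
#   command="/usr/local/sbin/zfs-recv-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <KEY> replication
# Assumption: received datasets must be children of this jailed dataset.
ALLOWED_PREFIX="z/j/d.net/jail/j"

# validate_recv CMD
# Returns 0 and sets RECV_FLAGS / RECV_DS only if CMD is exactly
# "zfs receive|recv [-F|-u|-v ...] <dataset>" with <dataset> below ALLOWED_PREFIX.
validate_recv() {
    RECV_FLAGS="" RECV_DS=""
    set -f            # disable globbing so '*' in the input is not expanded
    set -- $1         # split on whitespace only; the string is never eval'ed
    set +f
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "zfs" ] || return 1
    case "$2" in receive|recv) ;; *) return 1 ;; esac
    shift 2
    while [ "$#" -gt 1 ]; do
        case "$1" in
            -*[!Fuv]*) return 1 ;;                  # flag outside the allowlist
            -?*) RECV_FLAGS="$RECV_FLAGS $1" ;;
            *) return 1 ;;                          # extra non-flag word
        esac
        shift
    done
    case "$1" in
        *[!A-Za-z0-9_.:/-]*) return 1 ;;            # shell metacharacters, '@', etc.
        *//*|*/) return 1 ;;                        # empty path component
        "$ALLOWED_PREFIX"/?*) RECV_DS=$1 ;;         # must be a child dataset
        *) return 1 ;;
    esac
}

# Under sshd with a forced command, the client's request is in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_recv "$SSH_ORIGINAL_COMMAND"; then
        exec /sbin/zfs receive $RECV_FLAGS "$RECV_DS"
    fi
    echo "rejected: only 'zfs receive' below $ALLOWED_PREFIX is permitted" >&2
    exit 1
fi
```

The sender's command line is treated as data: it is split into words and matched against patterns, and the only program ever executed is /sbin/zfs receive with the validated arguments.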