Hello,
I realize this kind of question has already been asked, but I was unable to find an answer to my problem in old posts or in Google.
Background: I'm creating a web server where domain names must be absolutely isolated from each other. So I plan to create a jail for each domain/IP. Some of these domains are used by many people to publish web pages (think http://web/~login/).
I want to use ZFS inside each jail, so that I can:
- set quotas for each user/web site
- periodically create/destroy snapshots of each filesystem, so every user can browse past versions of h(is|er) own files
I've installed a brand new FreeBSD 10.1 Release server, installed ezjail, created my first jail.
I've set some sysctl on host:
Code:
security.jail.enforce_statfs=1 (tried with 0 too)
security.jail.mount_allowed=1
security.jail.mount_devfs_allowed=1
security.jail.mount_zfs_allowed=1
My first jail uses these settings /usr/local/etc/ezjail/perso_jail:
Code:
export jail_perso_jail_hostname="perso-clone"
export jail_perso_jail_ip="lo1|127.0.1.1,em0|PUBLIC-IP-ADDR"
export jail_perso_jail_rootdir="/Sites/perso-jail"
export jail_perso_jail_exec_start="/bin/sh /etc/rc"
export jail_perso_jail_exec_stop=""
export jail_perso_jail_mount_enable="YES"
export jail_perso_jail_devfs_enable="YES"
export jail_perso_jail_devfs_ruleset="devfsrules_jail"
export jail_perso_jail_procfs_enable="YES"
export jail_perso_jail_fdescfs_enable="YES"
export jail_perso_jail_image=""
export jail_perso_jail_imagetype="zfs"
export jail_perso_jail_attachparams=""
export jail_perso_jail_attachblocking=""
export jail_perso_jail_forceblocking=""
export jail_perso_jail_zfs_datasets="tank/ezjail/perso-jail/user"
export jail_perso_jail_cpuset=""
export jail_perso_jail_fib=""
export jail_perso_jail_parentzfs="tank/ezjail"
export jail_perso_jail_parameters=""
export jail_perso_jail_post_start_script=""
export jail_perso_jail_retention_policy=""
I've created a dedicated tank/ezjail/perso-jail/user for use inside my jail:
Code:
zfs create -o mountpoint=/user tank/ezjail/perso-jail/user
zfs set jailed=on tank/ezjail/perso-jail/user
zfs jail $JID tank/ezjail/perso-jail/user
Then I try to mount the new FS inside the jail:
Code:
ezjail-admin console perso-jail
zfs mount tank/ezjail/perso-jail/user
cannot mount 'tank/ezjail/perso-jail/user': Insufficient privileges
But it fails.
In the jail perso-jail, /user is supposed to hold about 1 hundred personal filesystems, all mounted inside the jail as soon as this jail "starts". I need to be able to enforce quota (from outside the jail, if I've understood the limitations correctly). I need to be able to create/destroy snapshots inside the jail. And finally, each user needs to be able to access h(is|er) own snapshots by browsing ~/.zfs/snapshot/.
Of course, an intruder should not be able to access "foreign" zfs filesystems/datasets from within the jail.
What is the best way to achieve this?
Thanks.
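Added example, not part of the original post: jail(8) documents that `allow.mount.zfs` takes effect only together with `allow.mount` and an `enforce_statfs` value lower than 2, all set per jail, so this sketch audits an ezjail config for those three parameters and for a delegated dataset. It assumes `jail_<name>_parameters` holds a space-separated jail(8) parameter list; the function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ezjail config for the per-jail parameters that
# jail(8) requires before ZFS can be mounted from inside the jail.

# Constructed sample: the relevant lines of the config as posted above.
SAMPLE_AS_POSTED='export jail_perso_jail_zfs_datasets="tank/ezjail/perso-jail/user"
export jail_perso_jail_parameters=""'

# Constructed sample: same jail with the three parameters set (assumed syntax).
SAMPLE_WITH_PARAMS='export jail_perso_jail_zfs_datasets="tank/ezjail/perso-jail/user"
export jail_perso_jail_parameters="allow.mount=1 allow.mount.zfs=1 enforce_statfs=1"'

# cfg_value TEXT SUFFIX: value of the first "export jail_<name>_SUFFIX" line.
cfg_value() {
    printf '%s\n' "$1" |
        sed -n 's/^export jail_.*_'"$2"'="\(.*\)"$/\1/p' | head -n 1
}

# has_param LIST NAME: true if NAME or NAME=1 is in the space-separated LIST.
has_param() {
    case " $1 " in *" $2 "*|*" $2=1 "*) return 0 ;; esac
    return 1
}

# audit_jail_cfg TEXT: print space-separated findings; empty means none.
audit_jail_cfg() {
    params=$(cfg_value "$1" parameters)
    datasets=$(cfg_value "$1" zfs_datasets)
    findings=""
    [ -n "$datasets" ] || findings="$findings no-zfs-datasets"
    has_param "$params" allow.mount || findings="$findings missing:allow.mount"
    has_param "$params" allow.mount.zfs ||
        findings="$findings missing:allow.mount.zfs"
    # The jail default is enforce_statfs=2; ZFS mounts need 0 or 1.
    case " $params " in
        *" enforce_statfs=0 "*|*" enforce_statfs=1 "*) ;;
        *) findings="$findings enforce_statfs-not-below-2" ;;
    esac
    printf '%s\n' "${findings# }"
}

echo "as posted:   $(audit_jail_cfg "$SAMPLE_AS_POSTED")"
echo "with params: $(audit_jail_cfg "$SAMPLE_WITH_PARAMS")"
```

Granting only these parameters and delegating only the one `jailed=on` dataset keeps the jail's ZFS privileges confined to that subtree.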