jails, ZFS, deprecated jail variables and poudriere problems
Alexander Leidinger
Alexander at leidinger.net
Wed Aug 28 11:57:36 UTC 2019
Quoting "O. Hartmann" <ohartmann at walstatt.org> (from Tue, 27 Aug 2019
10:11:54 +0200):
> We have a single ZFS pool (raidz), call it pool00 and this pool00 contains a
> ZFS dataset pool00/poudriere which we want to exclusively attach to a jail.
> pool00/poudriere contains a complete clone of a former, now decommissioned
> machine and is usable by the host bearing the jails. The jail, named poudriere,
> has these config parameters set in /etc/jail.conf as recommended:
>
> enforce_statfs= "0";
>
> allow.raw_sockets= "1";
>
> allow.mount= "1";
> allow.mount.zfs= "1";
The line above is what is needed, and what is replacing the sysctl
you've found.
> allow.mount.devfs= "1";
> allow.mount.fdescfs= "1";
> allow.mount.procfs= "1";
> allow.mount.nullfs= "1";
> allow.mount.fusefs= "1";
>
> Here I find the first confusing observation. I can't interact with the dataset
> and its content within the jail. I've set the "jailed" property of
> pool00/poudriere via "zfs set jailed=on pool00/poudriere" and I also have to
> attach the jailed dataset manually via "zfs jail poudriere pool00/poudriere" to
> the (running) jail. But within the jail, listing ZFS's mountpoints reveals:
>
> NAME USED AVAIL REFER MOUNTPOINT
> pool00 124G 8.62T 34.9K /pool00
> pool00/poudriere 34.9K 8.62T 34.9K /pool/poudriere
>
> but nothing below /pool/poudriere is visible to the jail. Being confused I
Please be more verbose about what you mean by "interact" and "is visible".
Do zfs commands on the dataset work?
Note, I don't remember if you can manage the root of the jail, but at
least subsequent jails should be possible to manage. I don't have a
jail where the root is managed in the jail, just additional ones.
Those need to have a mountpoint set after the initial jailing and then
maybe even be mounted for the first time.
Please also check /etc/defaults/devfs.rules if the jail rule contains
an unhide entry for zfs.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
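
Added example, not part of the original message and not FreeBSD's own tooling: one way to script the devfs.rules check suggested above, reporting whether a named ruleset unhides the zfs device node directly or through `add include` lines. The function names, the sample ruleset names and numbers, and the sample file are constructed for illustration; rule order and any later hide rule are not evaluated.

```shell
# Added example: does a devfs ruleset contain "add path zfs unhide",
# directly or via "add include $other"? (Rule ordering is not evaluated.)
ruleset_unhides_zfs() {   # $1 = rules file, $2 = ruleset name
    awk -v want="$2" '
        function resolves(name, depth,    n, parts, i) {
            if (depth > 16) return 0            # guard against include loops
            if (direct[name]) return 1
            n = split(includes[name], parts, " ")
            for (i = 1; i <= n; i++)
                if (resolves(parts[i], depth + 1)) return 1
            return 0
        }
        /^\[[A-Za-z0-9_]+=[0-9]+\]/ {           # section header [name=number]
            cur = $0; sub(/^\[/, "", cur); sub(/=.*/, "", cur); next
        }
        /^[ \t]*#/ || cur == "" { next }        # comments, text before a header
        $1 == "add" && $2 == "include" {
            inc = $3; sub(/^\$/, "", inc)
            includes[cur] = includes[cur] " " inc; next
        }
        $1 == "add" && $2 == "path" && $3 == "zfs" && $4 == "unhide" {
            direct[cur] = 1
        }
        END { exit (resolves(want, 0) ? 0 : 1) }
    ' "$1"
}
# Constructed sample rules; ruleset names and numbers are hypothetical.
write_sample() {
    cat > "$1" <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_nozfs=20]
add include $devfsrules_hide_all
add path null unhide
[devfsrules_zfs=21]
add include $devfsrules_hide_all
add path zfs unhide
[devfsrules_poudriere=22]
add include $devfsrules_zfs
EOF
}
f=$(mktemp) && write_sample "$f"
for rs in devfsrules_nozfs devfsrules_poudriere; do
    if ruleset_unhides_zfs "$f" "$rs"; then echo "$rs: zfs unhidden"
    else echo "$rs: zfs not unhidden"; fi
done
rm -f "$f"
```

On a real host the first argument would be /etc/defaults/devfs.rules (or /etc/devfs.rules) and the second the ruleset the jail actually uses.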