delegating ZFS of jail's root directory

Michael W. Lucas mwlucas at michaelwlucas.com
Mon Jan 21 16:42:54 UTC 2019 

Hi,

Two more book research questions, sorry. If the answer is "it doesn't
work that way," cool, I'll document and move on. It looks like ZFS
delegation isn't widely used.

1) It seems I can successfully delegate managing ZFS datasets to a jail,
sort of. A restart removes my ability to destroy and rename datasets I
created, though.

2) I can't delegate the jail's root to the jail. Obvious question: CAN
you delegate a jail's root dataset, or am I chasing an impossibility
here?

Details:

Real hardware, running yesterday's -current:

FreeBSD storm 13.0-CURRENT FreeBSD 13.0-CURRENT r343219 GENERIC  amd64


Here's my jail.conf.

exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

filedump {
  host.hostname="filedump.mwl.io";
  ip4.addr="203.0.113.224";
  path="/jail/filedump/zroot";
  persist=true;
  mount.devfs=true;
  allow.mount=true;
  allow.mount.zfs=true;
  enforce_statfs=1;
  exec.poststart="/sbin/zfs jail filedump jail/filedump/zroot";
  exec.poststop="/sbin/zfs unjail filedump jail/filedump/zroot";
}

/jail/filedump/zroot contains FreeBSD 12.0 base.tgz extract.

# ls /jail/filedump/zroot/
.cshrc          dev             media           root            var
.profile        etc             mnt             sbin
COPYRIGHT       jail            net             sys
bin             lib             proc            tmp
boot            libexec         rescue          usr

Initial ZFS "jailed" parameter:

# zfs get -r jailed jail/filedump
NAME                          PROPERTY  VALUE   SOURCE
jail/filedump                 jailed    off     default
jail/filedump/zroot           jailed    off     default
jail/filedump/zroot/cdr       jailed    on      local
jail/filedump/zroot/home      jailed    on      local
jail/filedump/zroot/home/mwl  jailed    on      inherited from jail/filedump/zroot/home


Running "service jail start filedump" gives me a working jail. I can
create and destroy datasets.

root at filedump:~ # zfs create jail/filedump/zroot/home/abc
root at filedump:~ # zfs destroy jail/filedump/zroot/home/abc

Gonna recreate that dataset for testing purposes:

root at filedump:~ # zfs create jail/filedump/zroot/home/abc

Now back to the host, restart the jail, and:

root at filedump:~ # zfs destroy jail/filedump/zroot/home/abc
cannot unmount '/jail/filedump/zroot/home/abc': Operation not permitted

I created this dataset within the jail, and can manage it only so long
as it's the same jail instance. A restart wrecks my ability to manage
the dataset.



Second problem:

I would also like to delegate management of the jail's root fileset,
so on the host I run:

# zfs set jailed=on jail/filedump/zroot
# service jail start filedump
Starting jails: cannot start jail  "filedump":
jail: filedump: mount.devfs: /jail/filedump/zroot/dev: No such file or directory
.

Which--of course, the root dir isn't mounted, so /dev can't be mounted.


I'm vaguely confident I've heard of people delegating management of
the root dataset to the jail, though I can't find it. Am I
misremembering?

Thanks,

==ml

-- 
Michael W. Lucas 	https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...

More information about the freebsd-jail mailing list