mounting fdescfs in a nested/hierarchical jail?

Ruben van Staveren ruben at verweg.com
Mon Aug 18 12:26:19 UTC 2014


Hi list,

I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.

However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.

There is no allow.mount.fdescfs. Do we need one?

Cheers,
	Ruben




ruben at test:~ % sudo ezjail-admin onestart nested1
Starting jails: cannot start jail  "nested1": 
mount: .: Operation not permitted
jail: nested1: /sbin/mount -t fdescfs . /opt/jails/nested1/dev/fd: failed
.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider to migrate to /etc/jail.conf.
Error: Could not onestart nested1.
  You need to onestart it by hand.



ruben at test:~ % sysctl -a | egrep jail\|mount | grep -v param
vfs.usermount: 0
vfs.ffs.compute_summary_at_mount: 0
debug.softdep.softdep_mounts: 0
security.jail.jailed: 1
security.jail.vnet: 0
security.jail.jail_max_af_ips: 255
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1
security.jail.devfs_ruleset: 4


ruben at test:~ % sudo /sbin/mount -vt devfs . /opt/jails/nested1/dev/
devfs on /opt/jails/nested1/dev (devfs)
ruben at test:~ % sudo /sbin/mount -vt fdescfs . /opt/jails/nested1/dev/fd/
mount: .: Operation not permitted
devfs on /opt/jails/nested1/dev (devfs)



More information about the freebsd-stable mailing list
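
An added example, not part of the original post: a small sh helper that reads `security.jail.*` sysctl text like the output in the message and reports, per filesystem type, whether the current jail holds a mount permission for it. The function names are hypothetical, and reading a missing `mount_<fstype>_allowed` knob as "this kernel exposes no jail permission for that type" is an assumption.

```shell
#!/bin/sh
# Constructed input: security.jail.* lines copied from the sysctl output in the post.
SAMPLE_SYSCTL='security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1'

# knob NAME (hypothetical helper): read sysctl text on stdin and print the
# value of security.jail.NAME, or nothing when the knob is absent.
knob() {
    awk -v k="security.jail.$1:" '$1 == k { print $2; exit }'
}

# jail_mount_verdict FSTYPE SYSCTL_TEXT (hypothetical helper). Prints one of:
#   mount-off        allow.mount is not set for this jail
#   statfs-too-high  enforce_statfs is 2; jail(8) requires a value below 2
#   no-knob          no mount_<fstype>_allowed sysctl exists (assumption: the
#                    kernel has no per-jail permission for this type)
#   denied           the per-type permission exists but is 0
#   allowed          every gate visible in the sysctl output is open
jail_mount_verdict() {
    fstype=$1
    text=$2
    master=$(printf '%s\n' "$text" | knob mount_allowed)
    statfs=$(printf '%s\n' "$text" | knob enforce_statfs)
    perfs=$(printf '%s\n' "$text" | knob "mount_${fstype}_allowed")

    if [ "${master:-0}" != "1" ]; then echo "mount-off"; return 0; fi
    if [ "${statfs:-2}" -ge 2 ]; then echo "statfs-too-high"; return 0; fi
    if [ -z "$perfs" ]; then echo "no-knob"; return 0; fi
    if [ "$perfs" = "1" ]; then echo "allowed"; else echo "denied"; fi
}

# Walk the types relevant to the post and print one verdict per line.
for fs in devfs nullfs procfs tmpfs zfs fdescfs; do
    printf '%-8s %s\n' "$fs" "$(jail_mount_verdict "$fs" "$SAMPLE_SYSCTL")"
done
```

Inside a jail on a live system, pass the real values instead of the sample: `jail_mount_verdict fdescfs "$(sysctl security.jail)"`.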