Hi list,

I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.

However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.

There is no allow.mount.fdescfs. Do we need one?

Cheers,
Ruben

ruben at test:~ % sudo ezjail-admin onestart nested1
Starting jails: cannot start jail "nested1":
mount: .: Operation not permitted
jail: nested1: /sbin/mount -t fdescfs . /opt/jails/nested1/dev/fd: failed
.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider to migrate to /etc/jail.conf.
Error: Could not onestart nested1. You need to onestart it by hand.

ruben at test:~ % sysctl -a | egrep jail\|mount | grep -v param
vfs.usermount: 0
vfs.ffs.compute_summary_at_mount: 0
debug.softdep.softdep_mounts: 0
security.jail.jailed: 1
security.jail.vnet: 0
security.jail.jail_max_af_ips: 255
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1
security.jail.devfs_ruleset: 4

ruben at test:~ % sudo /sbin/mount -vt devfs . /opt/jails/nested1/dev/
devfs on /opt/jails/nested1/dev (devfs)

ruben at test:~ % sudo /sbin/mount -vt fdescfs . /opt/jails/nested1/dev/fd/
mount: .: Operation not permitted
devfs on /opt/jails/nested1/dev (devfs)
On 8/18/2014 6:26 AM, Ruben van Staveren wrote:
> Hi list,
>
> I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.
>
> However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.
>
> There is no allow.mount.fdescfs. Do we need one?
>
> Cheers,
> Ruben

That's probably the answer. It seems a little inelegant to have this proliferation of pseudo-fs type allowances, but it's the direction we've gone.

In the meantime, you could pre-mount the child jails' fdescfs when the parent jails are created. That's pretty messy, especially considering it means you have to first pre-mount their devfs as well. But it's likely all the permissions will allow.

- Jamie
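An added example, not taken from Ruben's setup or from Jamie's reply, of what Jamie's workaround looks like when written into the host's /etc/jail.conf (the rc.d warning above says the jail_* variables are obsolete, so this assumes that migration has been done). The jail name "parent", its root /opt/jails/parent, the nested jail's root /opt/jails/nested1 beneath that, and the address are assumptions; the exec.prestart/exec.poststop hooks, the += append syntax, the $path substitution and the devfs ruleset 4 (devfsrules_jail) are standard jail(8) and devfs(8) features:

```conf
# Added example: host-side jail.conf for the parent jail.  The host, which
# is allowed to mount fdescfs, mounts the nested jail's /dev and /dev/fd
# before the parent starts; the parent's own ezjail then has nothing to
# mount for the nested jail's dev tree.  All paths below are assumptions.
parent {
    path = "/opt/jails/parent";
    host.hostname = "parent.example";
    ip4.addr = "192.0.2.10";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";

    # The parent's own /dev, restricted by the standard jail ruleset.
    mount.devfs;
    devfs_ruleset = 4;

    # Let the parent's ezjail do its remaining mounts for the nested jail.
    # There is no allow.mount.fdescfs knob to grant here, which is why
    # fdescfs is pre-mounted from the host instead.
    allow.mount;
    allow.mount.devfs;
    enforce_statfs = 1;

    # Pre-mount the nested jail's /dev and /dev/fd from the host side.
    # $path is the parent's root; the nested root inside it is assumed to
    # be opt/jails/nested1.  devfs first, then the ruleset, then fdescfs.
    exec.prestart  = "mount -t devfs devfs $path/opt/jails/nested1/dev";
    exec.prestart += "devfs -m $path/opt/jails/nested1/dev rule -s 4 applyset";
    exec.prestart += "mount -t fdescfs fdesc $path/opt/jails/nested1/dev/fd";

    # Tear them down in reverse order once the parent is gone.
    exec.poststop  = "umount $path/opt/jails/nested1/dev/fd";
    exec.poststop += "umount $path/opt/jails/nested1/dev";
}
```

Two things to keep in mind when using this. The nested jail's own ezjail configuration inside the parent must then skip both its fdesc mount and its devfs mount: a second devfs mounted by the parent on top of the pre-mounted one would stack over it and hide the fdescfs sitting at dev/fd underneath. And because the host, not the parent jail, is doing the devfs mount, applying ruleset 4 explicitly matters; a devfs mounted from the host is unrestricted by default, whereas one mounted from inside a jail gets the jail's devfs_ruleset applied automatically.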