ZFS and FreeBSD jails

March 18, 2007

The ZFS file system is nicely integrated with Solaris’ zones. It came to my mind a long time ago that it would be very cool to integrate ZFS with FreeBSD jails in the same way.

People have been talking for a long time about making jails more feature-full, but mostly on the networking front (my multiple-IPs-in-jail patch, Marko Zec’s vimage, etc.); storage has been forgotten.

Unfortunately we can’t allow jail administrators to access raw disks/partitions (GEOM providers), create file systems on them and mount those file systems. The reason is that the kernel can’t handle corrupted file system metadata, so someone inside a jail could write garbage to a file system partition and panic the entire system.

And here comes ZFS. It fits such needs very nicely, because raw disks are only touched when we operate on pools. When we operate on file systems, we don’t have access to raw disks anymore.

The basic idea is to allow pool management only from outside a jail, and to assign ZFS file systems to jails.

For example:

main# zfs create tank/jail
main# zfs set jailed=on tank/jail
main# zfs jail 1 tank/jail

Now from within a jail we can:

jail# zfs create tank/jail/home
jail# zfs create tank/jail/home/pjd
jail# zfs create tank/jail/home/pawel
jail# zfs snapshot tank/jail/home/pjd@backup
jail# zfs destroy tank/jail/home/pawel
jail# zfs rollback tank/jail/home/pjd@backup
jail# zfs set compression=on tank/jail/home/pjd

I’ll use this slot to keep the list of dataset names accessible inside the jail.

Good, now we need to allow mounting/unmounting of file systems from within a jail.

I added a security.jail.mount_allowed sysctl which, when set to 1, grants the PRIV_VFS_MOUNT and PRIV_VFS_UNMOUNT privileges to jailed root. I’m not really happy with this sysctl, because currently it allows mounting file systems like devfs and procfs from within a jail, which is very wrong, especially for devfs.

We also need to set security.jail.enforce_statfs to 0, so the zfs command can see mounted file systems.
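As an added example (not code from the post), a small sh script that performs the host-side delegation described above and audits a jail’s mounts for the devfs/procfs case the mount_allowed sysctl opens up. It assumes the post’s patched zfs(8) (the jailed property and the zfs jail subcommand) and the security.jail.* sysctls named above; with DRY_RUN=1, the default, the commands are printed instead of executed, and the mount(8) lines fed to the audit are constructed samples.

```shell
#!/bin/sh
# Added example, not from the post. Assumes the patched zfs(8) with the
# "jailed" property and "zfs jail" subcommand, plus security.jail.mount_allowed
# and security.jail.enforce_statfs. DRY_RUN=1 (default) prints commands only.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only pool/child[/...] names built from safe characters, so nothing
# taken from a jail configuration reaches zfs(8) unchecked.
valid_dataset() {
    case "$1" in
        */*) ;;                                      # must be pool/child
        *) return 1 ;;
    esac
    case "$1" in
        /*|*/|*//*|*[!A-Za-z0-9_./-]*) return 1 ;;   # no abs path, empty part, metachar
    esac
}

# jail_dataset JID DATASET: the three host-side steps from the post.
jail_dataset() {
    jid=$1 ds=$2
    case "$jid" in ''|*[!0-9]*) echo "bad jail id: $jid" >&2; return 1 ;; esac
    valid_dataset "$ds" || { echo "bad dataset name: $ds" >&2; return 1; }
    run zfs create "$ds" &&
    run zfs set jailed=on "$ds" &&
    run zfs jail "$jid" "$ds"
}

# host_sysctls: the two host knobs the post requires.
host_sysctls() {
    run sysctl security.jail.mount_allowed=1 &&
    run sysctl security.jail.enforce_statfs=0
}

# audit_mounts: read mount(8)-style lines ("fs on /path (type, opts)") on stdin
# and print "type fs path" for every mount that is not zfs. With mount_allowed=1
# a jailed root could mount devfs/procfs; this surfaces such mounts.
audit_mounts() {
    while read -r fs on path rest; do
        type=${rest#\(}; type=${type%%,*}; type=${type%\)}
        [ "$type" = zfs ] || printf '%s %s %s\n' "$type" "$fs" "$path"
    done
}

# Constructed sample of what mount(8) inside a jail might print (not real output).
SAMPLE_MOUNTS='tank/jail on / (zfs, local)
devfs on /dev (devfs, local)
procfs on /proc (procfs, local)'
```

On a real host, run it with DRY_RUN=0 and call host_sysctls and jail_dataset 1 tank/jail; inside the jail, pipe the output of mount into audit_mounts.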

Everything described up to this point is already implemented and works.

I’d also like to add a ‘jails’ property, which tells which jails a given dataset is attached to.