ZFS and FreeBSD jails

The ZFS file system is nicely integrated with Solaris’ zones. It came to my mind a long time ago that it would be very cool to integrate ZFS with FreeBSD jails.

People have been talking for a long time about making jails more featureful, but mostly on the networking front (my multiple-IPs-in-jail patch, Marko Zec’s vimage, etc.); they forget about storage.

Unfortunately we can’t allow jail administrators to access raw disks/partitions (GEOM providers), create file systems on them and mount those file systems. The reason is that we can’t handle corrupted file system metadata, so someone from within a jail could write garbage to a file system partition and panic the entire system.

And here comes ZFS. ZFS fits such needs very nicely, because we operate on raw disks only when we operate on pools. When we operate on file systems, we don’t have access to raw disks anymore.

The basic idea is to allow pool management only from outside a jail, and assign ZFS file systems to the jails.

For example:

main# zfs create tank/jail
main# zfs set jailed=on tank/jail
main# zfs jail 1 tank/jail

Now from within a jail we can:

jail# zfs create tank/jail/home
jail# zfs create tank/jail/home/pjd
jail# zfs create tank/jail/home/pawel
jail# zfs snapshot tank/jail/home/pjd@backup
jail# zfs destroy tank/jail/home/pawel
jail# zfs rollback tank/jail/home/pjd@backup
jail# zfs set compression=on tank/jail/home/pjd

I’ll use this slot to keep the list of dataset names accessible inside the jail.

Good, now we need to allow mounting/unmounting file systems from within a jail.
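As an added illustration (not code from the original post or from FreeBSD), here is a small sh model of the authorization rule the design above implies: a jailed root may act only on datasets at or below one attached to its jail with zfs jail, with snapshots judged by the dataset they belong to. JAIL1_DATASETS and dataset_allowed are constructed names.

```shell
#!/bin/sh
# Constructed model of the jail-side check: the list of dataset names kept
# for a jail decides what a jailed admin may manage. Matching is done on
# whole path components, so tank/jail does not grant tank/jailx.

# Datasets attached to jail 1 (constructed sample; space separated).
JAIL1_DATASETS="tank/jail"

# dataset_allowed <attached-datasets> <requested-name>
# Returns 0 if a jailed admin may act on <requested-name>, 1 otherwise.
dataset_allowed() {
    attached=$1
    name=${2%%@*}          # snapshot names: strip "@snap", judge the dataset
    for ds in $attached; do
        case "$name" in
            "$ds"|"$ds"/*) return 0 ;;   # the attached dataset or a child
        esac
    done
    return 1               # anything else, including the pool itself
}

# Demo over the commands shown above plus a few names a jail must not reach.
for n in tank/jail/home tank/jail/home/pjd@backup tank/jail \
         tank/jailx tank/other tank; do
    if dataset_allowed "$JAIL1_DATASETS" "$n"; then
        printf '%-28s allowed\n' "$n"
    else
        printf '%-28s denied\n' "$n"
    fi
done
```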

I added a security.jail.mount_allowed sysctl which, when set to 1, grants the PRIV_VFS_MOUNT and PRIV_VFS_UNMOUNT privileges to jailed root. I’m not really happy with this sysctl, because currently it allows mounting file systems such as devfs and procfs from within a jail, which is very wrong, especially for devfs.

We also need to set security.jail.enforce_statfs to 0, so the zfs command can see mounted file systems.

What is described up to this point is already implemented and works.

I’d also like to add a ‘jails’ property, which tells which jails the given dataset is attached to.
