Quoting Miroslav Lachman <[email protected]> (from Mon, 19 Dec 2016 18:57:39 +0100):

Alexander Leidinger wrote on 2016/12/19 17:56:

Quoting Miroslav Lachman <[email protected]> (from Sun, 18 Dec 2016 13:20:31 +0100):
Alexander Leidinger wrote on 2016/12/17 19:59:
Quoting SK <[email protected]> (from Fri, 16 Dec 2016 14:02:20

Correct.

You need the data in the root of the jail to boot, if you then attribute
this dataset to the jail, it will vanish until "zfs mount -a" is run (rc
script inside the jail). As it will vanish during the boot of the jail
(if added automatically), the rc script to mount all datasets can not be
found.

[...]

I think what you are trying to tell here is, unless and until that
"vanished" dataset is put to use (mounted) from inside the jail, it
will remain vanished/unusable from the host itself; however, once that
dataset is put to use, the host system should be able to "see" and
maybe even work on that dataset. Could you please confirm if I
understood you correctly?

Correct.

A sub-dataset which is not needed to boot, or a dataset not within the
subtree of the jail (and not needed to boot) can be used.

Thank you for this information! If it is somewhere in the docs it is
well hidden to me :)

I don't expect it to be in the docs. I try to come up with something for
the man page for zfs (for the "attach to jail" part), but anyone shall
feel free to beat me with this.

Anyone with an idea where in the jail man page we should add something
too (I only had a look at the zfs man page when this issue came up)?

It would be nice to have this mentioned in zfs(8) man page (that user in jail cannot manage jail's root dataset but can manage some sub-dataset not required to boot the jail).

What about this? Better wording welcome.
---snip---
Index: zfs.8
===================================================================
--- zfs.8       (Revision 298108)
+++ zfs.8       (Arbeitskopie)
@@ -450,8 +450,11 @@
 dataset can be attached to a jail by using the
 .Qq Nm Cm jail
 subcommand. You cannot attach a dataset to one jail and the children of the
-same dataset to another jails. To allow management of the dataset from within
-a jail, the
+same dataset to another jails. You can also not attach the root file system
+of the jail or any dataset which needs to be mounted before the zfs rc script
+is run inside the jail, as it would be attached unmounted until it is
+mounted from the rc script inside the jail. To allow management of the
+dataset from within a jail, the
 .Sy jailed
 property has to be set and the jail needs access to the
 .Pa /dev/zfs
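Review bot: The added sentence starting "You can also not attach the root file system" is worded as a hard restriction, but the reason it gives ("it would be attached unmounted until it is mounted from the rc script inside the jail") describes the consequence of an attach that does go through. Suggest phrasing it as advice plus effect, for example "Do not attach the root file system of the jail or any dataset which needs to be mounted before the zfs rc script is run inside the jail", followed by a sentence saying the dataset stays unmounted until that script mounts it, so the jail cannot find the files it needs to start. Two style points: mdoc sources normally begin each sentence on a new line, whereas the new text continues mid-line after the previous sentence, and the reworked line still carries "another jails".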
---snip---

And there can be some useful example in jail(8) man page in EXAMPLES. There is section "Jails and File Systems" and there can be new section "Manage ZFS from within jail" with basic notes about required jail params, zfs set jailed property and example "hierarchy". (and warning about gotchas with jailed=0 on jail's root directory)

Are you willing to come up with some text-only version/draft/outline for this one?

Bye,
Alexander.
--
http://www.Leidinger.net [email protected]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    [email protected]  : PGP 0x8F31830F9F2772BF
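
The rule discussed in this thread (a dataset that is the jail's root, contains it, or holds files needed before the jail's zfs rc script runs must not be attached) can be checked from mountpoints before running "zfs jail". The following is an added example, not code from the mail or from FreeBSD; the function names, the BOOT_DIRS list and the sample paths are assumptions.

```shell
#!/bin/sh
# BOOT_DIRS is an assumption: directories this jail needs before its own
# zfs rc script has run. Adjust it to the jail's real layout.
BOOT_DIRS="/bin /sbin /lib /libexec /etc /usr /var"

# Strip trailing slashes so "/jails/j1/" and "/jails/j1" compare equal.
norm() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# can_attach JAILROOT MOUNTPOINT
# Prints a verdict; returns 0 if attaching looks safe, 1 if the jail would
# lose files it needs at start. On a real host the mountpoint comes from
# "zfs get -H -o value mountpoint <dataset>".
can_attach() {
    root=$(norm "$1"); mp=$(norm "$2")
    if [ "$mp" = "$root" ]; then
        echo "unsafe: dataset is the jail root"; return 1
    fi
    # Mounted above the jail root: the root directory lives in this dataset.
    case "$root/" in
        "${mp%/}/"*) echo "unsafe: dataset contains the jail root"; return 1 ;;
    esac
    # Mounted inside the jail: unsafe only if it holds a boot-time directory.
    case "$mp" in
        "$root"/*)
            rel=${mp#"$root"}
            for d in $BOOT_DIRS; do
                if [ "$rel" = "$d" ]; then
                    echo "unsafe: dataset holds $d, needed to boot"; return 1
                fi
            done ;;
    esac
    echo "ok"; return 0
}

# Constructed sample layout (hypothetical paths, not from the thread).
for m in /jails/j1 /jails /jails/j1/usr /jails/j1/data /tank/shared; do
    printf '%-16s %s\n' "$m" "$(can_attach /jails/j1 "$m")"
done
```

The check is a path heuristic only: it cannot know which files a particular jail really needs at boot, which is why BOOT_DIRS has to be maintained per jail.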
