ZFS and jailed environments -- best practice?

2009-11-25 Thread Mahlon E. Smith

I've been playing with mixing up ZFS and jailed environments under
8.0RC, and I've hit a point where I'm just kind of wondering how
everyone else is doing it.  I wanted to do this to take advantage of
delegated administration -- I want users inside a jail to be able to
control snapshot/rollback in their own homedir.

I'll break this up into what I did to get it working (I can't seem to
find a good step by step out there yet), and where I think I'm running
into what could be potential trouble.

First off, sysctl variables.

security.jail.enforce_statfs=0
security.jail.mount_allowed=1
vfs.usermount=1

I've always run jails with enforce_statfs=1 or enforce_statfs=2.  I
honestly don't see why that wouldn't work for ZFS stuff too, but in the
interests of following instructions (the zfs man page), I set it to 0.

Next, the 'zfs' dev node needs to be accessible from inside the jail.
So I created an /etc/devfs.rules file with the following:

host# cat /etc/devfs.rules 
[zfsenable=10]
add path 'zfs' unhide 

...and added the ruleset to the jail config in rc.conf:

jail_zfstest_devfs_ruleset=zfsenable

So far so good, the jail gets a /dev/zfs, and I can issue zfs commands.
I get 'no datasets available' from within the jail, which is exactly
what I'd expect.

So, tank/jails/jail1 is a ZFS volume, and I want tank/jails/jail1/home
to be under the control of the jail, and mounted at /home inside of it.


I stop the jail and unmount the home volume.

host# zfs umount tank/jails/jail1/home

Then I enable 'jailed mode' on the volume, and start the jail back up.

host# zfs set jailed=on tank/jails/jail1/home

In the host, let's just say the JID is 8.

host# /sbin/zfs jail 8 tank/jails/jail1/home


From that point, it appears that the host thinks that volume is not
under its own control.  (good!)

host# zfs mount tank/jails/jail1/home
cannot mount 'tank/jails/jail1/home': dataset is exported to a local zone

Whew, okay.  Back into the jail.

jail# zfs set mountpoint=/home tank/jails/jail1/home
jail# zfs mount -a
jail# zfs allow -s @homedir \
    create,clone,mount,rollback,snapshot,send,receive,compression,checksum,quota,readonly,destroy \
    tank/jails/jail1/home
jail# zfs allow -u user1 @homedir tank/jails/jail1/home/user1

... and by god, it works.  Yay!


Here are the weird parts, or parts that make me feel like I'm not doing
something correctly.

1) From the host now -- I've got two /home partitions mounted when
displaying a 'df'.  They -appear- to do the right thing... /home on the
host is correct when getting a listing, and /home in the jail is also
correct.  But I can't help but feel like this is asking for trouble, or
will eat the delicious data at some point.

2) What the heck is the procedure for automating this on boot?  Roll
your own?  The JID shuffles, of course.  I could easily whip up some
zfs jail `jls | awk '/jail1/ { print $2 }' ... junk, but where would
I put something like that? jail_afterstart0= seems to load things
in the context of the jail, not the host.  And then I'd have to set
canmount=noauto on that home volume, and mount it manually from within
the jail via some startup script?  Seems... like a pain in the ass for
what is otherwise a pretty blissful setup.

Really, I'm not sure what's right, what's stable, and what won't make me
totally regret doing this later.  :)

Advice, discussion, or pointers elsewhere are all appreciated!

-Mahlon

--
Mahlon E. Smith  
http://www.martini.nu/contact.html
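The host-side "zfs jail" step from the post, automated, as an added example that is not part of the original message. It resolves the JID from jls(8) at run time instead of hard-coding it, refuses dataset names that could carry shell metacharacters, and finishes with the in-jail mount via jexec(8) so the jail's own startup scripts need no ZFS knowledge. Assumptions: the jail is rooted at /jails/jail1 (the path is not given in the post), the dataset is tank/jails/jail1/home as in the post, and the jls sample used for testing is constructed to match jls's default columns.

```sh
#!/bin/sh
# Added example (not code from the original post): host-side helper that
# attaches a jailed ZFS dataset to a running jail, looking the JID up from
# jls(8) instead of hard-coding it.  Assumed names: jail root /jails/jail1,
# dataset tank/jails/jail1/home, matching the post's layout.

# Print the JID of the jail whose root path is $2, given jls(8) output in $1.
# jls prints the JID first and the path last; the IP column can be blank on
# a jail without an address, so key on $1 and $NF, not on a fixed column.
jid_from_jls() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 1 && $NF == want { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Accept only the characters ZFS itself allows in dataset names, so a value
# taken from rc.conf cannot inject shell metacharacters into the commands
# below.  Also reject empty names and leading/trailing slashes.
dataset_name_ok() {
    case $1 in
        '' | /* | */ | *[!A-Za-z0-9_.:/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run a command, or only print it when DRY_RUN is set, so the sequence can be
# reviewed before it touches a live pool.
run() {
    if [ -n "${DRY_RUN-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Host-side attach: $1 = jail root path, $2 = dataset.  Mirrors the manual
# steps in the post (unmount on host, jailed=on, zfs jail, mount inside).
attach_jailed_dataset() {
    jail_path=$1 dataset=$2
    dataset_name_ok "$dataset" ||
        { echo "refusing dataset name '$dataset'" >&2; return 1; }
    [ "$(sysctl -n security.jail.mount_allowed)" = 1 ] ||
        { echo "security.jail.mount_allowed must be 1" >&2; return 1; }
    jid=$(jid_from_jls "$(jls)" "$jail_path") ||
        { echo "no running jail rooted at $jail_path" >&2; return 1; }
    # Only a dataset that is not yet jailed can be mounted on the host;
    # unmount it there first, exactly as the post does by hand.
    if [ "$(zfs get -H -o value jailed "$dataset")" != on ]; then
        [ "$(zfs get -H -o value mounted "$dataset")" != yes ] ||
            run zfs unmount "$dataset"
        run zfs set jailed=on "$dataset"
    fi
    run zfs jail "$jid" "$dataset"
    # The host can no longer mount it ("exported to a local zone"), so do
    # it from inside the jail; mountpoint=/home is relative to the jail root.
    run jexec "$jid" zfs mount -a
}

# Usage from the host, once the jail is running:
#   attach_jailed_dataset /jails/jail1 tank/jails/jail1/home
```

Run attach_jailed_dataset from whatever host-side hook your release's rc.d/jail offers after the jail starts (check rc.conf(5) for a jail_<name>_exec_poststart-style variable); failing that, a small rc.d script ordered after jail works. Because the dataset stays jailed=on across reboots, the host never mounts it at boot, so the canmount=noauto dance the post worries about is unnecessary: the jexec step mounts it inside the jail each time.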





Re: ZFS disk replacement questions

2009-11-23 Thread Mahlon E. Smith
On Tue, Nov 03, 2009, Derrick Ryalls wrote:
> On Tue, Nov 3, 2009 at 10:21 AM, Steve Polyack kor...@comcast.net wrote:
> > Derrick Ryalls wrote:
> >
> > > 1) In the event of a disk failure, how do I trace back the name such
> > > as adX to a physical drive in the enclosure?  Is there a way to take
> > > the drive offline then use atacontrol to spin it down or something so
> > > it is easy to identify?
> >
> >
> > In my opinion you are best off using glabel(8) to give names to the disks.
> > This way you can name them in a way that makes sense to you.  Additionally,
> > when you create the ZFS pool you will use the glabel'd names.  This means
> > that the pool will still come up properly if something causes your devices
> > to be numbered differently (i.e. a drive dies and you happen to reboot the
> > system).
>
> I believe ZFS does this automatically.  Supposedly, if you take a
> working set of RAIDZ drives from one machine and put it in another,
> ZFS will figure out the drives since they get labelled by ZFS
> internally.  My question concerns how to identify the physical disk in
> question based on the adX or glabel name?  Different name in software
> is fine, but if the drive fails I want to make sure I pull the correct
> drive.



This is only true if the metadata on the drives is re-read -- if your
pool loses a drive and the device numbers shuffle, your pool will be
FAILED on the next boot.

You can, however, force the metadata to be re-read via a 'zfs export
POOL', and a subsequent 'zfs import POOL'. 

However, using glabel avoids that step entirely, as ZFS will always see
the 'right' devices in the right places, regardless of where they are
physically.

-Mahlon

--
Mahlon E. Smith  
http://www.martini.nu/contact.html
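The glabel approach recommended in this thread, carried through as an added example that is not part of any message above. Naming each label after the physical bay means zpool status reports "label/bay2" rather than "ad6", which answers the question of which drive to pull; the helper also maps a label back to whatever device currently sits behind it by parsing `glabel status`. The bay names, the ad4/ad6 device names and the sample `glabel status` output used for testing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: glabel(8) names that encode the
# physical bay, so the ZFS vdev name, not adX, tells you which drive to pull.
# Bay numbering and the ad4/ad6 device names are assumed for illustration.

# Given `glabel status` output in $1, print the provider (device) currently
# behind label $2, e.g. "ad4" for label/bay1.  The Components column is the
# last one, so use $NF; the Status column ("N/A") is ignored.
provider_for_label() {
    printf '%s\n' "$1" | awk -v want="label/$2" '
        NR > 1 && $1 == want { print $NF; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Run a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Label each bare disk after its bay, then build the pool from the labels.
# Usage: label_and_create tank raidz bay1=ad4 bay2=ad6 bay3=ad8
label_and_create() {
    pool=$1 vdevtype=$2; shift 2
    labels=
    for pair in "$@"; do
        name=${pair%%=*} dev=${pair#*=}
        # glabel stores its metadata in the disk's last sector; the disk must
        # not be in use by anything else when it is labelled.
        run glabel label "$name" "/dev/$dev"
        labels="$labels label/$name"
    done
    # $labels is split on purpose: one argument per label.
    run zpool create "$pool" "$vdevtype" $labels
}

# After physically swapping the drive in a bay: label the new disk with the
# same bay name, then let ZFS resilver onto it.  With no new_device argument,
# zpool replace treats the same name as a fresh disk, which is exactly this case.
replace_bay() {
    pool=$1 bay=$2 newdev=$3
    run glabel label "$bay" "/dev/$newdev"
    run zpool replace "$pool" "label/$bay"
}

# Usage:
#   provider_for_label "$(glabel status)" bay2     # which adX is in bay 2 now
#   label_and_create tank raidz bay1=ad4 bay2=ad6 bay3=ad8
#   replace_bay tank bay2 ad6
```

Set DRY_RUN=1 to print the glabel/zpool commands instead of running them; the labelling step is destructive to whatever metadata sits in the last sector, so review the device list before running it for real.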




Re: Future development of Jail

2008-01-03 Thread Mahlon E. Smith
On Mon, Dec 31, 2007, Karl Triebes wrote:
>
> I would like to see per-jail quotas such as the ones Andy mentions,
> and would like to hear if anyone would be interested in doing it for
> the right price. You may contact me via this list or in private.


It may not be optimal, but you can always implement a real hard quota
with a jailed environment simply by using a loopback (md) device.

--
Mahlon E. Smith  
http://www.martini.nu/contact.html
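The md(4)-backed hard quota mentioned in the reply, worked through as an added example that is not part of the original message. A jail whose root lives on a fixed-size vnode-backed md device cannot consume more host disk than the image file allows, whatever it does inside. The image path, size, md unit number and mount point are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the reply: give a jail a hard disk cap by backing
# its root with a fixed-size file on an md(4) vnode device.  The image path,
# size, unit number and mount point used below are illustrative assumptions.

# Run a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Accept sizes of the form <digits><k|m|g> only, so a value from a config
# file cannot reach truncate(1) with anything else attached to it.
size_ok() {
    n=${1%[kmgKMG]}
    [ "$n" != "$1" ] || return 1               # no unit suffix
    case $n in '' | *[!0-9]*) return 1 ;; esac # not a plain number
    return 0
}

# $1 image file, $2 size (e.g. 2g), $3 md unit number, $4 mount point.
# The filesystem size is the quota: the jail can never write past it.
md_jail_fs() {
    img=$1 size=$2 unit=$3 mnt=$4
    size_ok "$size" || { echo "bad size '$size'" >&2; return 1; }
    # truncate creates a sparse file, so the cap is enforced by the filesystem
    # size but the host still needs room as blocks fill; to reserve the space
    # up front, write the image with dd if=/dev/zero instead.
    run truncate -s "$size" "$img"
    run mdconfig -a -t vnode -f "$img" -u "$unit"
    run newfs -U "/dev/md$unit"
    run mkdir -p "$mnt"
    run mount "/dev/md$unit" "$mnt"
}

# Usage:
#   md_jail_fs /jails/jail1.img 2g 5 /jails/jail1
```

Set DRY_RUN=1 to see the command sequence without touching the host. The md device does not survive a reboot by itself; re-attach it (check rc.conf(5) for the mdconfig_md<unit> variables on your release, or an rc.d script ordered before jail) before the jail is started.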




Re: Openldap problem

2006-05-19 Thread Mahlon E. Smith
On Thu, May 18, 2006, Darryl Hoar wrote:
>
> [...]
>
> suffix  dc=osborneinternal, dc=com
> rootdn  cn=Manager, dc=osborneinternal, dc=com
> rootpw secret
>
> [...]
>
> when I try to do a :
>
> mailman# ldapadd -D 'dc=osborneinternal, dc=com' -f directory.ldif -W
> the system prompts
> Enter LDAP Password:
> I type in my password exactly as it is in the slapd.conf.  So in the above
> slapd.conf it would be the password secret without quotes.  No, it's not
> really the word
> secret, and yes it's internal so it's intended to be a clear text password.
>
> The system replies with :
> ldap_bind: Invalid credentials
>
> how the heck do I get this to work ?



You aren't using the rootdn specified in the above configuration.

If you want to auth against your rootdn, the correct command line would
be:

% ldapadd -xWD 'cn=Manager,dc=osborneinternal,dc=com' < directory.ldif

--
Mahlon E. Smith  
[EMAIL PROTECTED] | http://www.martini.nu/




DES password hashes and 5.3

2004-11-30 Thread Mahlon E. Smith

Hey all.  I've got a 5.3-BETA7 box here that is acting as a NIS master,
supporting a mixture of clients.  Lowest common denominator, as usual,
is DES.

Steps I took:

o  Enabled the 'des_users' class in login.conf.
o  Ran cap_mkdb /etc/login.conf.
o  Changed the login class for the users I want to have DES passwords for
   in the password file.
o  Updated the password for the user with passwd.

shell ~  sudo grep mahlon /etc/master.passwd
mahlon:$1...:1001:1000:des_users:0:0:Mahlon Smith:/home/mahlon:/bin/tcsh

It is still an md5 password.  Did I miss a step somewhere along the way,
or was something changed since 4.10 that I didn't catch?  (I seem to
recall nothing additional being required in 4.x.)

-Mahlon


Mahlon E. Smith  jabber id: [EMAIL PROTECTED]
http://www.martini.nu/ get pgp key:  [EMAIL PROTECTED]
..
One of the best examples of democracy in action is a lynch mob.




Re: ftp best practices

2003-03-18 Thread Mahlon E. Smith
On Tue, Mar 18, 2003, Defryn, Guy wrote:
> One thing I would like to prevent is the visibility of the config files
> in the directory. I tried setting the shell to nonexistent but ftp does
> not seem to allow that.


Another option is to use pureftpd with the -x and -X flags.  This
won't prevent the files from being visible, but it will prevent any
tampering via ftp.

-Mahlon


Mahlon E. Smith          jabber id: [EMAIL PROTECTED]
http://www.martini.nu/   get pgp key:  [EMAIL PROTECTED]

If you sit down at a poker game and don't see a sucker, get up.
   You're the sucker.

