ZFS and jailed environments -- best practice?
I've been playing with mixing up ZFS and jailed environments under 8.0RC, and I've hit a point where I'm just kind of wondering how everyone else is doing it.

I wanted to do this to take advantage of delegated administration -- I want users inside a jail to be able to control snapshot/rollback in their own homedir.

I'll break this up into what I did to get it working (I can't seem to find a good step by step out there yet), and where I think I'm running into what could be potential trouble.

First off, sysctl variables.

    security.jail.enforce_statfs=0
    security.jail.mount_allowed=1
    vfs.usermount=1

I've always run jails with enforce_statfs=1 or enforce_statfs=2. I honestly don't see why that wouldn't work for ZFS stuff too, but in the interests of following instructions (the zfs man page), I set it to 0.

Next, the 'zfs' dev node needs to be accessible from inside the jail. So I created an /etc/devfs.rules file with the following:

    host# cat /etc/devfs.rules
    [zfsenable=10]
    add path 'zfs' unhide

...and added the ruleset to the jail config in rc.conf:

    jail_zfstest_devfs_ruleset=zfsenable

So far so good, the jail gets a /dev/zfs, and I can issue zfs commands. I get 'no datasets available' from within the jail, which is exactly what I'd expect.

So, tank/jails/jail1 is a ZFS volume, and I want tank/jails/jail1/home to be under the control of the jail, and mounted at /home inside of it.

I stop the jail and unmount the home volume.

    host# zfs umount tank/jails/jail1/home

Then enabled 'jailed mode' on the volume, and start the jail back up.

    host# zfs set jailed=on tank/jails/jail1/home

In the host, let's just say the JID is 8.

    host# /sbin/zfs jail 8 tank/jails/jail1/home

From that point, it appears that the host thinks that volume is not under its own control. (good!)

    host# zfs mount tank/jails/jail1/home
    cannot mount 'tank/jails/jail1/home': dataset is exported to a local zone

Whew, okay. Back into the jail.

    jail# zfs set mountpoint=/home tank/jails/jail1/home
    jail# zfs mount -a
    jail# zfs allow -s @homedir create,clone,mount,rollback,snapshot,send,receive,compression,checksum,quota,readonly,destroy tank/jails/jail1/home
    jail# zfs allow -u user1 @homedir tank/jails/jail1/home/user1

... and by god, it works. Yay!

Here are the weird parts, or parts that make me feel like I'm not doing something correctly.

1) From the host now -- I've got two /home partitions mounted when displaying a 'df'. They -appear- to do the right thing... /home on the host is correct when getting a listing, and /home in the jail is also correct. But I can't help but feel like this is asking for trouble, or will eat the delicious data at some point.

2) What the heck is the procedure for automating this on boot? Roll your own? The JID shuffles, of course. I could easily whip up some zfs jail `jls | awk '/jail1/ { print $2 }' ... junk, but where would I put something like that? jail_afterstart0= seems to load things in the context of the jail, not the host. And then I'd have to set canmount=noauto on that home volume, and mount it manually from within the jail via some startup script? Seems... like a pain in the ass for what is otherwise a pretty blissful setup.

Really, I'm not sure what's right, what's stable, and what won't make me totally regret doing this later. :)

Advice, discussion, or pointers elsewhere are all appreciated!

-Mahlon

--
Mahlon E. Smith
http://www.martini.nu/contact.html
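
[Added example, not part of the original post and not FreeBSD's own rc code: a host-side helper for the boot-time step asked about in point 2. It resolves the JID from the jail's hostname by exact match and then hands over the datasets. The function names, the APPLY switch and the sample jls output are assumptions made for illustration.]

```sh
#!/bin/sh
# Added example (not from the original post). Run on the host, after the jail is up.
# Assumes jailed=on is already set on each dataset, as in the post, and that
# every jail has one IPv4 address, so Hostname is the third column of `jls`.

# Constructed sample of default `jls` output, used for the dry run below.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     7  192.0.2.10      jail10                        /tank/jails/jail10
     8  192.0.2.11      jail1                         /tank/jails/jail1'

# Read `jls` output on stdin and print the JID whose Hostname equals $1.
# Exact comparison: a pattern match on "jail1" would also select "jail10".
jid_for_hostname() {
    awk -v want="$1" '
        NR > 1 && $3 == want { jid = $1; n++ }
        END { if (n != 1) exit 1; print jid }'
}

# Dry run by default: print the command. Execute it only when APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# $1 = jail hostname, remaining arguments = datasets, stdin = `jls` output.
attach() {
    name=$1; shift
    jid=$(jid_for_hostname "$name") || {
        echo "attach: no unique running jail named '$name'" >&2
        return 1
    }
    case $jid in ''|*[!0-9]*) return 1 ;; esac   # refuse a non-numeric JID
    for ds in "$@"; do
        run zfs jail "$jid" "$ds" || return 1    # hand the dataset to the jail
    done
    run jexec "$jid" zfs mount -a                # mount it from inside the jail
}

# Dry run against the constructed sample; on a real host: jls | attach ...
printf '%s\n' "$SAMPLE_JLS" | attach jail1 tank/jails/jail1/home
```

Failing when the hostname matches no jail or more than one keeps a dataset from being delegated to the wrong jail after the JIDs shuffle.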
Re: ZFS disk replacement questions
On Tue, Nov 03, 2009, Derrick Ryalls wrote:
> On Tue, Nov 3, 2009 at 10:21 AM, Steve Polyack kor...@comcast.net wrote:
> > Derrick Ryalls wrote:
> > > 1) In the event of a disk failure, how do I trace back the name such as adX to a physical drive in the enclosure? Is there a way to take the drive offline then use atacontrol to spin it down or something so it is easy to identify?
> >
> > In my opinion you are best off using glabel(8) to give names to the disks. This way you can name them in a way that makes sense to you. Additionally, when you create the ZFS pool you will use the glabel'd names. This means that the pool will still come up properly if something causes your devices to be numbered differently (i.e. a drive dies and you happen to reboot the system).
>
> I believe ZFS does this automatically. Supposedly, if you take a working set of RAIDZ drives from one machine and put it in another, ZFS will figure out the drives since they get labelled by ZFS internally.
>
> My question concerns how to identify the physical disk in question based on the adX or glabel name? Different name in software is fine, but if the drive fails I want to make sure I pull the correct drive.

This is only true if the metadata on the drives is re-read -- if your pool loses a drive and the device numbers shuffle, your pool will be FAILED on the next boot.

You can, however, force the metadata to be re-read via a 'zpool export POOL', and a subsequent 'zpool import POOL'. However, using glabel avoids that step entirely, as ZFS will always see the 'right' devices in the right places, regardless of where they are physically.

-Mahlon

--
Mahlon E. Smith
http://www.martini.nu/contact.html
Re: Future development of Jail
On Mon, Dec 31, 2007, Karl Triebes wrote:
> I would like to see per-jail quotas such as the ones Andy mentions, and would like to hear if anyone would be interested in doing it for the right price. You may contact me via this list or in private.

It may not be optimal, but you can always implement a real hard quota with a jailed environment simply by using a loopback (md) device.

--
Mahlon E. Smith
http://www.martini.nu/contact.html
Re: Openldap problem
On Thu, May 18, 2006, Darryl Hoar wrote:
> [...]
> suffix dc=osborneinternal, dc=com
> rootdn cn=Manager, dc=osborneinternal, dc=com
> rootpw secret
> [...]
>
> when I try to do a :
> mailman# ldapadd -D 'dc=osborneinternal, dc=com' -f directory.ldif -W
> the system prompts
> Enter LDAP Password:
>
> I type in my password exactly as it is in the slapd.conf. So in the above slapd.conf it would be the password secret without quotes. No, it's not really the word secret, and yes it's internal so it's intended to be a clear text password.
>
> The system replies with :
> ldap_bind: Invalid credentials
>
> how the heck do I get this to work ?

You aren't using the rootdn specified in the above configuration. If you want to auth against your rootdn, the correct command line would be:

    % ldapadd -xWD 'cn=Manager,dc=osborneinternal,dc=com' -f directory.ldif

--
Mahlon E. Smith
[EMAIL PROTECTED] | http://www.martini.nu/
DES password hashes and 5.3
Hey all.

I've got a 5.3-BETA7 box here that is acting as a NIS master, supporting a mixture of clients. Lowest common denominator, as usual, is DES.

Steps I took:

  o Enabled the 'des_users' class in login.conf.
  o Ran cap_mkdb /etc/login.conf.
  o Changed the login class for the users I want to have DES passwords for in the password file.
  o Updated the password for the user with passwd.

    shell ~ sudo grep mahlon /etc/master.passwd
    mahlon:$1...:1001:1000:des_users:0:0:Mahlon Smith:/home/mahlon:/bin/tcsh

It is still an md5 password. Did I miss a step somewhere along the way, or was something changed since 4.10 that I didn't catch? (I seem to recall nothing additional being required in 4.x.)

-Mahlon

Mahlon E. Smith
jabber id: [EMAIL PROTECTED]
http://www.martini.nu/
get pgp key: [EMAIL PROTECTED]

One of the best examples of democracy in action is a lynch mob.
Re: ftp best practices
On Tue, Mar 18, 2003, Defryn, Guy wrote:
> One thing I would like to prevent is the visibility of the config files in the directory. I tried setting the shell to nonexistent but ftp does not seem to allow that.

Another option is to use pureftpd with the -x and -X flags. This won't prevent the files from being visible, but it will prevent any tampering via ftp.

-Mahlon

Mahlon E. Smith
jabber id: [EMAIL PROTECTED]
http://www.martini.nu/
get pgp key: [EMAIL PROTECTED]

If you sit down at a poker game and don't see a sucker, get up. You're the sucker.