Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Miroslav Lachman

Alexander Leidinger wrote on 2016/12/19 20:54:

Quoting Miroslav Lachman <000.f...@quip.cz> (from Mon, 19 Dec 2016
18:57:39 +0100):


Alexander Leidinger wrote on 2016/12/19 17:56:


Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016
13:20:31 +0100):



I don't expect it to be in the docs. I try to come up with something for
the man page for zfs (for the "attach to jail" part), but anyone shall
feel free to beat me with this.

Anyone with an idea where in the jail man page we should add something
too (I only had a look at the zfs man page when this issue came up)?


It would be nice to have this mentioned in zfs(8) man page (that user
in jail cannot manage jail's root dataset but can manage some
sub-dataset not required to boot the jail)


What about this? Better wording welcome.
---snip---
Index: zfs.8
===
--- zfs.8   (Revision 298108)
+++ zfs.8   (Arbeitskopie)
@@ -450,8 +450,11 @@
  dataset can be attached to a jail by using the
  .Qq Nm Cm jail
  subcommand. You cannot attach a dataset to one jail and the children
of the
-same dataset to another jails. To allow management of the dataset from
within
-a jail, the
+same dataset to another jails. You can also not attach the root file
system
+of the jail or any dataset which needs to be mounted before the zfs rc
script
+is run inside the jail, as it would be attached unmounted until it is
+mounted from the rc script inside the jail. To allow management of the
+dataset from within a jail, the
  .Sy jailed
  property has to be set and the jail needs access to the
  .Pa /dev/zfs
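Review bot: In the added line "+same dataset to another jails. You can also not attach the root file", the phrasing "You can also not attach" is awkward next to the preceding "You cannot attach"; "You also cannot attach" reads better. Since this line is being rewritten anyway, "another jails" could become "another jail" in the same change.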
---snip---


And there can be some useful example in jail(8) man page in EXAMPLES.
There is section "Jails and File Systems" and there can be new section
"Manage ZFS from within jail" with basic notes about required jail
params, zfs set jailed property and example "hierarchy". (and warning
about gotchas with jailed=0 on jail's root directory)


Are you willing to come up with some text-only version/draft/outline for
this one?


I am not good at English but I will try something.

Thank you!

Miroslav Lachman


___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Alexander Leidinger
Quoting Miroslav Lachman <000.f...@quip.cz> (from Mon, 19 Dec 2016  
18:57:39 +0100):



Alexander Leidinger wrote on 2016/12/19 17:56:


Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016
13:20:31 +0100):

Alexander Leidinger wrote on 2016/12/17 19:59:

Quoting SK  (from Fri, 16 Dec 2016 14:02:20



Correct.

You need the data in the root of the jail to boot, if you then attribute
this dataset to the jail, it will vanish until "zfs mount -a" is run (rc
script inside the jail). As it will vanish during the boot of the jail
(if added automatically), the rc script to mount all datasets can not be
found.


[...]


I think what you are trying to tell here is, unless and until that
"vanished" dataset is put to use (mounted) from inside the jail, it
will remain vanished/unusable from the host itself; however, once that
dataset is put to use, the host system should be able to "see" and
maybe even work on that dataset. Could you please confirm if I
understood you correctly?


Correct.

A sub-dataset which is not needed to boot, or a dataset not within the
subtree of the jail (and not needed to boot) can be used.


Thank you for this information! If it is somewhere in the docs it is
well hidden to me :)


I don't expect it to be in the docs. I try to come up with something for
the man page for zfs (for the "attach to jail" part), but anyone shall
feel free to beat me with this.

Anyone with an idea where in the jail man page we should add something
too (I only had a look at the zfs man page when this issue came up)?


It would be nice to have this mentioned in zfs(8) man page (that  
user in jail cannot manage jail's root dataset but can manage some  
sub-dataset not required to boot the jail)


What about this? Better wording welcome.
---snip---
Index: zfs.8
===
--- zfs.8   (Revision 298108)
+++ zfs.8   (Arbeitskopie)
@@ -450,8 +450,11 @@
 dataset can be attached to a jail by using the
 .Qq Nm Cm jail
 subcommand. You cannot attach a dataset to one jail and the children of the
-same dataset to another jails. To allow management of the dataset from within
-a jail, the
+same dataset to another jails. You can also not attach the root file system
+of the jail or any dataset which needs to be mounted before the zfs rc script
+is run inside the jail, as it would be attached unmounted until it is
+mounted from the rc script inside the jail. To allow management of the
+dataset from within a jail, the
 .Sy jailed
 property has to be set and the jail needs access to the
 .Pa /dev/zfs
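Review bot: The added sentence ending "+mounted from the rc script inside the jail." describes the mechanism but not the consequence or the workaround discussed in this thread. For the jail's root file system the rc script is itself on the unmounted dataset, so the mount never happens and the jail cannot boot; stating that explicitly, and adding that a sub-dataset not needed for boot can be attached and managed from inside the jail, would make the restriction actionable for readers.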
---snip---

And there can be some useful example in jail(8) man page in  
EXAMPLES. There is section "Jails and File Systems" and there can be  
new section "Manage ZFS from within jail" with basic notes about  
required jail params, zfs set jailed property and example  
"hierarchy". (and warning about gotchas with jailed=0 on jail's root  
directory)


Are you willing to come up with some text-only version/draft/outline  
for this one?


Bye,
Alexander.
--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Miroslav Lachman

Alexander Leidinger wrote on 2016/12/19 17:56:


Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016
13:20:31 +0100):

Alexander Leidinger wrote on 2016/12/17 19:59:

Quoting SK  (from Fri, 16 Dec 2016 14:02:20



Correct.

You need the data in the root of the jail to boot, if you then attribute
this dataset to the jail, it will vanish until "zfs mount -a" is run (rc
script inside the jail). As it will vanish during the boot of the jail
(if added automatically), the rc script to mount all datasets can not be
found.


[...]


I think what you are trying to tell here is, unless and until that
"vanished" dataset is put to use (mounted) from inside the jail, it
will remain vanished/unusable from the host itself; however, once that
dataset is put to use, the host system should be able to "see" and
maybe even work on that dataset. Could you please confirm if I
understood you correctly?


Correct.

A sub-dataset which is not needed to boot, or a dataset not within the
subtree of the jail (and not needed to boot) can be used.


Thank you for this information! If it is somewhere in the docs it is
well hidden to me :)


I don't expect it to be in the docs. I try to come up with something for
the man page for zfs (for the "attach to jail" part), but anyone shall
feel free to beat me with this.

Anyone with an idea where in the jail man page we should add something
too (I only had a look at the zfs man page when this issue came up)?


It would be nice to have this mentioned in zfs(8) man page (that user in 
jail cannot manage jail's root dataset but can manage some sub-dataset 
not required to boot the jail)


And there can be some useful example in jail(8) man page in EXAMPLES. 
There is section "Jails and File Systems" and there can be new section 
"Manage ZFS from within jail" with basic notes about required jail 
params, zfs set jailed property and example "hierarchy". (and warning 
about gotchas with jailed=0 on jail's root directory)


Miroslav Lachman


Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Alexander Leidinger


Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016  
13:20:31 +0100):

Alexander Leidinger wrote on 2016/12/17 19:59:

Quoting SK  (from Fri, 16 Dec 2016 14:02:20 +):



If I understand you correctly, what you are suggesting is, the dataset
used by the jail itself for its root/base cannot be "worked on" from
within the jail, but if I define a different dataset (under the same
branch below the jail dataset), and attribute it to the jail, then I
can manipulate that "other" dataset. Could you please confirm if I
understood it correctly?


Correct.

You need the data in the root of the jail to boot, if you then attribute
this dataset to the jail, it will vanish until "zfs mount -a" is run (rc
script inside the jail). As it will vanish during the boot of the jail
(if added automatically), the rc script to mount all datasets can not be
found.


[...]


I think what you are trying to tell here is, unless and until that
"vanished" dataset is put to use (mounted) from inside the jail, it
will remain vanished/unusable from the host itself; however, once that
dataset is put to use, the host system should be able to "see" and
maybe even work on that dataset. Could you please confirm if I
understood you correctly?


Correct.

A sub-dataset which is not needed to boot, or a dataset not within the
subtree of the jail (and not needed to boot) can be used.


Thank you for this information! If it is somewhere in the docs it is  
well hidden to me :)


I don't expect it to be in the docs. I try to come up with something  
for the man page for zfs (for the "attach to jail" part), but anyone  
shall feel free to beat me with this.


Anyone with an idea where in the jail man page we should add something  
too (I only had a look at the zfs man page when this issue came up)?


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
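
As an added example (not part of the thread and not FreeBSD's own code), the sh function below applies the rule discussed above to the output of `zfs list -H -o name,jailed,mountpoint`: a `jailed=on` dataset mounted at the jail root, or at a directory the jail needs before its zfs rc script runs, is flagged, while other sub-datasets are reported as fine to delegate. The pool name `zroot`, the paths and the `BOOT_DIRS` list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag ZFS datasets whose jailed property
# would hide files a jail needs before its own zfs rc script has run.
# Input: output of `zfs list -H -o name,jailed,mountpoint` (tab-separated).

# Assumption: top-level directories a jail needs early in its boot.
BOOT_DIRS="bin sbin lib libexec etc usr"

# check_jailed_datasets JAILROOT < zfs-list-output
# Prints one "VERDICT<TAB>dataset<TAB>mountpoint" line per jailed=on dataset
# mounted at or below JAILROOT.
check_jailed_datasets() {
    awk -F '\t' -v root="${1%/}" -v dirs="$BOOT_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        $2 != "on" { next }                        # only jailed datasets matter
        $3 == root { print "BLOCKS_BOOT\t" $1 "\t" $3; next }
        index($3, root "/") != 1 { next }          # outside this jail
        {
            rel = substr($3, length(root) + 2)     # path relative to jail root
            split(rel, part, "/")
            verdict = "OK"
            for (i = 1; i <= n; i++)
                if (part[1] == d[i]) verdict = "BLOCKS_BOOT"
            print verdict "\t" $1 "\t" $3
        }'
}

# Constructed sample: hypothetical pool "zroot" with a jail rooted at /jails/www.
sample_listing() {
    printf 'zroot/jails\toff\t/jails\n'
    printf 'zroot/jails/www\ton\t/jails/www\n'
    printf 'zroot/jails/www/etc\ton\t/jails/www/etc\n'
    printf 'zroot/jails/www/data\ton\t/jails/www/data\n'
    printf 'zroot/jails/db\ton\t/jails/db\n'
}

sample_listing | check_jailed_datasets /jails/www
```

On a real host, pipe the actual `zfs list` output into the function in place of `sample_listing`.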

