Mounting ZFS "jailed datasets"


Rick Morris

Feb 25, 2018, 1:51:35 PM
to iocage
The FreeBSD Handbook talks about dedicating ZFS datasets to specific jails (see section 19.4.12. ZFS and Jails -- https://www.freebsd.org/doc/handbook/zfs-zfs.html#zfs-zfs-jail)

Can this method work with Iocage jails?

The documentation is way too brief for a ZFS newb. Can anyone here explain a) what exactly it means for the "dataset to be controlled from within a jail"? As in, how is this different from a standard jail's filesystem?

If this method will work, would it be enough to do the following:
  1. create an Iocage jail
  2. create a jailed dataset
  3. mount the dataset in the jail via "iocage fstab"

If this will work, can someone give me a simple example of how to do this? Still unclear on how the device descriptor would be named within the jail.

Thanks much!

Brandon Schneider

Feb 26, 2018, 9:59:46 AM
to Rick Morris, iocage
Mounting a dataset (or directory) via iocage fstab will be what's called a nullfs mount. That will let you access the data, but a jailed dataset is not the same thing.

This passes a ZFS dataset *into* the jail for you to manipulate with zfs.

Here's a full example for you:
root@freenas:~ # zfs create tank/foo_dataset
root@freenas:~ # zfs create tank/foo_dataset/dataset_in_jail
root@freenas:~ # iocage create -n foo -r 11.1-RELEASE
root@freenas:~ # zfs list -r tank/foo_dataset
NAME                               USED  AVAIL  REFER  MOUNTPOINT
tank/foo_dataset                   176K  17.9G    88K  /mnt/tank/foo_dataset
tank/foo_dataset/dataset_in_jail    88K  17.9G    88K  /mnt/tank/foo_dataset/dataset_in_jail
root@freenas:~ # iocage create -n foo -r 11.1-RELEASE 
foo successfully created!
root@freenas:~ # iocage set jail_zfs=on jail_zfs_dataset=foo_dataset/dataset_in_jail foo     
Property: jail_zfs has been updated to on
Property: jail_zfs_dataset has been updated to foo_dataset/dataset_in_jail
root@freenas:~ # iocage exec foo zfs list
foo is not running, starting jail

Command output:
NAME                               USED  AVAIL  REFER  MOUNTPOINT
tank                              1.31G  17.9G    88K  /mnt/tank
tank/foo_dataset                   176K  17.9G    88K  /mnt/tank/foo_dataset
tank/foo_dataset/dataset_in_jail    88K  17.9G    88K  /mnt/tank/foo_dataset/dataset_in_jail
root@freenas:~ # iocage exec foo zfs set mountpoint=/data tank/foo_dataset/dataset_in_jail
root@freenas:~ # iocage exec foo zfs mount -a
root@freenas:~ # iocage exec foo df -h
Filesystem                          Size    Used   Avail Capacity  Mounted on
tank/iocage/jails/foo/root           19G    969M     18G     5%    /
devfs                               1.0K    1.0K      0B   100%    /dev
fdescfs                             1.0K    1.0K      0B   100%    /dev/fd
tank/foo_dataset/dataset_in_jail     18G     88K     18G     0%    /mnt/data


--
- Brandon

Rick Morris

Feb 26, 2018, 10:14:55 PM
to iocage
Ahh, very cool. So you can actually perform other ZFS operations on your dataset from within the jail. As in, make snapshots, additional sub-datasets, etc...?

Whereas, if I understand rightly, a nullfs-mounted dataset will be controlled completely from outside the jail.

Are there performance benefits or drawbacks between the jailed dataset approach and the nullfs approach?

Brandon Schneider

Feb 27, 2018, 8:43:02 AM
to Rick Morris, iocage
Correct. And I haven't benchmarked either very heavily but nullfs performs very well. 


--
- Brandon

Rick Morris

Mar 3, 2018, 3:03:56 PM
to iocage
I appreciate this example, and it works fine when creating an additional dataset on the same ZFS root as the jail, but is there a way to make it use a dataset from a different root? So far I can't find a way, because in your example, the root is implied. For example if I tried

zfs create tank2/foo_dataset
zfs create tank2/foo_dataset/dataset_in_jail

I see no way to specify an alternate root. Is there a way to set it, or am I stuck only mounting datasets on the same root?

Thanks,

Rick





Brandon Schneider

Mar 3, 2018, 5:40:04 PM
to Rick Morris, iocage
Same root only for now 


--
- Brandon
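
Added example, not part of the thread and not iocage's own code: since a jailed dataset hands ZFS administration to the jail while a nullfs mount leaves it with the host, this host-side check compares the datasets flagged jailed=on against the jail_zfs_dataset values configured with iocage (relative to the one pool, per "same root only"). It assumes the tab-separated output of `zfs get -H -o name,value jailed`; the function names, tank/scratch and the child dataset are hypothetical, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: host-side audit of datasets delegated to jails.
# On a real host the input would come from:
#   zfs get -H -o name,value jailed      (tab-separated, no header)

# audit_jailed POOL EXPECTED...
#   POOL      pool iocage is activated on (assumed "tank", as in the thread)
#   EXPECTED  jail_zfs_dataset values, relative to POOL
# Reads "name<TAB>value" lines on stdin and prints one finding per line.
audit_jailed() {
    pool=$1; shift
    expected=""
    for rel in "$@"; do expected="$expected $pool/$rel"; done

    awk -F '\t' -v expected="$expected" '
        BEGIN { n = split(expected, want, " ") }
        { state[$1] = $2 }
        END {
            # Configured delegations that are not flagged jailed=on.
            for (i = 1; i <= n; i++)
                if (state[want[i]] != "on") print "NOT_JAILED " want[i]
            # jailed=on datasets that no jail configuration accounts for.
            for (ds in state) {
                if (state[ds] != "on") continue
                ok = 0
                for (i = 1; i <= n; i++)
                    if (ds == want[i] || index(ds, want[i] "/") == 1) ok = 1
                if (!ok) print "UNEXPECTED " ds
            }
        }' | sort
}

# Constructed sample of `zfs get -H -o name,value jailed` output.
# tank/scratch and the .../child dataset are hypothetical.
sample_zfs_get() {
    printf '%s\t%s\n' \
        tank off \
        tank/foo_dataset off \
        tank/foo_dataset/dataset_in_jail on \
        tank/foo_dataset/dataset_in_jail/child on \
        tank/scratch on
}

sample_zfs_get | audit_jailed tank foo_dataset/dataset_in_jail
```

Datasets below a configured jail_zfs_dataset are treated as covered, so sub-datasets created from inside the jail do not show up as findings.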