Home / server / Questions / 278013
Accepted
larsks
Asked: 2011-06-08 13:20:41 +0800 CST

Is there a tool for managing FreeBSD jails that knows about ZFS?

  • 772

ZFS under FreeBSD lets one assign filesystems to a jail, such that an account in the jail with the appropriate privileges can access the filesystem, create new subordinate filesystems, and so forth. At least with 8-STABLE, these features are not integrated into the existing /etc/rc.d/jail script. The basic process looks something like:

sysctl -w security.jail.enforce_statfs=0
sysctl -w security.jail.mount_allowed=1
zfs set jailed=on <filesystem>
zfs jail <jid> <filesystem>

And also requires exposing the zfs device node inside the jail.

At the same time, there appear to be a profusion of tools out there (ezjail, jailer, warden, and generally /usr/ports/sysutils/*jail*) that claim to be easier/better/more powerful/etc, but most of which appear to only be lightly maintained and not really much of a win vs. the standard jail script.

I would like to avoid reinventing the wheel. Is there a jail management tool out there that is well integrated with ZFS? I'm looking for something that would take care of setting up the necessary devfs rules, sysctl settings, and zfs attributes when booting a jail...and ideally permit name-based references to jails, which while supported by many of the third-party tools is tragically missing from the stock jail script.

freebsd zfs jail

3 Answers

  1. Best Answer

    After poking around a little bit, it turns out that recent version of ezjail already have this support. The key parts are the following configuration options in /usr/local/etc/ezjail.conf:

    ezjail_use_zfs="YES"
ezjail_jailzfs="tank/jails"

    And using -c zfs when creating a jail, like this:

    ezjail-admin create -c zfs myjail 192.168.1.10

    You associate ZFS datasets with a jail using the ezjail-admin config command (you can't do this as part of the create command):

    ezjail-admin config -z tank/data/myjail myjail

    This assumes you have set up the ZFS dataset and configured the appropriate sysctl settings and devfs rules to make this work.

    Your ZFS dataset(s) need to have the jailed option set:

    zfs set jailed=on tank/data/myjail

    You want the following in /etc/sysctl.conf:

    # support zfs in jails
security.jail.mount_allowed=1
security.jail.enforce_statfs=0

    And I use the following devfs ruleset for jails configured with ezjail:

    [devfsrules_zfsjail=100]
add include $devfsrules_jail
add path zfs unhide
    • 4

  2. The accepted answer (ezjail) has been unmaintained since 2015. There are a few projects that are actively maintained:

    • CBSD
    • iocage
    • my own Mail Toaster 6, since 2001. Versions of MT < 6 were in perl. MT6 is entirely in bash and is dependent on ZFS.
    • 1

  3. CBSD (at http://www.bsdstore.ru/en/about.html) has good knowledge of ZFS.

    • 0