I am trying to expose a hierarchy of home directories to a number of FreeBSD jails. The home directories are configured such that each is a unique ZFS dataset. The jails are used for development work and hence are created and destroyed on a regular basis.
My first thought was simply to use nullfs to mount /home inside the jail, but nullfs doesn't provide any way to access subordinate filesystems.
My second thought was to export the directories via NFS and then run the automounter daemon (amd) inside each jail. This would have Just Worked...if it were possible to perform NFS mounts inside a jail. But it's not.
My third thought was to run amd on the host and provision nullfs mounts into the jails...but amd support for nullfs doesn't exist.
My fourth thought was to go back to exporting the directories using NFS, because of course amd works with NFS, right? Unfortunately, rather than mounting a directory on the target mountpoint, amd likes to mount things in a temporary location (/.amd_mnt/...) and then create a symlink...which, of course, is useless inside the jail environment.
So maybe you could use nullfs to expose a subdirectory of /.amd_mnt to the jail? No! This brings us back to my first attempt, in which we find that there is no way to access subordinate filesystems using nullfs.
And then my head exploded.
Is there a good solution for what I'm trying to do? A bad solution would be to run a script after booting the jail that would create multiple nullfs mountpoints for each home directory, but this is pretty clunky -- it would need to be run periodically to take into account new directories or removed directories. So basically I would have to write a bad automounter.
There must be a better way. Help me, Serverfault, you're my only hope!
UPDATE 1: It occurred to me that I might be able to solve part of the problem with pam_mount, although this would at best be incomplete. Also, it's not clear from the documentation whether or not pam_mount can automatically create the target mountpoint. If it requires the mountpoint to exist a priori, this solution wouldn't be any better than the bad automounter I've already proposed.
UPDATE 2: As discussed in the answers below, setting VFCF_JAIL on the NFS filesystem does allow jails to perform NFS mounts. Unfortunately, the automounter continues to behave in ways that are unhelpful, and when run in a jail appears to be very good at getting wedged in such a way that a system reboot is necessary to remove the process entry.
Why, hello there Lars! That's a fascinating question you've asked, and after some research I may have found an answer for you.
According to this and other posts out there, it may be possible to set the VFCF_JAIL attribute on the NFS filesystem provider, which would in theory allow jails to perform NFS mounts. This may, in turn, allow one to run amd inside the jail...which would neatly solve this issue. I'll try rebuilding the kernel this evening to see how things work out. It's not necessarily the greatest solution (since it means you need to make sure this change persists across future kernel updates), but it would be interesting if it works.
And remember...