# Is NFS jail-friendly now??



## kusanagiyang (May 13, 2016)

Dear friends,

I have tried to mount an NFS share in a jailed environment since last week, but could not.

The last thread on the subject is ->
https://forums.freebsd.org/threads/10324/#post-62858
and last kern request is ->
https://lists.freebsd.org/pipermail/freebsd-fs/2012-August/014879.html

They are a few years old... Is it still a desirable feature in the future? Or should we stick with doing the mounting in the host? Thanks


----------



## Crest (May 17, 2016)

Run `lsvfs | grep jail` to find out.


----------



## vejnovic (May 17, 2016)

You can mount an NFS share with the jail's fstab entry.

```
# The jail definition for jail1
thinjail1 {
    host.hostname = "jail1.domain.local";
    path = "/usr/local/jails/jail1";
    interface = "re0";
    ip4.addr = 10.0.0.17;
    mount.fstab = "/usr/local/jails/jail1.fstab";
}
```


----------



## kusanagiyang (Dec 23, 2016)

Hello vejnovic,

Do you mean to
1. `ezjail-admin console myjail`
2. `ee /etc/fstab`
3. insert

```
# The jail definition for jail1
thinjail1 {
    host.hostname = "jail1.domain.local";
    path = "/usr/local/jails/jail1";
    interface = "re0";
    ip4.addr = 10.0.0.17;
    mount.fstab = "/usr/local/jails/jail1.fstab";
}
```
and save
4. restart myjail

I just tried the above. It does not work...  (am I missing something??)

I saw people suggesting mounting on the host, then nullfs mounting to the jailed path. I am curious why not simply mount to the jailed path directly in the first place. Is there a difference in doing so? Thanks


----------



## getopt (Dec 23, 2016)

What you can do is to `mount_nfs` on the jail-host. This makes these directories available to nullfs mount them into your jail. You can define null-mounts readonly and readwrite as you like. This requires a separate fstab.your_jail which has to be defined in jail.conf.

So to answer your question if jails are "nfs-friendly": No, they are not, because that would make it possible to break out of the jail. With nullfs-mount you define before the jail is started what access is possible, and that cannot be altered from within the jail.



kusanagiyang said:


> Is it still a desirable feature in the future?


No, this would be no feature but breaking the security design.


----------



## SirDice (Dec 23, 2016)

You can't mount filesystems within a jail, regardless if it's NFS or any other filesystem, unless you set allow.mount. See jail(8).

What you can do however is let the host mount the filesystem on the jail when the jail starts. See mount.fstab, also in jail(8).


```
allow.mount
                     privileged users inside the jail will be able to mount
                     and unmount file system types marked as jail-friendly.
                     The lsvfs(1) command can be used to find file system
                     types available for mount from within a jail.  This per-
                     mission is effective only if enforce_statfs is set to a 
                     value lower than 2.
```


```
mount.fstab
             An fstab(5) format file containing filesystems to mount before
             creating a jail.
```


----------
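Added example, not part of any post in this thread: a shell check for the setup getopt and SirDice describe, where the host mounts the NFS export and the jail's `mount.fstab` file (named in jail.conf on the host) exposes it through nullfs. It reads that fstab and reports entries whose mount point falls outside the jail root or that are not read-only; the `/mnt/nfs` paths, the sample entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All paths and entries are constructed.
# Assumed layout, everything on the HOST and nothing inside the jail:
#   host /etc/fstab : NFS export mounted on /mnt/nfs/... (assumed path)
#   jail.conf       : mount.fstab = "/usr/local/jails/jail1.fstab";
#   jail1.fstab     : nullfs entries re-exposing those directories in the jail

# Constructed sample of /usr/local/jails/jail1.fstab.
sample_jail_fstab() {
    cat <<'EOF'
# device        mountpoint                           type    opts  dump pass
/mnt/nfs/data   /usr/local/jails/jail1/mnt/data      nullfs  ro    0    0
/mnt/nfs/spool  /usr/local/jails/jail1/var/spool/in  nullfs  rw    0    0
/mnt/nfs/data   /usr/local/jails/jail10/mnt/data     nullfs  ro    0    0
/mnt/nfs/data   /usr/local/jails/jail1/../../etc     nullfs  ro    0    0
EOF
}

# Usage: audit_jail_fstab JAILROOT < fstab
# JAILROOT is the "path" value from jail.conf. Prints one finding per line:
#   OUTSIDE_JAIL <mountpoint>   mount point is not under the jail root
#   WRITABLE <mountpoint>       entry lacks the "ro" option
audit_jail_fstab() {
    awk -v root="${1%/}" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            mnt = $2; opts = "," $4 ","
            # Match whole path components, so jail10 is not taken for jail1,
            # and reject any ".." component that would climb out of the root.
            if (index(mnt "/", root "/") != 1 || index(mnt "/", "/../"))
                print "OUTSIDE_JAIL " mnt
            if (index(opts, ",ro,") == 0)
                print "WRITABLE " mnt
        }'
}

sample_jail_fstab | audit_jail_fstab /usr/local/jails/jail1
```

Run it on the host against the file that `mount.fstab` points to, passing the jail's `path` value as the argument.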

