# FreeBSD 9.0 + ZFS Jailed Filesystem



## royvandam (Feb 6, 2012)

Problem:
In FreeBSD 9.0, ZFS has been upgraded to v28. With this upgrade comes a combination of two new commands: *zfs jail* and *zfs unjail*. The man page describes: "A ZFS dataset can be attached to a jail by using the "zfs jail" subcommand." From what I understand so far, a jail can now be provided with its own ZFS filesystem as root, and administrators inside the jail can then safely manage it on their own. However, the FreeBSD ZFS documentation is kind of lacking information concerning all the new fancy stuff, and I just can't seem to find a specific example of how to implement this within a jails setup.

Details:
I have successfully created a base configuration, took a snapshot of that and cloned it into a new jail. This new jail 'testbox' runs fine in the current configuration. But I would like to benefit from the above-described ZFS functionality. The ZFS jail subcommand takes "jailid filesystem" as arguments. But this seems to me like a typical 'chicken or the egg' problem, where you first need to have the jail running before you can supply the command with a jailid, and are therefore required to first start the jail on a non-jailed filesystem...

Can anyone provide me with more information or details on how to perform and implement this stuff in my configuration? The server I am using runs a custom-built FreeBSD 9.0 and boots from ZFS.

Many thanks in advance!

I have added a stripped down version of my setup:

```
# Create filesystems
zfs create zroot/usr/jails
zfs create zroot/usr/jails/base
zfs create zroot/usr/jails/hosts
zfs create zroot/usr/jails/shared

# Install FreeBSD world
cd /usr/src
make installworld SRCCONF=/etc/src.conf.jail DESTDIR=/usr/jails/base
make distribution SRCCONF=/etc/src.conf.jail DESTDIR=/usr/jails/base
touch /usr/jails/base/etc/fstab
echo "WRKDIRPREFIX=/usr/obj" >> /usr/jails/base/etc/make.src
echo "DISTDIR=/usr/shared/distfiles" >> /usr/jails/base/etc/make.src
echo "PACKAGES=/usr/shared/packages" >> /usr/jails/base/etc/make.src
chroot /usr/jails/base/ /bin/sh # Do some more config

# Create snapshot and new clone
zfs snapshot zroot/usr/jails/base@clean
zfs clone zroot/usr/jails/base@clean zroot/usr/jails/hosts/testbox
touch /usr/jails/conf/testbox.fstab
```

/usr/jails/conf/testbox.fstab

```
/usr/ports /usr/jails/hosts/testbox/usr/ports nullfs ro 0 0
/usr/jails/shared /usr/jails/hosts/testbox/usr/shared nullfs rw 0 0
```

/etc/rc.conf

```
jail_enable="YES"
jail_list="testbox"
jail_interface="lo1"
jail_exec_start="/bin/sh /etc/rc"
jail_exec_stop="/bin/sh /etc/rc.shutdown"
jail_devfs_enable="YES"
jail_mount_enable="YES"
jail_set_hostname_allow="NO"

for _jail_name in $jail_list; do
    eval jail_${_jail_name}_name="${_jail_name}"
    eval jail_${_jail_name}_hostname="${_jail_name}.jail.example.com"
    eval jail_${_jail_name}_rootdir="/usr/jails/hosts/${_jail_name}"
    eval jail_${_jail_name}_fstab="/usr/jails/conf/${_jail_name}.fstab"
done

jail_testbox_ip_multi0="10.1.0.2"
```


----------



## lockdoc (Feb 18, 2012)

I would also be very interested in this topic.


----------



## Ikinoki (Oct 20, 2012)

I think you can give a ZFS dataset to a jail, but not provide access to the root ZFS dataset.
The jail root ZFS dataset is immutable.


----------
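Added example, not part of any post in this thread: one way around the ordering problem raised in the question is to start the jail on its host-mounted root as before, then resolve the JID of the running jail and attach a separate child dataset with `zfs jail`. The helper name `delegate_dataset` and the child dataset `.../testbox/data` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). The helper name delegate_dataset and
# the child dataset ".../testbox/data" are hypothetical.
# zfs(8) on FreeBSD 9.0 lists the host sysctls security.jail.mount_allowed=1
# and security.jail.enforce_statfs=0 as prerequisites (not checked here).

# usage: delegate_dataset <jail-name> <dataset> <jail-root-dataset>
# Prints the JID the dataset was attached to.
delegate_dataset() {
    jail_name=$1; dataset=$2; root_ds=$3

    # Following the reply above: hand over a child dataset, never the jail's
    # root, which the host mounts itself before the jail can start.
    if [ "$dataset" = "$root_ds" ]; then
        echo "refusing to delegate jail root dataset $root_ds" >&2
        return 2
    fi

    # zfs jail needs a numeric JID, so the jail must already be running.
    jid=$(jls -j "$jail_name" jid 2>/dev/null) || jid=""
    if [ -z "$jid" ]; then
        echo "jail $jail_name is not running; start it first" >&2
        return 3
    fi

    # Create the dataset on first use.
    zfs list -H -o name "$dataset" >/dev/null 2>&1 \
        || zfs create "$dataset" || return 4

    # jailed=on marks the dataset as managed from inside a jail;
    # zfs jail then attaches it to this particular jail.
    zfs set jailed=on "$dataset" || return 4
    zfs jail "$jid" "$dataset" || return 4

    echo "$jid"
}

# Example call on the host, after the jail has been started:
#   delegate_dataset testbox zroot/usr/jails/hosts/testbox/data \
#                    zroot/usr/jails/hosts/testbox
```

Because the JID changes on every jail start, the attach step has to be repeated after each start of the jail.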

